Scalable, efficient, and secure RFID with elliptic curve cryptosystem for Internet of Things in healthcare environment

The rapid development of IoT technology has led to the use of various devices in our daily life. With the ever-increasing growth of the Internet of Things, appropriate methods for establishing secure communications in health care systems are vital. The adoption of high-security optimal mechanisms for this purpose has been more effective regarding the efficiency of medical information systems; hence, many studies are being conducted in this field today. One of the most important components is the RFID card, which can be used for communication between entities in the environment. In healthcare systems, patient information is critical and nobody should have access to this information. Thus, providing security for these networks is essential. Recently, good research has been done in the area of authentication for medical information systems using RFID technology, which has a low computational cost. In this paper, we propose a novel method based on elliptic curve cryptography for vital, efficient, and scalable authentication between RFID cards, card readers, and servers. The proposed method maintains security and has lower computational cost and lower elliptic curve point multiplication running time than similar recent methods.


Introduction
The term "Internet of Things" was first introduced in 1999 [1]. The Internet of Things refers to the precise communication between the physical and digital world [2,3]. In fact, it provides an extensive infrastructure for providing advanced services, such as sending and receiving information and interconnections using physical and virtual elements [3]. The Internet of Things consists of a set of sensors and radio frequency identification (RFID) technology that communicate through the network with various devices [2]. Technologies such as sensor technology, embedded smart technology, and nanotechnology as well as RFID technology can be widely used in the Internet of Things. In RFID technology, objects can communicate with one another through radio waves and exchange information among themselves [3,4]. Some advantages of RFID technology in comparison with traditional barcodes are the ability to read and write, lack of direct exposure to the card-reader, simultaneous reading of multiple cards, and non-restrictions of using different barcodes [3,5]. Considering the above-mentioned reasons, we can use these benefits for health care systems such as hospitals.
The components of RFID technology include servers, card readers, and cards. The cards include various parts including a chip that performs calculations, a memory for data storage, an antenna for transmitting and receiving data, and a special hardware that is used for encryption and decryption operations [6][7][8].
Cards can communicate with the card reader and transfer encrypted data between themselves. The cards themselves are divided into three categories, including a reactive card that gets the energy necessary to transmit its data through a wireless signal, a semi-active card with a small battery, and the active card that has a radio antenna and a small battery that is directly connected to the card reader [8,9]. The cards can store and process data and then transfer information to the card reader using their radio transmitter [6,7].
Card readers have a control unit, a memory unit, and a radio transmitter and receiver; in addition, the computational capacity of card readers is greater than that of cards, and their main function is to perform authentication and exchange messages between the card and the server [8,10].
A server is a trusted entity that stores all information, including the IDs of cards and card readers, in its database for the authentication process, and then the system starts up. The validity of the card can be determined using this information stored in the server [8,10].
Applications that can be implemented using RFID technology inside the Internet of Things in healthcare settings include the identification of newborns and patients [8,11], tracing and validating the medical treatment of patients [8,12], patient location and patient management in healthcare centers [8,13], surgery process management [8,14], equipment location tracking [5,8,15], blood pack tracing, monitoring, and pharmaceutical management.
All messages in healthcare environments are transmitted over wireless waves through RFID cards. With the rapid development and advances of RFID technology in healthcare environments, the need for safe and secure access to sensitive information should be considered, and ultimately, the exchange of this information through the Internet of Things infrastructure should be taken into account more than before [8]. Transferring information by using RFID technology does not provide any security by itself. Therefore, these healthcare systems are vulnerable to attacks due to the use of RFID. In order to remove these vulnerabilities, various security protocols have been proposed for secure communication within these networks, some of which are based on symmetric cryptography [16][17][18][19][20][21][22][23][24][25], and others are based on asymmetric cryptography [3,7,26,27,28]. Some of these protocols deal with authentication between the card and the server, in which the two confirm each other [3,7,26,27,28], and others provide authentication between the card and the reader [16,17]. In order to ensure that the connection between the card, the card reader, and the server is secure, we need mutual authentication in RFID systems, which will affect the authentication process against various attacks [8].
In this paper, we propose a novel method based on elliptic curve cryptography for vital, efficient, and scalable authentication between RFID cards, card readers, and servers. The proposed method maintains security and has lower computational cost and lower elliptic curve point multiplication running time than similar recent methods.
An elliptic curve over $GF(2^m)$ consists of all points $(x, y)$ with $x, y \in GF(2^m)$ that satisfy the elliptic curve equation $E: y^2 + xy = x^3 + ax^2 + b$ with $a, b \in GF(2^m)$, $b \neq 0$ (let $GF(2^m)$ be a finite field of $2^m$ elements, where $m$ is an integer). For cryptographic purposes, curves over the finite fields $F_p$ and $F_{2^m}$ are most suitable [29].
The addition of two points and the doubling of a point on an elliptic curve (generally over a set of real numbers) in a geometrical space are illustrated in Figs. 1 and 2. The Group Law is supported by the following terms [29]:
Negativity: Let $P = (x, y) \in E$ and $Q = (x, x + y) \in E$; therefore $P + Q = O$, that is to say, the negative of $P$ is $Q$.
Point addition: If $P = (x_1, y_1) \in E$ and $Q = (x_2, y_2) \in E$ such that $P \neq \pm Q$, then $P + Q = (x_3, y_3)$ is calculated by following equation:
Point doubling: If $P = (x_1, y_1) \in E$ and $P \neq -P$, then $2P = (x_2, y_2)$ is defined by following equation:
Scalar multiplication as a fundamental operation in ECC is obtained by performing the elliptic curve addition operation $k$ times:
Calculating $Q$ is relatively easy when $k$ and $P$ are given, but it is a hard problem to determine $k$ when $Q$ and $P$ are specified. This problem is called the elliptic curve discrete logarithm problem (ECDLP). Thus, the scalar multiplication on elliptic curves over finite fields is considered a one-way function, which is useful in cryptographic applications [30].
The structure of the paper is organized as follows: Section 2 reviews the related papers; Section 3 describes the proposed solution, including the initializing phase and the authentication phase; Section 4 describes the dynamic key management; in Section 5, the analysis of the proposed solution as well as security and its efficiency has been addressed; and finally, the conclusions are presented in Section 6.

Methods and related work
Due to the sensitive information that can be exchanged with RFID technology, security for these networks is critical. RFID technology is one of the most important steps in establishing secure communication in these networks. However, the messages exchanged between the card, the card reader, and the server have always been exposed to a variety of security attacks. In this paper, we use elliptic curve cryptography to secure the connection between the card and reader. The proposed solution preserves security with lower computational cost than the previous methods. Furthermore, key management solutions are presented for dynamic access problems in RFID cards in order to be able to develop scalable healthcare networks. Various research articles on RFID security in a variety of applications, in addition to providing effective security schemes, identify and discuss the following security issues [3,7,10,16,18,25,26,27,28,31,32,33,34,35,36,37,38,39]:

Mutual authentication
In most studies, interconnection between the card, the card reader, and the server is required prior to the initialization of the operation. The relationship between the card and the card reader is insecure and needs to be reciprocally authenticated, while the communication channel between the server and card reader is assumed to be secure.

Confidentiality
Each secret key of the card, the card reader, or their ID must not be recovered by attackers. If the attacker accesses the card or card reader's secret key, he/she can introduce his/her card or card reader to the server and access sensitive information of the network. To prevent this, data must be encrypted before being transmitted between the card and the card reader.

Anonymity
An RFID authentication scheme must provide anonymity for the card and card reader. If the attacker recognizes the identity of the card or card reader, he can in fact violate their privacy; in order to prevent this issue, the ID of the card and card reader should be encrypted in a mutual authentication process.

Availability
The RFID authentication process should be implemented accurately over the available lifetime of the card or the card reader. To provide anonymity, for most RFID authentication schemes, the secret keys between the card and the card reader should be updated during the implementation of the authentication process. If the attacker in any way eliminates the process of updating secret keys between the card and the card reader, the authentication scheme will be invalid.

Forward security
In many authentication schemes, if an attacker can access the secret key, he can get the old location of the card or access the old information of that card, which will result in the violation of the privacy of the owner of the card. It is therefore necessary to have forward security within the authentication scheme.

Scalability
An authentication scheme should be able to support the number of cards or card readers in the network. For example, if the number of cards has multiplied or the card has been deleted, added, or its location has changed, or even the location of the card reader has changed, the authentication scheme should be able to maintain and continue to work well and correctly manage the key for the steps listed.

Resists various attacks
A strong authentication scheme should be able to secure the exchange of information between the card and the card reader against multiple attacks, such as man-in-the-middle attack, replay attack, forging attack, internal attacks, and external attacks. Various methods are used for the authentication problem in healthcare and health systems based on the Internet of Things that use symmetric and asymmetric cryptography (elliptic curve cryptography) [7,25,31,40,41,42]. The authors of these papers did not use asymmetric cryptographic methods, because the key length is long in asymmetric cryptography and thus the speed is very low, but the implemented elliptic curve cryptography methods [43,44] have been shown to need less storage space than the SHA3 hashing algorithms [7]. Using elliptic curve cryptography, we can easily expand our network and do not have a scalability problem while being safe against various attacks. In contrast, symmetric encryption always suffers from a scalability problem [32,33,45,46,47,48,49,50].
Elliptic curve based identification for RFID technology was presented for the first time in 2006 by Batina and Tuyls [51]; since then, various methods have been presented by different authors, the vulnerability of these methods has been investigated by other researchers, and new protocols have been introduced to improve their cost and security. For example, in Lee's paper [52], the works of Batina and Tuyls [51] and Batina et al. [53] were investigated, and the problem of the unidentified card was addressed.
Another article by Zhang and Qi [26] has addressed the problems in Chou's work [34], namely availability of the information inside the card to the attacker, interacting with the server, and card tracking, and aimed to improve Chou's authentication method. A paper by Farash et al. [7] has recently been presented in the field of RFID technology using elliptic curve cryptography for health care systems; reviewing the methods proposed by Zhang and Qi [26] and Zhao [3], it first addresses the security problem of these two methods in the insecure sending of information and then presents its own security method. Another paper, by Yang et al. [10], addresses the problem of the Kaur [54] scheme, namely its high computational cost; with changes made to the Kaur scheme, it presents a new scheme that reduces the high cost of computation.

Proposed scheme
In our proposed method, the server, the card reader, and the card are all participating; first, the server generates the keys for both the card reader and the card. Then, the server loads the keys on them.
The proposed method has two phases: (1) initializing phase and (2) authentication phase. The details of these two phases are fully described below. The symbols are listed in Table 1.

Initializing phase
This phase includes the following steps:
Step 1: The server selects the size and type of the Galois field $GF(q)$, where either $q = p$ with $p$ a large prime number, or $q = 2^m$ (this field is usually chosen because the calculations on the $GF(2^m)$ field can be done quickly, and a fast and efficient algorithm has been provided for the required calculations on the $GF(2^m)$ field); $m$ represents the size of the field.
Step 2: The server uses two parameters $a, b \in F_q$ in order to define the elliptic curve equation $E$ on the field $F_q$ shown in (1):
Then, the server chooses the base point $G$ for the elliptic curve (the base point is the point on the elliptic curve that has the highest order $n$), that is, $nG = O$.
Step 3: For each card $T_i$, the server inserts a random integer $pr_i$ from the interval $[1, n - 1]$ as the private key and then calculates and inserts $pu_i = pr_i G$ into the card. Also, the inverted private key $pr_i^{-1}$ is inserted into the card. Then, this procedure is repeated for each card reader.
Note: Given the hardness of the discrete logarithm on the elliptic curve, calculating $pr_i$ from $pu_i$ and $G$ is infeasible in practice.
Step 4: The server has a one-way hashing function $h(x)$ for converting a point on the elliptic curve $E$ to a number $v$, where $v \in F_q$.
Step 5: The server selects a random integer $l_i$ from the range $[1, n - 1]$ for each card and then calculates $U_i$ according to (2).
Therefore, the secret key for each card is obtained from Eq. (3).
Step 6: The server specifies the public points for the reader, as in Eq. (4), in which the parameter $j$ represents the card reader.
In the end, the server stores the parameters $E_q$, $G$, $n$, $h$, $pr_i^{-1}$, $pU_i$, $pr_i$ and $l_i$ for the card and the parameters $E_q$, $G$, $n$, $h$, $pr_j^{-1}$, $pU_j$, $pr_j$ and $M_{i,j} = l_j(pU_i)$, $M_{j,i} = l_i(pU_j)$ for the card reader.

Authentication phase
In this phase, the card and card reader authenticate each other using the secret key. This phase includes the following steps:
Step 1: To calculate $U_j$, each card reader takes its public points and the inverted private key already loaded by the server in the initial phase; then $U_j$ is calculated by Eq. (5):
It should be noted that $pr_j^{-1}$ denotes inversion in a finite field, which is an operation required in the digital signature algorithm of the elliptic curve [55].
Step 2: Determining the secret key according to Eq. (6):
Step 3: In this step, we obtain the value of $w$ according to Eq. (7):
$w$ is used for two-way authentication. The card reader calculates the value of $w$, which is the hash of the sum of the values $SK_j$ and $SK_j$. It is used in the symmetric encryption procedure that encrypts the message ($m$). If the card is able to calculate the value of $w$, then it is able to authenticate the card reader.
In fact, when the card reader communicates with the cards, it can authenticate them, and it is enough to calculate the secret key for the card; also, the card must calculate the value of $w$ in order to authenticate the card reader. The authentication phase is shown in Fig. 3.
For example, Fig. 4 illustrates a cluster with a card reader and cards with a certain relationship. In this figure, there are 7 cards and one card reader. There is a bidirectional relationship between each card and the card reader, and only the card reader is able to calculate the secret key for the cluster members. The server determines the public parameters $M_{i,j}$ and $M_{j,i}$ and declares them to the card reader. The set of required public parameters for deriving the secret key by the card reader is shown as follows:
Reader :
Therefore, the card reader, in addition to its own secret key, can derive the secret keys of cluster members as follows:
Note that no card or card reader can operate autonomously unless it has permission from the server, in which case it must receive the required public points from the server.
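An added example, not code from the paper: the group law on the binary curve from the Introduction (standard affine formulas for $y^2 + xy = x^3 + ax^2 + b$) and the reader-side key derivation of the authentication phase, run on a toy field. The field GF(2^7), a = b = 1, SHA-256 as h, the sample scalars, and the form U_i = l_i G (Eqs. (2) and (5) are not reproduced in this text) are assumptions of the example.

```python
import hashlib

# Toy parameters (constructed, far too small for real use): GF(2^7) with
# reduction polynomial x^7 + x + 1, curve E: y^2 + xy = x^3 + a*x^2 + b.
M, POLY, A, B = 7, 0b10000011, 1, 1
O = None  # point at infinity

def fmul(x, y):
    """Multiply two field elements (bit vectors) modulo POLY."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x >> M:
            x ^= POLY
    return r

def finv(x):  # field inverse as x^(2^m - 2)
    r, e = 1, (1 << M) - 2
    while e:
        if e & 1:
            r = fmul(r, x)
        x, e = fmul(x, x), e >> 1
    return r

def on_curve(P):
    if P is O:
        return True
    x, y = P
    x2 = fmul(x, x)
    return fmul(y, y) ^ fmul(x, y) == fmul(x2, x) ^ fmul(A, x2) ^ B

def add(P, Q):
    """Group law on E; field addition and subtraction are both XOR."""
    if P is O:
        return Q
    if Q is O:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if y2 == x1 ^ y1:                      # Q = -P = (x, x + y)
            return O
        lam = x1 ^ fmul(y1, finv(x1))          # doubling, x1 != 0 here
        x3 = fmul(lam, lam) ^ lam ^ A
        return (x3, fmul(x1, x1) ^ fmul(lam ^ 1, x3))
    lam = fmul(y1 ^ y2, finv(x1 ^ x2))         # addition, P != +-Q
    x3 = fmul(lam, lam) ^ lam ^ x1 ^ x2 ^ A
    return (x3, fmul(lam, x1 ^ x3) ^ x3 ^ y1)

def mul(k, P):
    """Scalar multiplication kP by double-and-add."""
    R = O
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def base_point():
    """Return (G, n): a base point and its order, found by brute force."""
    P = next((x, y) for x in range(1, 1 << M) for y in range(1 << M)
             if on_curve((x, y)))
    G = add(P, P)                              # clears the cofactor of 2
    n, R = 1, G
    while R is not O:
        R, n = add(R, G), n + 1
    return G, n

def h(P):  # one-way hash of a curve point (SHA-256 is this example's choice)
    return hashlib.sha256(bytes(P)).hexdigest()

def reader_key(pr_j_inv, M_ji):
    """Reader side: strip its own private key from the public point."""
    return h(mul(pr_j_inv, M_ji))

def demo(pr_j=23, l_i=40):                     # constructed sample scalars
    G, n = base_point()
    pu_j = mul(pr_j, G)                        # reader public key
    M_ji = mul(l_i, pu_j)                      # M_{j,i} = l_i(pU_j), public
    sk_i = h(mul(l_i, G))                      # ASSUMPTION: U_i = l_i * G
    return n, sk_i, reader_key(pow(pr_j, -1, n), M_ji)
```

Only the holder of the matching inverse private key recovers the same key from the public point; any other inverse maps $M_{j,i}$ to a different point and therefore a different hash.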

Solution to key management of dynamic access problems
In this section, the concept and problems of dynamic key management for RFID technology in healthcare environments such as adding a new card, removing an existing card, revoking an existing relationship and creating a new relationship (switch card reader), and changing secret keys will be discussed.

Adding new card
Imagine that a new card $T_x$ is added to Fig. 4. In this case, the private key, public key, and reverse private key will be embedded within the new card by the server, then steps 5 to 6 of the initializing phase will repeat, and the type of relationship between the card and card reader will be a bidirectional one like the other cards. The details are as follows:
Step 1: Select a random integer $Pr_x$ from the interval $[1, n - 1]$ as a secret parameter for each new card $T_x$ by the server; then, the point $Pu_x = Pr_x G$ is computed as a public parameter, and both of them are embedded in the new card. Moreover, the reverse private key $Pr_x^{-1}$ is embedded within the new card too.
Step 2: The server selects a random integer $l_x$ for the new card from the interval $[1, n - 1]$. Thus, the secret key of the card T
Step 3: The server determines the points $M_{i,x} = l_x(Pu_i)$ and $M_{x,x} = l_x(Pu_x)$ to communicate between the card reader and the new card and declares it publicly.

Removing the existing card
Imagine there is a need for a card to be removed from Fig. 4 for any reason, like the case when cards are captured by an attacker. Under this condition, the server should remove all parameters in contact with the card mentioned above and revoke the access to the card too. In addition, the secret key of the card reader must be changed as follows:
Step 1: The server reselects a random integer $l_x^*$ from the interval $[1, n - 1]$ for the card reader. As a result, the new secret key of the card reader is $SK_x^* = h(U_x)$.

Revoking an existing relationship and creating a new relationship (switch card reader)
Imagine that a new card reader is selected for cluster members (cards), and the previous card reader continues to carry out tasks in another cluster (as shown in Fig. 5). Then, all communications which the card reader has with cards must be removed. Furthermore, all public parameters and those which connect the cluster members to the card reader and vice versa should also be removed. To build communication between the cluster members and the new card reader, steps 5 to 6 of the initializing phase should be executed as follows:
Step 1: The server selects a random integer $l_i$ from the interval $[1, n - 1]$ for each card. Therefore, the secret key for each card is
Step 2: The server determines the points $M_{j,j} = l_j(Pu_j)$ and $M_{i,j} = l_j(Pu_i)$ for communication between the new card reader and each single card, and declares it publicly.

Changing secret keys
Sometimes changing a secret key is felt necessary, perhaps to ensure higher network security and efficiency. Changing the secret key of a card $T_x$ from $SK_x$ to $SK_x^*$ follows the procedure below:
Step 1: The server selects a random integer $l_x^*$ from the interval $[1, n - 1]$. Therefore, the new secret key of the card $T_x$ is SK *
Step 2: The server determines the points $M_{x,x} = l_x^*(Pu_x)$ and $M_{i,x} = l_x^*(Pu_i)$ and declares it publicly.

Security
The following are some of the important attacks and the resistance of the proposed method against them and some security requirements:

Man-in-the-middle attack
In this attack, the attacker tries to retrieve secret and private keys by intercepting the communication channel between the card and card reader. In this case, the attacker cannot extract any useful information. Even if we assume that the attacker retrieves $w$ while the card and card reader are communicating, based on ECDLP, he cannot get the private key to use it and communicate with the card reader or card.

Forging attack
Identity forging attacks are difficult to detect in these networks because the attacker is trying to forge an authorized card ID in order to get the card's secret key. Now, assume that the attacker is trying to get the card's secret key, which requires solving discrete logarithm for the elliptic curve. Given the resistance of the discrete logarithm for the elliptic curve, as outlined in Johnson et al. [56], the proposed method will be reliable against this attack.

Mutual authentication
In the proposed method, if the value of $SK_j$ is equal to $SK_i$, then the card reader has been able to authenticate the card, and if the card can calculate the value of $w$, it will authenticate the card reader.

Confidentiality
Based on ECDLP, the attacker cannot retrieve the private key from the messages.

Masquerade attack
There is an extraordinarily important attack whenever a card wants to compute authorized secret keys. Imagine that a malicious card reader masquerades as the server and distributes some planned public parameters $M_{i,j}$ and $M_{j,i}$. Then, assume some cards use these public parameters to compute secret keys $SK_i$. If a card uses $SK_i$ as a proper symmetric key and sends encrypted confidential data to the card reader, then the malicious card reader, with the proper secret key $SK_i$, can decrypt and access those confidential data. An authentication mechanism such as the scheme proposed in Nikooghadam et al. [57], improved by the changes suggested by the present researchers, is able to withstand this attack. Although a number of overheads are imposed, they are fewer than those of the ECDSA digital signature algorithm [56] used in [58]. Furthermore, suppose a constant and unique private key such as α has been selected by the server, and the resultant public key $Q = \alpha G$ is registered in the server as trusted for all cards. In the following, the employment of the digital signature is described step by step.
(a) The server prepares special information corresponding to each public parameter $M_{i,j}$ and $M_{j,i}$, like a digital signature, as follows:
1. Selecting a random integer such as β.
3. Computing $s^* = erQ + R$; consider that $r$ is the x-coordinate of the received point $R$ and $Q$ is the reliable public key of the server.
4. If $v = s^*$, then the signature is valid; otherwise, it is rejected.
As an example for the card reader, the server signs all public parameters $M_{i,j}$ and $M_{j,i}$ of the cluster members, which have been converted to an integer $e$ by the one-way hash function, and sends the signature besides the public parameters ($M_{i,j}$, $M_{j,i}$) to the card reader. Then, the card reader converts the public parameters to one integer $e$ and verifies the signature following the steps explained above. Table 2 shows the security comparison between related protocols and the proposed method. This is a comparison between recent research papers such as Farash et al. [7], Alamr et al. [35], Zhang and Qi [26], Zhao [3], Liao and Hsiao [36], Shen et al. [28], and the proposed method in this research.

Performance
To evaluate the performance, we have compared our proposed method with similar recent research papers such as Farash et al. [7], Alamr et al. [35], Zhang and Qi [26], Zhao [3], Liao and Hsiao [36], Shen et al. [28]. We estimated the cost of the authentication phase for each of the six methods, for both the card reader and card. In Table 3, we present some of the various symbols used in this section. On the other hand, according to the method proposed in Nikooghadam et al. [59], the time complexity of the various operational phases is calculated using modular exponentiation. The results are specified in Table 4.
The comparison between the six methods is shown in Table 5. Since all of the public and private keys and other main parameters are loaded into the card and card reader in the initialization phase, the computational cost of the private and public keys and other parameters is zero. In the authentication phase of our method, the computational cost is $2T_H + 1T_{PM}$ and $2T_H + 1T_{PM}$ for the card and card reader, respectively. Therefore, our proposed method has lower computational cost when compared to other methods.
It should be noted that, because the time complexity in terms of modular exponentiation of the operating units $T_H$ and $T_{PA}$ is not high, the related values are excluded from Table 5.
Fig. 6 illustrates the performance comparison given in Table 5.
It is also possible to calculate the execution time of the most complex operation on the elliptic curve, that is, the elliptic curve point multiplication, in milliseconds. For instance, we assume that all of the related articles use an elliptic curve with an equal key length of 160 bits. The execution time of the elliptic curve point multiplication on 5 MHz cards equals 0.064 s. The running time of the elliptic curve point multiplication among the related protocols for both the card and the card reader is given in Table 6.

Conclusion
Considering the constant developments of the Internet of Things and its applications in fields such as health care systems, where patient information is critical and nobody should have access to this information, providing security for these networks is essential. Various studies have been done recently to address security and computational cost problems. In this paper, we have proposed an elliptic curve cryptography method that, in addition to maintaining security, has less computational cost compared to similar studies. Furthermore, key management solutions are presented for dynamic access problems in RFID cards in order to be able to develop scalable healthcare networks. For future work, a hardware implementation can also be done in order to evaluate the precise security and computational cost of the proposed method.