Improving RFID/IoT-based generalized ultra-lightweight mutual authentication protocols

With the increase of connected devices being introduced into the market each day, the Internet of Things (IoT) vision is progressively becoming a reality. This phenomenon however increases key security risks flagged by the scientific and research community and industry professionals. Devices featuring limited security capabilities are of particular concern in IoT adoption, including passive Radio Frequency Identification (RFID) tags. In response to such security limitations, several ultra-lightweight authentication protocols have been proposed, although, most of them exhibit various vulnerabilities. In this study, we evaluate the security level of recent ultra-lightweight mutual authentication protocols and show their susceptibility to replay and desynchronization attacks. Through this research, we also show that these protocols can be grouped into a generalized version of ultra-lightweight mutual authentication protocols (GUMAPs) and classify them into two categories: (i) GUMAP1, where both parties (tag and reader) maintain a history of old parameters; and (ii) GUMAP2, where only one party maintains a history of old parameters. We then establish that both groups are vulnerable to replay and desynchronization attacks. To eliminate these vulnerabilities, we propose a more secure generalized improved mutual authentication protocol (GIMAP). To address the security issues, we present a new message authentication code (MAC) function for GIMAP and prove that the new protocol can satisfy the security requirement involved in lightweight protocols. The security analysis of GIMAP is also supported by the formal security analysis, using two widely accepted approaches, namely BAN logic and the Scyther tool.