Universal and secure object ownership transfer protocol for the Internet of Things

https://doi.org/10.1016/j.future.2017.02.020Get rights and content

Highlights

  • We address the problem of ownership transfer of RFID tagged objects in IoT.

  • The proposed mechanism securely transfers ownership of an objects in IoT.

  • The proposed protocol ensures the security of both objects and object owners.

  • We analysed the proposed protocol both qualitatively and quantitatively to evaluate its effectiveness.

Abstract

In this paper, we address the problem of ownership transfer of RFID tagged objects in Internet of Things (IoT) in a secure manner. In application domains such as supply chain management, RFID tagged objects are required to securely change hands several times during their life cycle. To this end, we propose a novel ownership transfer mechanism that securely transfers an RFID tagged objects in Internet of Things (IoT). An important property of the proposed approach is that the proposed ownership transfer mechanism ensures the security of both the RFID tagged objects and the object owners. We analysed the proposed object ownership transfer protocol both qualitatively and quantitatively to evaluate its effectiveness. The analysis shows that the proposed protocol is more secure and requires less computation as compared to existing similar protocols.

Introduction

INTERNET of Thing (IoT) system consists of pools of globally distributed objects. To collect and locate specific information of an object from this pool, the IoT system requires the identification of each object separately. Therefore each object in the IoT pool needs to be attached and represented by a unique identification. Furthermore, this unique identification leads the IoT system to connect, interact, and cooperate between global objects to achieve a dynamic global information network [1], [2], [3]. With various strengths such as recognition speed, non-line-of-sight operation, capability to identify many objects in one read as well as networking capability, Radio Frequency Identification (RFID) technology has become an attractive solution to address objects’ unique identification need in the IoT [4].

However, the business model of IoT dictates that objects in this global network may be owned by different parties at different points in time [2], [3], [5], [6]. Thus, the ownership of an RFID tag requires it to be physically and digitally transferred over to different partners many times as the control on tagged items changes [5], [6]. The internal state of the RFID tags must also reflect these ownership and control changes precisely. This makes secure ownership transfer of the RFID tagged objects an important aspect for the IoT system. Specifically, once RFID tag ownership is transferred to a new owner, only the current owner should be able to interrogate the tag while others should be prevented from communicating with the tag. Moreover, the privacy of both the new and previous owners of the tag must be protected. Therefore, it is imperative that the ownership transfer protocol for RFID tagged object must be able to ensure privacy and security requirements of both the current and previous owners of the object.

The need for secure ownership transfer of RFID tagged objects is well recognized and a number of ownership transfer protocols have recently been proposed [7], [8], [9], [10], [11], [12], [13]. However, existing protocols suffer from a number of vulnerabilities, for example they do not validate an ownership transfer request. Furthermore, these existing proposals do not support all possible ownership transfer scenarios such as one to one, one to many, many to one and many to many [14], [15], [16]. Therefore, they do not support universal ownership transfer and are not ready to address the need of the IoT. Adapting a separate protocol for each scenario is expensive, a waste of resources and increases the complexity of a large scale distributed system like the IoT. To have an IoT ready ownership transfer protocol, it must be capable of protecting the required security properties of business entities while being universal (supporting all RFID tag ownership transfer scenarios) at the same time [5], [6].

In this paper, we propose a secure and universal object ownership transferring protocol for IoT. The main contributions of the proposed work are summarized as follows:

  • We propose a novel ownership transfer mechanism that securely transfers an RFID tagged objects in Internet of Things (IoT) environment for application domains such as supply chain management.

  • The proposed ownership transfer mechanism ensures the security of both the RFID tagged objects and the object owners by validate genuineness of an ownership request and the ownership right of a new partner to own a set of objects.

  • Our novel use of simple number theories and transitivity property let us securely exchange secret keys and information for ownership transfer, ownership request and right validation.

  • The novel use of simple number theories and the multiplicative inverse of modular arithmetic reduces computational and communication cost in the tag.

  • We analysed the proposed object ownership transfer protocol both qualitatively and quantitatively to evaluate its effectiveness.

The tag only requires to perform bitwise operations, Cyclic Redundancy Check (CRC) and one modular arithmetic operation in conformance to EPC Gen 2 RFID passive tags which has EPC memory of 128 bits and user memory of 2 bytes [16], [17].

The rest of the paper is organized as follows. In Section 2, we analyse existing similar work in the literature. We present detail system model, system requirements, assumptions and definitions of key concepts in Section 3. The detail of the proposed protocol is presented in Section 4. The security analysis and the comparative study of our protocol against baseline protocol is presented in Section 5. The conclusion is presented in Section 6.

Section snippets

Related work

Although much work has been done to provide privacy and anonymity of RFID systems, the secure ownership transfer protocol has only recently received attention from the research community. Generally, existing secure ownership transfer protocols can be broadly divided as those that either rely on a Trusted Third Party (TTP) [16], [18], [19], [20], [21], [22] or a scheme that does not rely on TTP [7], [8], [9], [10], [11], [12], [17], [23]. In TTP-based approaches, secure ownership transfer is

System model

We define IoT as an interconnection of sensing and actuating devices providing the ability to share information across platforms through a unified framework, and for developing a common operating picture for enabling innovative applications [24]. To achieve these, the IoT needs to bring together a large group of networked RFID tags to work collaboratively. Using networked RFID tags (from same or separate administrative domains), the IoT can provide a network between uniquely addressable things

Proposed protocol

In this section, we detail the proposed protocol. The proposed protocol works in two main stages to securely transfer ownership from a current owner to a new owner. In stage one, the steps of ownership transfer request and validity verification of the request is shown in Fig. 2. In stage two, the ownership transfer and the ownership claim process is shown in Fig. 3. We have also numbered each communication rounds in Fig. 2, Fig. 3 to match with the detail discussion below.

In the proposed

Protocol analysis

In this section, we will discuss various analysis undertaken to verify and compare properties of the proposed ownership transfer protocol against baseline protocols The adversary model used in this paper is based on the notion of a normal adversary [34], [36]. An adversary A can perform monitoring on all communications (between tags and coordinator readers) and collecting some side channel information based on all oracles defined in [34] as well as result (π) oracle as in Definition 3. We

Conclusion

We have proposed a RFID tagged object ownership transferring protocol that addresses the required security and business requirements of the IoT. The proposed protocol verifies ownership transferring requests and can handle all possible tag ownership transfer scenarios which were completely ignored by previous protocols. It has a flexible grouping mechanism, therefore one can easily include or exclude a tag or an owner reader. We have used a modified group Diffie–Hellman algorithm to validate an

Acknowledgements

We appreciate the anonymous reviewers for their constructive feedback and Maliha Omar. We also appreciate partial financial support from CQU, Deakin University and the Deanship of Scientific Research at King Saud University, Riyadh, Saudi Arabia through the research group project no. RGP-318.

Biplob R. Ray is an ICT lecturer at the School of Engineering and Technology, CQUniversity, Australia. He has eight years of experience within the Education, IT and Recruitment industries in Philippines and Australia. He has worked as a system programmer and team leader in HSG, Philippines. He has also worked as an analyst programmer and research assistant in Telstra and Deakin University respectively. Prior to joining CQUniversity, Dr. Ray was an academic staff in University of Ballarat,

References (39)

  • Jenq-ShiouL. et al.

    Improving heterogeneous SOA-based IoT message stability by shortest processing time scheduling

    IEEE Trans. Serv. Comput.

    (2014)
  • RayB.R.

    Secure object tracking protocol for the internet of things

    IEEE Internet Things J.

    (2016)
  • DeganZ. et al.

    A novel approach to mapped correlation of ID for RFID anti-collision

    IEEE Trans. Serv. Comput.

    (2014)
  • PereraC. et al.

    The emerging internet of things marketplace from an industrial perspective: A survey

    IEEE Trans. Emerg. Top. Comput.

    (2015)
  • Al-FagihA.E. et al.

    A priced public sensing framework for heterogeneous IoT architectures

    IEEE Trans. Emerg. Top. Comput.

    (2013)
  • LinI.-C. et al.

    Non-identifiable RFID privacy protection with ownership transfer

    Int. J. Innovative Comput. Inform. Control

    (2010)
  • DossR. et al.

    Secure RFID tag ownership transfer based on quadratic residues

    IEEE Trans. Inform. Forensics Security

    (2013)
  • LuoJ.-N. et al.

    Mobile RFID mutual authentication and ownership transfer

    Int. J. Adv. Comput. Technol.

    (2012)
  • LiuL. et al.

    Mutual authentication protocol with ownership transfer

    Int. J. Digital Content Technol. Appl.

    (2012)
  • Cited by (30)

    • Secure and lightweight privacy preserving Internet of things integration for remote patient monitoring

      2022, Journal of King Saud University - Computer and Information Sciences
      Citation Excerpt :

      A comprehensive medical network is possible with wireless technologies, sensors, actuators and Internet of Things (Yang et al., 2017). It will help in driving medical or healthcare domain integrated with IoT for next generation applications (Ray et al., 2018). As of now, medical fields are using Information Technology (IT) for secure management and tracking of drugs.

    • A novel group ownership transfer protocol for RFID systems

      2019, Ad Hoc Networks
      Citation Excerpt :

      In 2012, Yang [42] designed a group ownership transfer protocol for mobile RFID systems. Yang's work, however, is said to have unrealistic assumptions that the old owner cannot eavesdrop the new owner's communication; at the same time, the tree-based ownership transfer protocol has a computational overhead problem as well as a windowing problem [31]. In addition, Yang’s protocol is weak against the tag impersonation attack, and the identities of the readers and tags as well as the ownership information are all stored in the backend server in the form of plaintext, making the backend server an easy target to attack [10].

    • Security enhancement on an RFID ownership transfer protocol based on cloud

      2019, Future Generation Computer Systems
      Citation Excerpt :

      In late 1990s, the concept of Internet of Things (IoT) was proposed. IoT is commonly defined as the inter-networking of physical devices connected to the Internet via wired or wireless communication technologies (e.g. RFID, Wi-Fi, Bluetooth, ZigBee, NFC, Z-Wave, Fiber-optic and etc.) so that automatic and intelligent management can be executed among the inter-networked devices [1–4]. Since the beginning, RFID technologies have been widely used in IoT environments.

    • A multistage protocol for aggregated queries in distributed cloud databases with privacy protection

      2019, Future Generation Computer Systems
      Citation Excerpt :

      also demonstrate that the MSQP protocol is scalable and efficient. An interesting open problem is to consider analogous tasks for the protection of privacy in social networks [84,85], smart home healthcare delivery [86], wireless body area networks [87], fog computing [14,42,88,89] or IoT [90–93]. The corresponding questions are more difficult, because of the more complex nature of data ownership that may occur.

    View all citing articles on Scopus

    Biplob R. Ray is an ICT lecturer at the School of Engineering and Technology, CQUniversity, Australia. He has eight years of experience within the Education, IT and Recruitment industries in Philippines and Australia. He has worked as a system programmer and team leader in HSG, Philippines. He has also worked as an analyst programmer and research assistant in Telstra and Deakin University respectively. Prior to joining CQUniversity, Dr. Ray was an academic staff in University of Ballarat, Deakin University and Melbourne Institute of Technology. He has published a number of peer reviewed papers and book chapters on network security and health informatics. Dr. Ray is a member of IEEE society. He has served as a member of technical program committee for several international conferences and as a reviewer for a number of journal papers since 2010.

    Jemal H. Abawajy is a full professor at Faculty of Science, Engineering and Built Environment, Deakin University, Australia. Professor Abawajy was awarded the higher doctoral degree, Doctorate of Science (D.Sc.) in 2016, by Deakin University for his outstanding research achievements. Professor Abawajy is currently the Director of the Distributing System and Security Research cluster and an executive member of the Center for Cyber Security Research at Deakin University. He is a Senior Member of IEEE Society; IEEE Technical Committee on Scalable Computing (TCSC); IEEE Technical Committee on Dependable Computing and Fault Tolerance and IEEE Communication Society. Professor Abawajy is actively involved in funded research supervising large number of Ph.D. students, postdoctoral, research assistants and visiting scholar in the area of Cloud Computing, Big Data, Network and System Security, Decision Support System, and E-health. He is the author/co-author of seven books, more than 300 papers in conferences, book chapters and journals such as IEEE Transactions on Computers, IEEE Transaction on Cloud Computing and IEEE Transactions on Fuzzy Systems, IEEE Transactions on Emerging Topics in Computing and IEEE Transactions on Services Computing. He also edited 10 conference volumes. Professor Abawajy has delivered numerous keynote addresses, invited seminars, and media briefings (e.g., Voice of America’s English Radio). His leadership is extensive spanning industrial, academic and professional areas (e.g., IEEE Technical Committee on Scalable Computing, Academic Board, Faculty Board and Research Integrity Advisory Group). Professor Abawajy is one of the founding members of the IEEE Communications Society Technical Sub-Committee on Big Data. He has been actively involved in the organization of more than 300 national and international conferences in various capacity including chair, general co-chair, vice-chair, best paper award chair, publication chair, session chair and program committee. Professor Abawajy has served on the editorial-board of numerous international journals and currently serving as associate editor of the IEEE Transaction on Cloud Computing, International Journal of Big Data Intelligence and International Journal of Parallel, Emergent and Distributed Systems. He has also guest edited many special issue journals.

    Morshed Chowdhury received his Ph.D. from Monash University, Australia in 1999. Dr. Chowdhury is an academic staff member in the School of Information Technology, Deakin University, Australia. Prior to joining Deakin University, he was an academic staff in Gippsland School of Computing and Information Technology, Monash University, Australia. Dr. Chowdhury has more than 12 years of industry experience in Bangladesh and Australia. As an International Atomic Energy Agency (IAEA) fellow he has visited a number of International Laboratory/ Centers such as Bhabha Atomic Research Centre, India, and Brookhaven National Laboratory, New York, USA, International Centre for Theoretical Physics (ICTP)-Italy. Dr. Chowdhury’s current research interests are RFID security, wireless network security and security of social networks, documentation security etc. He has published more than hundred five research papers including a number of journal papers, conference papers and book chapters. He has organized a number of international conferences and served as a member of the technical and program committee of several international conferences since 2001. He has also acted as reviewer of many journal papers.

    Abdulhameed Alelaiwi is a faculity member of Software Engg. Department, at the College of Computer and Information Sciences, King Saud University. Riyadh, Saudi Arabia. He received his Ph.D. degree in Software Engineering from the College of Engineering, Florida Institute of Technology-Melbourne, USA. He has authored and co-authored many publications including refereed IEEE/ACM/Springer journals, conference papers, books, and book chapters. His research interest includes software testing analysis and design, cloud computing, and multimedia. He is a member of IEEE.

    View full text