Radio frequency identification (RFID) is an efficient and practical identification technology. It transmits information between reader and tag through radio wave to realize object tracking and identification. RFID system is mainly composed of tag, reader and back-end database system. The tag can receive data and send it to the reader. The reader is responsible for processing and capturing the tag data, and transferring the data to the back-end database system. Readers play a mediating role in tags and back-end systems. This kind of non-contact technology not only brings convenience, but also has many security risks, such as object location tracking and label information leakage. RFID Security has attracted more and more attention. Many scholars have proposed security authentication protocols, such as RFID Security Protocol Based on key matrix, key value update random hash lock to strengthen RFID Security and privacy, and information security solution based on lightweight encryption technology to establish the perception layer of the Internet of things. To a certain extent, these algorithms can resist attacks and have certain security, but they also have some defects, such as synchronization problems, large amount of computation and no immunity to replay attacks.
Visual cryptography scheme (VCS) is a new cryptography technology, which has the advantages of simple decryption, small amount of calculation and unconditional security. It was proposed by Naor and Shamir at the European Conference on cryptography in 1994. The basic idea is to encode the secret image into n shadow images (shared images), and assign the shadow images to n participants respectively. When decrypting, only K (K ≤ n) participants are required to superimpose the shadow images, and the secret information [1-3] can be identified visually. In reference , a (2, n) threshold visual cryptography scheme based on Boolean operation is proposed. In encryption, the secret image is shared into n shared images, and in decryption, any two shared images are taken for XOR operation to recover the secret image. Reference  analyzes the security loopholes in the perception layer of the Internet of things architecture, and proposes an identity authentication scheme based on visual cryptography. Although the scheme adopts the characteristics of simple operation of visual cryptography, it only realizes one-way authentication in the authentication process, that is, the authentication of label, but not the authentication of reader. In addition, because the authentication information remains unchanged during the authentication process, the scheme can not resist location tracking, replay and other attacks. Document  uses visual cryptography to realize two-way identity authentication. However, in the authentication process, it is difficult for the algorithm to resist counterfeiting attacks. Once captured, the algorithm can not guarantee forward security. In view of the defects of the existing authentication protocol, this paper uses visual cryptography to construct a new RFID authentication protocol. Visual cryptography is used to realize the authentication between the tag and the reader, and the shadow image in the tag is updated after authentication, which makes up for the shortcomings of the existing authentication protocol, such as large computation and poor security.
1 visual code
1.1 basic principle
The (k, n) visual cryptography scheme encrypts a secret image p into n shadow images. When decrypting, only K (K ≤ n) shadow images need to be overlapped to recover the secret information. The basic principle of encryption is to process each pixel in secret image p n times, and each pixel in P corresponds to m black-and-white subpixels (M is called pixel expansion) in shadow image. After processing all pixels in P, n shadow images can be obtained. If an n * m Boolean matrix A = (AIJ) n * m is constructed for the encryption of each pixel in P, then AIJ = 0 means that for a pixel in the secret image, the color of its j-th sub-pixel of the i-th sharer is white; AIJ = 1 means that the color of the j-th sub-pixel of the i-th sharer is black. The I th line of matrix A is the corresponding sub-pixel of a pixel in the shadow image of the secret image P. Do or operation on all the elements of the j-th column in a, and its value w (V) is called the Hamming weight of the pixel block.
When decrypting, K shadow images are overlapped and the Hamming weight of each pixel block is calculated. When w (V) ≥ D, the pixel in the image is black; (2,2) visual Cryptanalysis of W (V) 1.2 binary image
Taking a black-and-white binary image p decomposed into two shadow images as an example to illustrate the basic principle of the visual cryptography scheme, the formula (1) is used as the encryption matrix (H0 and H1 respectively represent the encryption matrix of white and black pixels in the secret image), and the pixel expansion M = 2. The specific steps are as follows: (1) for each pixel PXY in P, the expansion method: if PXY is white, a matrix is selected from the set H0 with medium probability to encrypt the pixel; A row in the matrix is the corresponding pixel block of PXY in the shadow image. If PXY is black, a matrix is selected from H1 to encrypt the pixel.
(2) Repeat the above operation until all pixels in P are encrypted.
The decryption steps are as follows:
① The parameters D and a were selected; Two shadow images are superimposed, and the Hamming weight W (V) of each pixel block in the superimposed image is calculated;
② When the Hamming weight W (V) ≥ D, the pixel in the restored image is black; W (V) 3 the restored image can be obtained by repeating the above process.
RFID authentication protocol based on visual cryptography
2.1 preset information
In the RFID authentication protocol based on visual cryptography, the background database stores a record (ID, S1, RR, pointer) for each tag. ID is the unique identifier of the tag, and RR is the random number generated by the system. A black-and-white binary image p is constructed by RR; S1 is the shadow image obtained by (2,2) visual Cryptanalysis of P. Pointer is the data record association pointer, which is used to ensure the synchronization security in the authentication process. The ID identifier and another shadow image S2 corresponding to the label are stored in the label. The reader has a random number generator and stores a record (hash (ID | R) and ID) for each tag. Hash (ID | R) is the hash value of tag ID and random number. The back-end system and tag share hash() and ard(), hash() is a hash function, and ard() is a cat face transform function, which is used to encrypt and restore shadow image. During initialization, a binary image p is randomly generated for each tag, which is decomposed into shadow images S1 and S2 by using visual cryptography, and these information are stored in the background system and tags respectively, as shown in Figure 1.
2.2 protocol authentication process
(1) After the reader sends the authentication request query and random number r to the tag, it updates the hash (ID | R) value recorded in the reader.
(2) The tag calculates hash (ID | R), encrypts the shadow image S2, and sends the information hash (ID | R) and en (S2) to the reader.
(3) The reader uses hash (ID | R) as the index to search the records in the table. If it is found, it forwards the ID and en (S2) in the records to the back-end system; Otherwise, the session ends.
(4) The background searches the database with ID as index. If it is found, S1 in the record and S2 after decryption are taken for visual cryptography operation to get the recovered image p ‘. The system detects whether the information in P’ is consistent with RR, and if it is consistent, the label will pass the authentication. The back-end system randomly generates a new random number RNew and the corresponding binary image pnew, performs visual cryptanalysis on pnew to obtain new shadow images s1new and s2new, generates a random number r, calculates hash (ID | R), sends hash (ID | R), R and en (s2new) to the reader. The reader receives it and forwards it to the tag. If the information detected in P ‘is inconsistent with that of RR, the session ends.
(5) The database checks the pointer value in the current record J. if pointer = 0, a new record K (ID, s1new, rrnewj, J) is added, and the pointer value in record J is changed to K. If pointer= 0, find the record referred to by the pointer, and modify its content to (ID, s1new, rrnewj).
(6) After the tag receives hash (ID | R), R and en (s2new), the tag calculates hash (ID | R) and compares it with the received hash (ID | R). If the comparison is successful, the reader will pass the authentication. After the tag decrypts en (s2new), the shadow image S2 will be updated, otherwise the session ends. The authentication process between tag and reader is shown in Figure 2.
3 protocol security analysis
3.1 two way authentication analysis
Bidirectional authentication between tag and reader is the most important problem to be considered when designing security protocol. In this paper, only the legal tag has the correct shadow image S2, and the information recovered after S2 overlaps with its corresponding S1 is consistent with the information of RR; If the tag is forged, the recovered information is inconsistent with the information of RR. So S2 can be used to realize the identity authentication of the tag. In the protocol, S2 is transmitted in the form of ciphertext, so even if the information is leaked, the attacker can not get any information of S2. In addition, when the back-end system passes the tag authentication, the protocol will generate a new shadow image s2new, calculate the hash value of the tag ID and the random number r, and send hash (ID | R), R and en (s2new) to the tag. The tag authenticates the reader through the calculation and comparison of hash (ID | R). Finally, in the whole process of the protocol, the ID is not transmitted between the reader and the tag, so the attacker cannot get the correct ID unless the tag is physically broken. In authentication, the tag needs to send hash (ID) and en (S2), so it is useless to hold the correct hash (ID). Generally speaking, the protocol can realize the mutual authentication between reader and tag safely and reliably.
3.2 untraceability analysis
Another problem that RFID authentication protocol must consider is tag location tracking. This protocol contains anti position tracking design. After each authentication, the label will update the shadow image S2, and the value of the random number R is also changing. Therefore, each response of the label to the reader (hash (ID | R) and en (S2)) is different, thus realizing the tag anti tracking.
3.3 forward and synchronous security analysis
Suppose that a tag is broken by the attacker and gets the key, the attacker will get the shadow image S2 in use. However, after each verification, the system will randomly generate a binary image p to update the shadow image S2 in the tag, and there is no association between these shadow images. Therefore, even if the current S2 is stolen, the previous S2 cannot be calculated from the existing value, and the historical activity record of the tag cannot be obtained.
After the protocol passes the authentication of the label, the database creates a new record for the updated s2new, while retaining the old S2 corresponding record. If the update of s2new is not successful, the tag can still use the old S2 to authenticate with the reader and writer, so as to prevent the possible exception when S2 is updated.
3.4 other performance analysis
Only label ID and shadow image S2 are stored in the label, and two hash operations and one encryption and decryption operation are needed in one authentication process, which reduces the storage space and computational complexity of the label. So it’s easier to implement on low-cost tags. In each authentication, the background database searches in 2n (n is the number of tags) records, performs a hash operation, generates two random numbers, and performs a visual password encryption and decryption operation, and the amount of visual password encryption and decryption operation is small, so this method has short delay, fast speed and high efficiency.
3.5 performance comparison with other protocols
Table 1 shows the comparison between this Agreement and references  and . In the table, VCs is visual encryption or decryption, h is hash operation, R is the number of random number operations, en is symmetric encryption algorithm, De is symmetric decryption algorithm.
In this protocol, the random binary image is decomposed by visual cipher, and the decomposed shadow image is stored in the label and background system respectively. During authentication, the shadow image is decrypted by visual cipher, and then the extracted recovered image information is compared with RR. If the information is consistent, the label authentication is passed, otherwise the session ends. The encryption and decryption process of visual cryptography is simple, and the amount of computation is small. The data stored in the label end is less, and the amount of computation is small. The complex computation is mainly carried out in the background database and reader with strong computing and storage capacity. The algorithm has the characteristics of low cost, short delay and high security. On the basis of realizing two-way authentication, it can effectively resist location tracking, eavesdropping, illegal reading and other attacks.
Editor in charge: CT