A Classified Protection Protocol for RFID-based Medical Systems

RFID technology has been used in many medical systems. The data transmitted in these medical systems is very important and sensitive, and the security of this private data faces a wide range of risks. Most existing protocols lack the idea of classified security protection for RFID-based medical systems, so they are difficult to apply directly. To address this problem, a reliable classified protection protocol for RFID-based medical systems is proposed in this study without assuming that the channels between readers and server are safe. The protocol allows different participants to access the authorized tag data. The proposed protocol adopts timestamp, one-way hash function and mutual authentication procedure to provide security protection and good performance. Based on a formal analysis, GNY logic is used to verify the design correctness of the protocol. According to the analysis of the attack model, the protocol can resist various attacks: internal attack, replay attack, tracking attack, spoofing attack and DOS attack. Performance analysis indicates that the protocol has less communication overload, similar storage requirements and acceptable computation load compared with other related protocols.


Introduction
Radio Frequency Identification (RFID) is an automatic identification technology. Prominent RFID applications include medical systems (Zhao et al., 2018; Youssef et al., 2019), Supply Chain Management (SCM) (Sun and Wei, 2019) and Internet of Things (IoT) (Álvarez López et al., 2018). The tag communicates with a reader via wireless channels, where neither visual nor physical contact is needed. Some readers are fixed and some are mobile. Wireless communication is more vulnerable to malicious adversaries, which causes user privacy disclosure and security threats (Cha and Yeh, 2018; Alotaibi, 2019). Many schemes have been proposed to address these problems, some for IoT (Rasheed et al., 2019; Alotaibi, 2019), some for SCM (Ahamed et al., 2020; Ren et al., 2016) and some for medical systems (Youssef et al., 2019; Mehra et al., 2018; Sanchez et al., 2019; Safkhani and Vasilakos, 2019). In the medical system, RFID tags can be attached to the surface of the object, or implanted into it to collect its information (Fan et al., 2018). In addition, RFID has also been found to be of great help in improving the tracking of patients, medicines and medical assets in hospitals, and the digitalization of these operations improves their efficiency and safety (Álvarez López et al., 2018). For patients, the tag can collect physical health data as well as communicate and interact with the server (Fan et al., 2018). This makes remote real-time monitoring and telemedicine a reality for Wireless Body Area Networks (WBAN) (He et al., 2013) and mobile health networks (Zhang et al., 2015). Patients authorize doctors to monitor users' physical health data through the RFID system. RFID systems can also track and manage medical assets and medication. There are a lot of medication errors in the medical system every year. By improving the automation of low- and medium-complexity tasks, an RFID system can minimize medical errors (Fan et al., 2018).
Along with the advantages of medical RFID systems, their security problems are increasingly prominent (Chen et al., 2016). It is known that personal physical health information is closely related to individual privacy and business interests. The information collected from tags is valuable for some agencies (e.g., insurers and cosmetic surgery hospitals). There are various participants (e.g., doctors, nurses, asset managers) in a medical system. Each participant has its authorized readers, which are permitted to access the authorized tag data, while any irrelevant sensitive data of other groups will not be disclosed publicly (Ning et al., 2011). Attackers may steal or fake the patients' medical privacy data, destroy the normal work process of the system and cause the serious consequences of medical privacy data disclosure. Therefore, security has become one of the key issues to be solved in the application of RFID in medical systems (Fan et al., 2018).
RFID-based medical systems face two threats: external attack and internal attack. Both attacks may lead to security threats and privacy disclosure. External attack refers to illegal entities (such as insurers or business competitors), who may carry out replay attack, denial of service attack and spoofing attack. Internal attack refers to legal entities, who may impersonate other legal entities to exceed their authority. For example, an asset manager's reader impersonates a nurse's reader to access a tag and obtain the patient's private data.
Most existing protocols lack the idea of classified security protection for RFID-based medical systems. Other protocols assume the channels between readers and servers are secure. In fact, the channel between reader and server is not secure due to wireless communication.
Therefore, a reliable classified protection protocol for RFID-based medical systems is proposed. Doctors, nurses and managers are allowed to access the specified field areas of a Tag Identifier (TID). Readers can change roles successfully without tag intervention.
The proposed protocol adopts timestamp, one-way hash function, pseudorandom identifiers and mutual authentication procedure to provide security protection and good performance.
The organization of the paper is as follows. The requirement of the RFID-Based medical system and some related protocols are analyzed in section II. The proposed protocol is described in section III. Formal analysis of the protocol with GNY logic is provided in section IV. In the next section, the attack model is used to analyze the security against external and internal attacks. Performance analysis is carried out in section VI. Finally, section VII summarizes the scheme and discusses the future work (Rhee et al., 2005).

Requirement of the RFID-Based Medical Systems
There are two typical architectures for the RFID system. One is that the connection between the server and the reader is wired and the reader is fixed. The other is that the connection between the server and the reader is wireless and the reader is portable (Fan et al., 2018).
In the first architecture mode, the channel between the reader and server is considered secure, while the channel of the second one is considered insecure. Both structures exist in the RFID-based medical system and it is necessary to ensure reliable and secure access to medical information of patients as well as sensitive information management (Fan et al., 2018).
The tags in medical systems usually contain some sensitive or personal data. These data are valuable for external entities. Divulging all or part of the data may damage people's privacy and seriously affect their physical and mental health. For example, the medication provided by patients to insurance the insurers or business competitors are related to commercial interests and maintain the personal privacy of managers. Thus, only doctors or nurses can obtain the information. The nurse is allowed to read the medication of the patient, but not the previous medical history. Therefore, it is necessary to classify and protect the tag data. Legal readers are authorized to read only some fields of the tags. Therefore, the medical system needs classified security protection.
This means that RFID tags should provide a mechanism to prevent tag information from being revealed by any malicious reader. When a TID is transmitted over a public channel, only the authenticated reader can read it. The exchanged data are protected to fight against forgery and data modification by either illegal readers or unauthorized legal readers. The protocol should provide entity authentications between valid readers, valid tags and authorized server.
The RFID-based medical system needs to resist the following attacks: internal forgery attack, spoofing attack, replay attack, tracking attack and DOS attack.

Related Protocols
Many schemes have been proposed to address the potential security and privacy problems in RFID systems. Here the related schemes for the medical system or the hierarchic security protection are discussed. Zhao (2014) and Zhang and Qi (2014) proposed two efficient ECC-based RFID authentication schemes that can be applied to the healthcare environment. Experimental results show that these ECC-based RFID authentication schemes are suitable for automated patient medication systems (Fan et al., 2018). However, the former cannot resist some attacks, such as replay attack, spoofing attack, DOS attack and location tracking attack. The latter claimed the scheme can resist all the attacks. Neither of them is suitable for the lightweight RFID system due to ECC. Fan et al. (2018) proposed a lightweight RFID protocol for medical privacy protection in IoT, which can withstand various attacks. However, the above-mentioned protocols lack the classified security protection idea for overall management.

The aforementioned schemes allow all the authorized readers to access the entire identifiers of all legal tags. Based on the previous analysis, it is essential for authenticated entities to access the specified field areas of the Tag Identifier (TID) (Ning et al., 2011). Ning et al. (2011) proposed a distributed Key Array Authentication Protocol (KAAP) for RFID systems. However, it is hard for a reader to change its role in KAAP. This feature limits the protocol scalability (Ren et al., 2016). Ren et al. proposed a scalable authentication protocol with classified protection in RFID-based systems. Both of them can withstand various attacks for lightweight RFID systems and assume that the communication between the server and the reader is safe. However, the connection between the server and the reader is wireless in medical RFID systems. The wireless communication is facing more serious challenges. Thus, this assumption does not hold in medical RFID systems.
In view of patient privacy and overall management, there is not a suitable protocol that can be directly applied in medical RFID systems.

Proposed Protocol
The proposed protocol is shown in Fig. 1. It is described below in detail, following the sequence of message exchanges.

Challenge Messages
One reader generates a random number Rr, then computes H1 = h(PIDR||Rr) and H2 = h(PIDR||T0) and sends them to the tag as an initial query.

Response Messages
Upon receiving the query, the tag verifies the reader by searching H1 = h(PIDR||Rr) in the access list LR. If there is no PIDR to meet H1, the protocol will terminate with an error code. Otherwise, the reader obtains PIDR. After generating a random number Rt, T computes H3 = h(PIDR||Rr||H2)  h(PIDt||Rr) and then sends H3 and Rt to the reader.

Authenticate the Reader and the Tag
When receiving the authentication request from the reader, the server first detects whether where T is the current timestamp of the server and t is the transmission delay threshold. If it is true, the server continues to verify the legitimacy of the reader and tag. Otherwise, the protocol will be terminated. The server verifies the reader through H0 = h(PIDR||Rr) and H1 = h(PIDR||T0). If the above step holds, the server computes h(PIDR||Rr||T0) and verifies the tag through h(PIDt||Rr) = H5  h(PIDR||Rr||T0). If the formula holds, the tag is legal.

The Reader Authenticates the Server
After receiving the server's message, the reader first detects whether 21 where T2 is the current timestamp of the reader. If it is true, the reader checks H5 = h(PIDR||Rr||T1) to verify the server. Then it gets kij from H7 and computes H8 = h(PIDR||Rt||kij). Finally, the reader resends H6, H7, H8 to the tag.
Reader → Tag: H6, H7, H8

The Tag Authenticates the Server
After receiving the reader's response, the tag extracts kij from H7, checks H6 = h(PIDt||PIDR||Rt||kij) and H8 = h(PIDR||Rr||kij) to verify the reader, the server and the kij value.

Formal Analysis of the Protocol with GNY Logic
GNY logic (Gong et al., 1990) is optimized and derived from BAN logic (Burrows et al., 1989). Based on knowledge and belief, GNY logic uses postulates and definitions to analyze whether the protocol goals can be derived from the initial assumptions and message exchanges in the reasoning process. GNY logic is chosen to prove the security correctness of the protocol.
The GNY formal logic analysis involves four steps: (1) formalization of the protocol messages; (2) declaration of initial assumptions; (3) definition of anticipant goals; and (4) verification by logical rules and formulae.

Formalization of Messages
Each exchanged message is expressed with a logical formula and a formal message in the language of GNY Logic. For the sake of clarity, the same statements are used as (Gong et al., 1990;Ren et al., 2013).
According to the authentication phase, the formalized messages are as follows:

Initial Assumptions
In order to specify the initial possessions and abilities of each participant, the following statements are assumed: These statements show that each participant possesses its random number and the pseudorandom identifier. Each tag believes or is entitled to believe kij and PIDR are fresh. The server possesses kij, PIDR and PIDt and it believes that they are fresh.

Protocol Messages and Security Correctness Goals
The purpose of the protocol is to assure freshness of data and mutual authentication among R, S and T. The anticipant goal can be obtained as follows: The first to the seventh goals show belief requirements. The server and T believe R conveys Rr and PIDR. R believes T conveys Rt. The server believes T conveys PIDt and Rt. The next four goals show that the messages are not used in the previous sessions and indicate fresh requirements. The twelfth and thirteenth goals indicate R and T believe the server conveys kij. The last two goals show they believe that h(kij) is fresh.

Logic Verification
Logic verification is based on the formalized messages, the related GNY Rules and the assumptions.
Verifications for the first to the seventh goals are similar to (Rahman and Ahamed, 2014) and are not repeated here. This subsection focuses on verification of the other goals.
For G8: From message M1 gets:
Applying the Being-Told Rule T1: (P ⊲ (*X))/(P ⊲ X) deduces:
T can retrieve PIDR from LR and applying the Being-Told Rule T2: (P ⊲ (X, Y))/(P ⊲ X) deduces:
Applying the Possession Rule P1: (P ⊲ X)/(P ϶ X):
Applying the Possession Rule P2: (P ϶ X, P ϶ Y)/(P ϶ (X, Y)) deduces:
From the assumption A4, it gets:
Applying the Freshness Rules F1: (P |# (X))/(P |# (X, Y), P |# F(X)) deduces:
Applying the Freshness Rules F10: (P |# (X), P ϶ X)/(P |# H(X)) deduces:
Thus, T is entitled to believe that h(PIDR||Rr) is fresh.
Hereinafter, for simplicity, the applied logical rules and formula behind the formula are marked:
Goal G9 is achieved. Verifications for the tenth and eleventh goals are similar to the ninth goal and are not repeated here:
As a consequence, R is entitled to believe the server once conveyed kij:
For G13: From aforementioned formula (11) gets

Security Analysis
Unlike most similar protocols, communication between the server and the reader is regarded as insecure because the connection between them is wireless in RFID-based medical systems. The wireless communication is facing more serious challenges.

Attack Model
In this section, the security of the scheme is analyzed using an attack model. The attack model covers several common attacks: replaying, forgery, tracking, spoofing and DOS. The protocol will not generate mismatching among the three participants (the reader, the tag and the server) when a run is incomplete. Thus, the desynchronization attack is not discussed here. It is assumed the attacker cannot replicate a tag or a reader.
Security analysis is performed with three steps like (Ning et al., 2011): ① To suppose the action of the attacker; ② to simulate the process of the attacking step by step; and ③ to deduce the security.

Replay Attack
Replay attack is an active attack. The attacker obtains the message of the current session and then modifies, deletes or replays the message in the next session. The goal of the attack is to obtain the sensitive data.
Under the replay attack, the attacker A performs the following actions:

Internal Forgery Attack
The forgery attack can be categorized into internal and external forgery attacks. From the analysis of the replay attack, the scheme can resist the external forgery attack. Thus, the internal forgery attack is analyzed here. In the attack, the legal reader in one group oversteps its access authority to obtain others' private information by forging another legal reader in another group (Ren et al., 2016).
During the internal reader forgery attack: In

Spoofing Attack
In this attack, the attacker can forge a legal reader to obtain the information of the legal tag and damage the normal communication. The attacker can also forge a legal tag to obtain a valid response (Ren et al., 2016).
During the spoofing attack, an attacker A performs the following actions:

In One Session
A disguises as a reader Ra and sends a query to T: T cannot find a match to verify A(Ra) by searching in the access list LR. The authentication will be ended.

In Bad Conditions
T may respond to A(Ra) by mistake. A(Ra) obtains Rt and h(PIDt||Rt), then authentication will continue.

In the Next Session
A intercepts messages sent to T and disguises as a tag Ta first: The tag finds that these two are not equal and the authentication will be interrupted. In this protocol, access lists are available for preliminary verifications and random numbers are valid for one time. So the protocol can resist the spoofing attack.

Tracking Attack
The tracking attack is a passive attack; it traces tags through malicious readers. Some malicious readers send the same query to a tag. If the tag responds with the same message, the attacker may trace the certain tag and obtain its related information (Ren et al., 2013).
Under the attack, the attacker A performs the following actions: The tag finds there is no matching entry in the access list LR. The authentication will terminate.
In worse conditions, T responds to these readers by mistake: In other words, if the attacker collects the transferring messages by a certain tag in the past sessions, it cannot find two same messages. It cannot track specific tags because random numbers generated by readers and tags are different in each session.
Therefore, the protocol can resist the tracking attack.

DOS Attack
DOS attack is an active attack. The attacker launches a lot of requests with false addresses. The system has no sufficient resources to process the normal communication because most of the resources are allocated to handle these malicious messages. The goal of the attacker is not to obtain the sensitive data, but to destroy the normal communication.
Like (Ning et al., 2011;Ren et al., 2013), two approaches (the access list and the access control) are adopted to provide protection in this protocol. Access lists (LR, LT) are used for quick search and preliminary check.
Under the attack, the attacker A may perform the following actions: A sends several requests with wrong PIDR to one tag. The tag can quickly identify all illegal readers by the access list LR. The access control is applied by random/pseudorandom numbers (Rr, Rt, PIDR, PIDt). The legal server and tag can refuse the request with the same pseudorandom identifier and random numbers in a certain time, because they keep the last received and pseudorandom identifiers as temp lists. The legal reader can do that by keeping (Rt, h(PIDt||Rt)).
If the attacker continually replays legal requests obtained from the former session to a tag (or a reader or server), the tag (or the reader or server) can deny the requests through access control. Hence, the attacker cannot interfere with the normal communication.
In short, the DOS attack can be resisted in this protocol.
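The tag-side checks described under Response Messages (searching H1 = h(PIDR||Rr) in the access list LR) and under DOS Attack (refusing a repeated pseudorandom identifier and random number kept in a temp list) can be sketched as follows. This is an added example, not code from the paper: SHA-256 as h, 16-byte fields, Rr being sent alongside H1, the cache size and all names are assumptions, and H2 is left out because the tag only forwards it.

```python
import hashlib
import hmac
import os
from collections import deque

FIELD_LEN = 16  # assumed fixed width of PIDR, Rr and Rt, so "||" is unambiguous

# Constructed sample identifiers (not from the paper).
NURSE_PIDR = b"N" * FIELD_LEN
DOCTOR_PIDR = b"D" * FIELD_LEN
ASSET_PIDR = b"A" * FIELD_LEN   # a legal reader that is not on this tag's list


def h(*parts: bytes) -> bytes:
    """h(a||b||...); SHA-256 is an assumption, the paper does not name h."""
    return hashlib.sha256(b"".join(parts)).digest()


def reader_query(pidr: bytes):
    """Reader side of the challenge: fresh Rr and H1 = h(PIDR||Rr)."""
    rr = os.urandom(FIELD_LEN)
    return rr, h(pidr, rr)


class Tag:
    def __init__(self, access_list, cache_size=8):
        self.LR = list(access_list)             # PIDRs allowed to query this tag
        self.recent = deque(maxlen=cache_size)  # temp list of accepted (PIDR, Rr)

    def handle_query(self, rr: bytes, h1: bytes):
        """Return ("ok", PIDR, Rt) or ("error", reason, None)."""
        if len(rr) != FIELD_LEN or len(h1) != hashlib.sha256().digest_size:
            return ("error", "malformed", None)
        matched = None
        for pidr in self.LR:
            # Scan the whole list and compare in constant time so the
            # response time does not reveal which entry matched.
            if hmac.compare_digest(h(pidr, rr), h1):
                matched = pidr
        if matched is None:
            return ("error", "unknown-reader", None)   # no PIDR in LR meets H1
        if (matched, rr) in self.recent:
            return ("error", "replayed-query", None)   # access control
        self.recent.append((matched, rr))
        return ("ok", matched, os.urandom(FIELD_LEN))  # fresh Rt every session


def demo():
    tag = Tag([NURSE_PIDR, DOCTOR_PIDR], cache_size=2)
    rr, h1 = reader_query(NURSE_PIDR)
    first = tag.handle_query(rr, h1)
    replay = tag.handle_query(rr, h1)                  # same (PIDR, Rr) again
    outsider = tag.handle_query(*reader_query(ASSET_PIDR))
    return first[0], replay[1], outsider[1]


if __name__ == "__main__":
    print(demo())
```

Because the temp list is bounded, a query older than the cache window passes the tag's check again; in this sketch that case is left to the timestamp checks at the server and reader.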
In the protocol, an attacker cannot obtain the tag's identifier even if it correctly guesses the random number Rt. So the protocol offers anonymity. Table 1 shows the security comparison with other related protocols for lightweight RFID systems.

Performance Analyses
In this section, we will compare the proposed scheme with some other protocols in terms of performance, including storage requirement, the computation overhead and communication overhead.
The performance comparison between this protocol and other related protocols of lightweight RFID systems is shown in Table 2. Like (Fan et al., 2018; Zhao, 2014; Zhang and Qi, 2014; Niu et al., 2014; Doss et al., 2013), the protocol assumes that the channels between readers and servers are insecure since they work in a mobile RFID system. KAAP and SAAP assume that the channels between readers and server are secure in the RFID system.

Storage Requirement
The tag's storage is limited relative to the reader and the server, so only the tag's storage use is considered in Table 2. Each tag stores the TID IDT, access list LR and pseudorandom identifier PIDT in the protocol. It is the same as most related protocols.
For the sake of simplicity, it is noted that all the components are assumed L-bits size and the length of keys, hash function value and random numbers are ignored in Table 2.

Computation Cost
In the authentication process, each reader performs a Random Number Generation (RNG) operation and a one-way hash function and the server performs a one-way hash function. Each tag in the protocol needs to perform three bitwise XOR, one RNG operation and one hash function. Since XOR consumes little resource, XOR operation and other simple operations are ignored here. In general, a server and reader are not limited in computing resources, so Table 2 only shows the tag computation cost of the protocol, which is obviously more than (Fan et al., 2018) and less than (Niu et al., 2014).

Communication Overhead
In terms of communication overhead, "round" represents the number of communication rounds in the whole authentication process in Table 2. "Communication cost" represents the resource consumption on the channel between the tag and the reader. Supposing that the identifier of a reader or a tag has the same length L, the communication cost of this protocol is 0 L. It is less than other related protocols.
Based on the previous analysis, the protocol has middle complexity in storage requirement and computation cost and its communication overhead is obviously less than other related protocols.

Conclusion
To minimize medical errors and for overall management, more and more medical systems adopt RFID technology. The tags in medical systems usually contain some sensitive or personal data. Leakage of whole or part of the data may damage people's privacy and seriously affect their physical and mental health.
Most of the existing protocols lack the idea of classified security protection for RFID-based medical systems. These protocols are difficult to apply directly, and other protocols assume the channels between readers and servers are safe.
A classified protection protocol is proposed for RFID-based medical systems without the assumption that the channels between readers and server are safe. The scheme allows different participants to access the authorized tag data in the medical systems. Readers, tags and servers are mutually authenticated. Readers can change their roles freely, so the protocol has better scalability.
The protocol uses timestamp, access list, mutual authentication mechanism and random access control mechanism to strengthen security and privacy protection. Based on formal analysis, the design correctness of the protocol is verified by GNY logic. According to the analysis of attack model, the protocol can resist all kinds of attacks: Internal attack, replay attack, tracking attack, spoofing attack and DOS attacks.
Performance analysis shows that the protocol has less communication overload, similar storage requirements and acceptable computation load compared with other related protocols. Therefore, the new protocol is suitable for RFID-based medical application.
The new protocol cannot detect the patient. In the future, we will focus on personnel detection of patient status in the scheme and develop several programs to simulate further certification.

Author's Contributions
Xueping Ren: Has conceived and designed the experiments, data analysis, manuscript writing and publication.
Ming Jiang: Has reviewed and revised the manuscript.

Ethics
Authors should address any ethical issues that may arise after the publication of this manuscript.