
Page 1: [IEEE 2012 IEEE 14th International Conference on Communication Technology (ICCT) - Chengdu, China (2012.11.9-2012.11.11)] 2012 IEEE 14th International Conference on Communication Technology

A Novel Authentication Protocol Enabling RFID Tags Ownership Transfer

Hong Wang, School of Communication and Information Engineering, Chongqing Univ. of Posts and Telecomm, Chongqing 400065, China

Xiaolong Yang, School of Computer and Communication Engineering, Univ. of Science & Technology Beijing, Beijing 611731, China

Qiong Huang, School of Communication and Information Engineering, Chongqing Univ. of Posts and Telecomm, Chongqing 400065, China

Keping Long, School of Computer and Communication Engineering, Univ. of Science & Technology Beijing, Beijing 611731, China

Abstract—Ownership of an RFID tag may change frequently during its lifetime, so securely transferring ownership between owners is very important. Recently, some lightweight cryptography-based authentication protocols have been proposed to resolve the problem, but most of them assume that the channel between the RFID reader and the database server is secure, and they ignore backward un-traceability. Hence, during ownership transfer operations, some security and privacy vulnerabilities are inevitably exposed to malicious users and to the tag's previous owner. In this paper, we propose a novel authentication protocol enabling RFID tag ownership transfer. Based on a challenge-response mechanism, the protocol achieves mutual authentication between the tag and the database. Moreover, it authenticates the reader in order to prevent fake readers. We also give a proof of the protocol's correctness based on BAN logic. The merit of our protocol is that it not only protects the owner's privacy well but also achieves high security and high efficiency.

Keywords-RFID; ownership transfer; mutual authentication; security; privacy

I. INTRODUCTION

Nowadays RFID [1-6] is one of the most discussed auto-identification and data capture technologies. The range of its applications is broadening rapidly and falls roughly into the following categories: enterprise supply chain management and asset management; contactless payment; access control; identification and tracking, etc. RFID technology is believed to be an indispensable foundation for realizing ubiquitous computation and machine perception, as long as RFID security and privacy are guaranteed. However, the associated security and privacy risks [3-4] are not easy to cope with in low-cost RFID systems, where threats such as tracking, counterfeiting and denial of service pose an immediate danger to people. Besides, ownership of an RFID tag may change frequently during its lifetime, which makes these security and privacy risks more complicated.

Suppose that Alice (the new owner) aims to take over the tag ownership from Bob (the old owner). She can use her portable reader, e.g., a handheld PDA or smart phone, to get all information associated with the tag from Bob's back-end database. However, at the moment of tag ownership transfer, both of them have the information necessary to authenticate the tag. This fact may cause an infringement upon their privacy. More specifically, if Bob is malicious, he may still read the tag using retained tag information after the transfer, and/or trace Alice's transactions with the tag. That is, the privacy of Alice might be compromised by Bob. Conversely, if Alice is malicious, she might trace Bob's past transactions with the tag; therefore, the privacy of Bob might be compromised by Alice. Besides these risks, Alice is likely to suffer other security and privacy invasions. For example, in order to protect her privacy, Alice may update the key k. However, the tag and her portable RFID reader communicate via an insecure channel, and an adversary can easily intercept and tamper with the exchanged messages. When the reader has updated the key k but the tag has not, the two become de-synchronized. Moreover, if the tag response to each query is fixed, an adversary can easily trace the tag, which also invades Alice's privacy.

Therefore, a secure tag ownership transfer should take the following requirements into consideration [5, 8]:

(1) Ownership Transferability: ownership is transferable without invasion of the owner's privacy.
(2) Trace Attack resistance: the adversary cannot distinguish the output of the tag.
(3) Replay Attack resistance: security against the attack in which the adversary poses as a legitimate tag.
(4) Forward/Backward Security: future/previous transactions remain secure even if the tag's internal state is leaked to the adversary.
(5) DoS attack resistance: even when a legitimate tag's secret update is de-synchronized with a legitimate server, the legitimate tag can still pass the server's authentication successfully.

There are some RFID ownership transfer (OT) protocols [4-8] that address those security and privacy risks, but there are vulnerabilities in these protocols, as we will show in Section III. In this paper, we present our RFID tag ownership transfer protocol. The merit of the protocol is that it can satisfy both forward and backward un-traceability. Moreover, it provides both reader authentication and mutual authentication, which can afford strong security.

978-1-4673-2101-3/12/$31.00 ©2012 IEEE

The rest of the paper is organized as follows. Section II introduces the RFID system requirements. Section III introduces related work. Section IV presents our new protocol. Section V discusses the security, performance and correctness of our protocol. Section VI concludes this paper.

II. RFID SYSTEMS AND SECURITY

A. Brief Description of RFID System

An essential RFID system usually consists of three components: tags, several readers and one back-end database/server. The tag is a small and cheap device that combines an IC chip and an antenna for radio communications. Conventional security primitives cannot be integrated in the tag because of its limited computation and memory resources. When the back-end database wants to identify one or more tags, a reader emits an RF signal via its antenna, and any tag within range of the signal sends a response with certain stored data. The reader then delivers the received tag data to the back-end database for further processing.

B. Security Requirements

RFID technology may bring spontaneous risks because of the proliferation of RFID tags. Our protocol is therefore designed with the following security requirements taken into consideration:

Resist replay attack: An attacker may intercept the messages between a reader and a tag and use these messages to pose as a legitimate tag. Thus, the protocol must ensure that the attacker cannot pass a reader's or a tag's authentication using previously intercepted messages.

Forward/Backward secrecy: If an adversary compromises a tag, it might be possible to trace previous/future transactions using knowledge of the tag's internal state. Therefore, the protocol must ensure that even if an adversary compromises a tag, the adversary cannot trace previous/future transactions using knowledge of the tag's internal state.

Resist tracking attack: An attacker may intercept the messages from a target tag and, from those messages, determine in the next session whether messages were sent from the target tag. If the intercepted messages are the same, they were sent from the target tag, and the attacker can trace the location of the target tag through them. Therefore, the protocol must prevent the attacker from tracing a tag's location through the messages sent from the tag.

Resist fake reader: An attacker can pose as a legitimate reader to get the tag information. Thus, the protocol must prevent the attacker from posing as a legitimate reader to get the tag information.

Resist Denial-of-Service (DoS) attack: An attacker may prevent a legitimate tag from updating its secrets so that the server and the tag are de-synchronized. The legitimate tag then no longer passes the server's authentication. Therefore, the protocol must ensure that even when a legitimate tag's secret update is de-synchronized with a legitimate server, the legitimate tag can still pass the server's authentication.

Ownership Transferability: Ownership transferability is the requirement that violations of the present and new owners' privacy do not arise even if the present owner gives the necessary data to the new owner.

C. Performance Requirements

Conventional security primitives cannot be integrated in the tag because of the tag's limited computation and memory resources. Our protocol should thus address the following performance issues.

Storage capacity: The volume of data stored in a tag should be minimized.

Computation: The complexity of tag computations should be minimized.

Communication: The number and size of messages exchanged between a tag and a reader should be minimized.

III. RELATED WORKS

Previous protocols have been proposed that each achieve only some of the above-mentioned requirements [4-8]. No RFID system that achieves all the requirements described in Section II has been constructed. Moreover, most of them assume that the channel between the RFID reader and the database server is secure, and few of them provide authentication to prevent a fake reader. The related works are now briefly reviewed.

Osaka discussed the RFID system requirements and proposed an RFID protocol that provides all the necessary security properties based on a hash function and a symmetric key cryptosystem [7]. The protocol assumes that the new owner initially receives the key k. In the authentication process, the protocol authenticates the data transmitted from the reader and gives Info(ID) to the reader. In the ownership transfer process, it transfers ownership without invasion of the present and new owners' privacy by changing the symmetric key. However, there are some disadvantages in the protocol. First of all, it does not satisfy un-traceability. Moreover, the protocol is also vulnerable to a DoS attack in which an adversary adds a small noise ($N_A$) to the last message from the reader to the tag. Then, the tag updates the secret as $f_{k'}(ID) \oplus N_A$, while the database and reader have $f_{k'}(ID)$ as their new secret, which leads to de-synchronization. However, this is easily preventable from the perspective of the database by storing the previous secret.

Lei and Cao proposed an RFID protocol enabling ownership transfer that protects against traceability and DoS attacks [8]. The tag generates a random number to prevent tracing by the attacker during the authentication process. To defend against the DoS attack, the database updates the key k only after the tag has successfully updated its key k. The protocol has several vulnerabilities. First of all, there is a DoS problem in the protocol if the attacker prevents the tag from sending the correct message b to the database. In essence, it is just an ownership sharing protocol, not an ownership transfer protocol, since previous owners can still access the tag. After the new owner gets the new key k', it sends (e, m) to the tag over an insecure channel. A previous owner can passively observe this and obtain $f_{k'}(ID) = e \oplus H(f_k(ID))$. Since the tag uses $f_{k'}(ID)$ until the next ownership transfer process, previous owners can continue to access the tag.

Jappinen and Hamalainen proposed a simple and efficient security protocol for ownership transfer [9]. The protocol just concatenates $N_{DB}$, $H(f_{k'}(ID) \oplus N_{DB})$ to the last message of the Osaka protocol. It fixed the security flaws while keeping the simplicity and efficiency of the original method. However, an adversary can intercept the message between the reader and the tag, set $N_{DB} = 0$ and modify $f_k(ID) \oplus f_{k'}(ID)$ to $(f_k(ID) \oplus f_{k'}(ID) \oplus N_{DB})$. The tag now computes its new $f_k(ID) = f_{k'}(ID) \oplus N_{DB}$, which is different from $f_{k'}(ID)$ in the reader and database. Therefore, it leads to de-synchronization.

Song proposed an RFID tag ownership transfer protocol [10]. The protocol has two stages. The first stage transfers ownership from one owner R1 to another R2, and the second stage updates the secret key. The protocol claims that it not only provides all the necessary security properties but is also efficient in its storage and communication requirements. However, the protocol has several vulnerabilities. Communication between the two owners is secure in one direction (i.e., R1 to R2) but insecure in the other (i.e., R2 to R1). An adversary can hijack the communication from R2 to R1 and replay it to continue with the remainder of the protocol and obtain ownership of the tag. Another vulnerability is de-synchronization between the tag and the new owner: R2 has the new key (t, s) while the tag has the previous key whenever an adversary blocks the message m3 between R2 and the tag in the protocol. Moreover, this is strictly not an ownership transfer protocol since previous owners can still access the tag. Although the paper claims "protocol P2 should be performed at a distance from any readers connected to R2 in order to prevent R2 eavesdropping on the messages," this may not be valid. If this assumption were valid, there would be no need to encrypt messages.

IV. AUTHENTICATION PROTOCOL ENABLING RFID TAGS OWNERSHIP TRANSFER

Based on a challenge-response mechanism, our protocol achieves mutual authentication between the tag and the back-end database, and also aims to provide reader authentication. The goal of our protocol is to satisfy the privacy and security requirements of ownership transfer. The ownership transfer process is shown in Fig. 1.

A. Notations

TABLE I. NOTATIONS USED THROUGHOUT THE PAPER

| Notation | Meaning |
|---|---|
| T, Rnew, DB | Tag, new reader, back-end database |
| TID, RID | The identifier of the tag, of the new reader |
| Info(TID) | Information related to TID (e.g., time and location, manufacturer name, etc.) |
| h(.), hk(v) | One-way hash function, keyed hash function |
| K, kold, knew | Shared key, old key, new key |
| ri | Random number |
| $\oplus$, $\|$ | XOR, concatenation operator |

B. Assumptions

We assume that the tag is a low-cost passive tag and that a lightweight hash function exists. Studies conducted by Weis [11] and Pramstaller [12] support this assumption. The reader communicates with the tag and the database via an insecure channel, so the attacker can intercept and tamper with all the messages of the protocol.

Figure 1. Authentication process with ownership transfer (message-flow diagram between the tag T, the new reader Rnew and the database DB; diagram not reproduced).

C. Authentication Process

1) The reader broadcasts a query and a random number $r_1$ as a challenge to the tag.

   1. Reader → Tag: query, $r_1$.

2) The tag generates a new random number $r_2$ and computes $s_1 = h(TID \oplus r_1 \,\|\, k \oplus r_2)$, then transmits $s_1$, $r_2$ to the reader.

   2. Tag → Reader: $s_1$, $r_2$.

3) The reader computes $h(RID \oplus r_1)$, then forwards $h(RID \oplus r_1)$, $r_1$, $r_2$ and $s_1$ to the database.

   3. Reader → Database: $h(RID \oplus r_1)$, $s_1$, $r_1$, $r_2$.

4) The database authenticates the tag and the reader.

   4.1. Finds $RID_{new}$ such that the computed $h(RID \oplus r_1)$ equals the received $h(RID \oplus r_1)$.

   4.2. Finds $TID$ and $k$ such that $h(TID \oplus r_1 \,\|\, k \oplus r_2) = s_1$.

5) The database updates the tag key and generates a new random number $r_3$. Then, it computes and forwards $s_2 = S \oplus RID$, $s_3 = s_2 \oplus h(RID)$ (where $S = TID \,\|\, r_3 \,\|\, k \,\|\, Info(TID)$) to the reader.

   5.1. Updates the key: $k \to k_{old}$, $h(k) \to k$.

   5.2. Database → Reader: $s_2$, $s_3$.

6) The reader obtains the necessary information, generates a new random number $r_4$, and renews the tag key. After that, it computes and forwards $s_4 = (r_3 \,\|\, r_4 \oplus h_{r_1}(TID))$, $s_5 = h(r_3 \,\|\, r_4)$ to the tag.

   6.1. Computes $h(RID)$ and checks $h(RID) \oplus s_2 \stackrel{?}{=} s_3$.

   6.2. Obtains $S = s_2 \oplus RID$.

   6.3. Renews the key: $k \to k_{old}$, $h(h(k \oplus r_3 \oplus r_4)) \to k$.

   6.4. Reader → Tag: $s_4$, $s_5$.

7) The tag authenticates the reader and updates its key $k$.

   7.1. Obtains $r_3 \,\|\, r_4 = s_4 \oplus h_{r_1}(TID)$.

   7.2. Checks $h(r_3 \,\|\, r_4) \stackrel{?}{=} s_5$.

   7.3. Updates the key: $h(h(k \oplus r_3 \oplus r_4)) \to k$.

After that, the authentication process is completed.

V. PERFORMANCE ANALYSIS

A. Security Analysis

In this section, we give a brief analysis of the security of our protocol.

Backward/Forward Security: The adversary cannot trace previous/future transactions using knowledge of the tag's internal state since it has no previous symmetric keys:

$$h(TID \oplus r_1 \,\|\, k \oplus r_2) \ne h(TID \oplus r_1 \,\|\, k' \oplus r_2'),$$

where $k$ is the present key and $k'$ is a previous key.

Therefore, the proposed protocol achieves backward security. By the same token, it achieves forward security.

Replay Attack: The $r_1'$, $r_2'$ sent by the legitimate reader and tag are different from the eavesdropped $r_1$, $r_2$. Hence $h(TID \oplus r_1 \,\|\, k \oplus r_2)$ and $h(TID \oplus r_1' \,\|\, k \oplus r_2')$ are also different due to the collision-resistance property of hash functions. The adversary therefore cannot pose as a legitimate tag:

$$h(TID \oplus r_1' \,\|\, k \oplus r_2') \ne h(TID \oplus r_1 \,\|\, k \oplus r_2) \quad \text{for } r_1' \ne r_1,\ r_2' \ne r_2.$$

Therefore, the proposed protocol is secure against the replay attack.

Traceability: The attacker can use the same message sent from the tag to trace the location of the tag. The reasons why the attacker is unable to trace the tag's location are as follows:

The attacker intercepts the 1st and nth communication messages $s_1$, $s_1'$, but cannot determine whether messages $s_1$ and $s_1'$ were sent from the same tag. The reason for this is as follows:

$$s_1 = h(TID \oplus r_1 \,\|\, k \oplus r_2), \qquad s_1' = h(TID \oplus r_1' \,\|\, k' \oplus r_2'), \qquad s_1 \ne s_1'$$

Since the random numbers $r_1$, $r_2$ and the key $k$ are different for each transaction, our protocol can resist tracking attacks.

Fake reader attack: The reasons why the attacker is unable to pose as a legitimate reader to get the tag information are as follows:

The database receives $h(RID \oplus r_1)$ and verifies it as follows:

$$\text{received } h(RID \oplus r_1) \stackrel{?}{=} h(RID \oplus r_1) \text{ computed}$$

If the equality holds, the reader is legitimate. Otherwise, the database terminates the authentication process.

DoS: In order to resist DoS attacks, the tag always checks the integrity of the received values $s_4$ and $s_5$. If the verification fails, the tag does not update its key $k$. Moreover, we require the database and reader to save the old values in order to recover synchronization with the tag. If an adversary prevents the messages $s_4$, $s_5$ from reaching the tag T, T will not update its key $k$ while the database and reader have. In the following authentication process, the database and reader will employ the old key $k$ to recover synchronization with the tag.

Ownership Transferability: During the ownership transfer process, the new owner obtains the tag's key $k$, $TID$ and $Info(TID)$ from the old owner. However, before being transmitted to the new owner, that key $k$ was updated via a hash function $h$ in each authentication procedure. As the one-way hash function $h$ is computationally non-invertible, the new owner cannot decipher or recreate any past messages sent with a previously used key.

The protocol also protects the new owner's privacy. The old owner cannot trace the future interactions between the new owner and the tag T because they have established the new key $k$: $h(h(k) \oplus r_3 \oplus r_4)$. As a result, the old owner cannot find a key $k'$ consistent with $s_1 = h(TID \oplus r_1 \,\|\, k \oplus r_2)$, so he is no longer able to read the tag.
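The tag-side exchange of Section IV-C and the de-synchronization recovery described in the DoS paragraph, as an added simulation that is not code from the paper. Assumptions: SHA-256 truncated to 16 bytes stands in for h, HMAC-SHA256 for the keyed hash, all fields are 16 bytes, "TID ⊕ r1 || k ⊕ r2" is read as (TID ⊕ r1) || (k ⊕ r2), the reader and database are merged into one hypothetical `Backend` (the RID leg with s2, s3 is omitted), and both sides apply the key update written in steps 6.3 and 7.3.

```python
import hashlib
import hmac
import secrets

N = 16  # assumed length in bytes of TID, k and every random number r_i

def h(data):
    """One-way hash h(.): SHA-256 truncated to N bytes (stand-in, assumed)."""
    return hashlib.sha256(data).digest()[:N]

def hk(key, v):
    """Keyed hash h_k(v): HMAC-SHA256, 2N bytes so it can mask r3 || r4."""
    return hmac.new(key, v, hashlib.sha256).digest()

def xor(a, b):
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def next_key(k, r3, r4):
    """Key update as written in steps 6.3 / 7.3: h(h(k XOR r3 XOR r4))."""
    return h(h(xor(xor(k, r3), r4)))

class Tag:
    def __init__(self, tid, k):
        self.tid, self.k, self.r1 = tid, k, None

    def respond(self, r1):
        """Step 2: answer the challenge r1 with s1 and a fresh r2."""
        self.r1 = r1
        r2 = secrets.token_bytes(N)
        # s1 = h((TID XOR r1) || (k XOR r2)), precedence assumed
        return h(xor(self.tid, r1) + xor(self.k, r2)), r2

    def finish(self, s4, s5):
        """Step 7: unmask r3 || r4, check s5, update k only if it verifies."""
        r34 = xor(s4, hk(self.r1, self.tid))
        if not hmac.compare_digest(h(r34), s5):
            return False  # integrity check failed: keep the current key
        self.k = next_key(self.k, r34[:N], r34[N:])
        return True

class Backend:
    """Reader and database merged into one party (simplification)."""
    def __init__(self):
        self.rows = {}  # TID -> {"k": current key, "k_old": previous key}

    def enroll(self, tid, k):
        self.rows[tid] = {"k": k, "k_old": None}

    def authenticate(self, r1, s1, r2):
        """Steps 4.2, 5.1, 6: find (TID, k) matching s1, trying k then k_old."""
        for tid, row in self.rows.items():
            for name in ("k", "k_old"):
                k = row[name]
                if k is None:
                    continue
                if not hmac.compare_digest(h(xor(tid, r1) + xor(k, r2)), s1):
                    continue
                r3, r4 = secrets.token_bytes(N), secrets.token_bytes(N)
                # The key the tag just proved becomes k_old; derive the new k.
                row["k_old"], row["k"] = k, next_key(k, r3, r4)
                s4 = xor(r3 + r4, hk(r1, tid))
                return name, s4, h(r3 + r4)
        return None  # unknown tag: authentication fails

def run_session(tag, backend, channel=lambda s4, s5: (s4, s5)):
    """One run; `channel` models the insecure link carrying s4, s5 to the tag."""
    r1 = secrets.token_bytes(N)
    s1, r2 = tag.respond(r1)
    result = backend.authenticate(r1, s1, r2)
    if result is None:
        return None, False, s1
    matched, s4, s5 = result
    delivered = channel(s4, s5)  # None means the messages were blocked
    updated = delivered is not None and tag.finish(*delivered)
    return matched, updated, s1

def demo():
    tid, k0 = secrets.token_bytes(N), secrets.token_bytes(N)  # constructed values
    tag, be = Tag(tid, k0), Backend()
    be.enroll(tid, k0)
    out = {}
    out["normal"] = run_session(tag, be)[:2]
    out["synced_after_normal"] = tag.k == be.rows[tid]["k"]
    out["dropped"] = run_session(tag, be, lambda s4, s5: None)[:2]
    out["tag_on_old_key"] = tag.k == be.rows[tid]["k_old"]
    out["recovery"] = run_session(tag, be)[:2]
    out["synced_after_recovery"] = tag.k == be.rows[tid]["k"]
    flip = lambda s4, s5: (bytes([s4[0] ^ 1]) + s4[1:], s5)
    out["tampered"] = run_session(tag, be, flip)[:2]
    out["distinct_s1"] = run_session(tag, be)[2] != run_session(tag, be)[2]
    return out

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The "recovery" session is the one where the back end matches the tag on the stored old key after s4, s5 were blocked, which is the behaviour the DoS paragraph relies on.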

Table II below shows the comparison in terms of the security properties discussed in this section.

TABLE II. PRIVACY AND SECURITY COMPARISON

| Protocol | Forward Security | Backward Security | Replay Attack | DoS | Traceability |
|---|---|---|---|---|---|
| Osaka etc. [7] | × | × | ✓ | × | × |
| Lei and Cao [8] | ✓ | × | ✓ | × | ✓ |
| Jappinen etc. [9] | ✓ | ✓ | ✓ | × | × |
| Song [10] | ✓ | × | × | × | ✓ |
| New protocol | ✓ | ✓ | ✓ | ✓ | ✓ |

✓: Provided; ×: Not provided.

B. Efficiency Considerations

Storage: The protocol is efficient in terms of non-volatile memory. A tag merely needs non-volatile memory to store the key k and TID.

Communication: The protocol accomplishes mutual authentication between the tag and database requiring five rounds. Five rounds are acceptable for mutual authentication in RFID environment. Therefore, the protocol is feasible in terms of communication overheads.

TABLE III. PERFORMANCE COMPARISON

| Protocol | A1 | A2 | A3 |
|---|---|---|---|
| Osaka etc. [7] | Ek(ID) | 1TH + 2TXor | 5 |
| Lei and Cao [8] | Ek(ID) | 4TH + 3TXor + 4TCon | 7 |
| Jappinen etc. [9] | Ek(ID) | 2TH + 4TXor | 6 |
| Song [10] | t | 6TH + 9TXor + 4TSop | 7 |
| New protocol | TID, k | 4TH + 5TXor + 1TCon + 1Tran | 5 |

A1: tag storage cost. A2: tag computation cost. A3: communication cost. TH: the cost of a hash function. TXor: the cost of an XOR operation. TCon: the cost of a concatenation operation. TSop: the cost of a bit shift operation. Tran: the cost of random number generation.

Computation: In the protocol, a tag only performs two hash function computations and some bit-wise XOR and concatenation operations. So the protocol has modest computational requirements for RFID tags.

Table III shows a performance comparison between the existing protocols and the new protocol.

C. Formal Proof of Correctness

As a formal analysis method, BAN logic [13] can not only discover existing attacks on cryptographic protocols but also find flaws comprehensively and profoundly. Therefore, the formal proof of correctness of the proposed protocol based on BAN logic is given in this subsection.

There are four phases in BAN logic, including Establishment of Idealized Model, Initiative Assumptions, Establishment of Security Goals and Protocol Analysis. BAN logic consists of 19 logical rules. The seven rules used in the paper are as follows:

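Message-meaning rule:

$$\frac{P \mid\equiv Q \stackrel{K}{\leftrightarrow} P,\quad P \triangleleft \{X\}_K}{P \mid\equiv Q \mid\sim X} \qquad (P_1)$$

Nonce-verification rule:

$$\frac{P \mid\equiv Q \mid\sim X,\quad P \mid\equiv \#(X)}{P \mid\equiv Q \mid\equiv X} \qquad (P_2)$$

Jurisdiction rule:

$$\frac{P \mid\equiv Q \Rightarrow X,\quad P \mid\equiv Q \mid\equiv X}{P \mid\equiv X} \qquad (P_3)$$

Belief rule:

$$\frac{P \mid\equiv (X, Y)}{P \mid\equiv X} \qquad (P_4)$$

$$\frac{P \mid\equiv Q \mid\equiv (X, Y)}{P \mid\equiv Q \mid\equiv X} \qquad (P_5)$$

Freshness rule:

$$\frac{P \mid\equiv \#(X)}{P \mid\equiv \#(X, Y)} \qquad (P_6)$$

Seeing rule:

$$\frac{P \triangleleft (X, Y)}{P \triangleleft X} \qquad (P_7)$$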

Idealize the protocol: The purpose of this step is to transform the proposed protocol into an ideal one for the following proof. Ignoring the plaintext transmitted, the protocol can be idealized as follows:

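Message 1: Reader → DB: $\{r_1, r_2, TID, K, \mathrm{DB} \stackrel{TID}{\leftrightarrow} \mathrm{Tag}, \mathrm{DB} \stackrel{K}{\leftrightarrow} \mathrm{Tag}\}_K$, $\{r_1, RID, \mathrm{DB} \stackrel{RID}{\leftrightarrow} \mathrm{Reader}\}_{RID}$

Message 2: DB → Reader: $\{r_3, TID, K, RID, \mathrm{DB} \stackrel{TID}{\leftrightarrow} \mathrm{Tag}, \mathrm{DB} \stackrel{K}{\leftrightarrow} \mathrm{Tag}, \mathrm{DB} \stackrel{RID}{\leftrightarrow} \mathrm{Reader}\}_{RID}$

Message 3: Reader → Tag: $\{r_1, r_2, r_3, r_4, TID, \mathrm{DB} \stackrel{TID}{\leftrightarrow} \mathrm{Tag}\}_{TID}$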

Initiative Assumptions: This step is to abstract the initial assumptions from the proposed protocol, which is the premise of the success of each protocol. Assumptions about the initial state are written below.

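$A_1$: $\mathrm{Tag} \mid\equiv \mathrm{Tag} \stackrel{TID}{\leftrightarrow} \mathrm{DB}$

$A_2$: $\mathrm{Tag} \mid\equiv \mathrm{Tag} \stackrel{K}{\leftrightarrow} \mathrm{DB}$

$A_3$: $\mathrm{DB} \mid\equiv \mathrm{DB} \stackrel{TID}{\leftrightarrow} \mathrm{Tag}$

$A_4$: $\mathrm{DB} \mid\equiv \mathrm{DB} \stackrel{K}{\leftrightarrow} \mathrm{Tag}$

$A_5$: $\mathrm{Reader} \mid\equiv \mathrm{Reader} \stackrel{RID}{\leftrightarrow} \mathrm{DB}$

$A_6$: $\mathrm{DB} \mid\equiv \mathrm{DB} \stackrel{RID}{\leftrightarrow} \mathrm{Reader}$

$A_7$: $\mathrm{Tag} \mid\equiv \#(r_i)$

$A_8$: $\mathrm{Reader} \mid\equiv \#(r_i)$

$A_9$: $\mathrm{DB} \mid\equiv \#(r_i)$

$A_{10}$: $\mathrm{DB} \mid\equiv \mathrm{Tag} \Rightarrow TID$

$A_{11}$: $\mathrm{DB} \mid\equiv \mathrm{Tag} \Rightarrow K$

$A_{12}$: $\mathrm{Tag} \mid\equiv \mathrm{DB} \Rightarrow TID$

Establishment of security goals: The goals of the protocol are as follows:

$G_1$: $\mathrm{DB} \mid\equiv \mathrm{Tag} \mid\equiv \mathrm{Tag} \stackrel{TID}{\leftrightarrow} \mathrm{DB}$

$G_2$: $\mathrm{DB} \mid\equiv \mathrm{Tag} \mid\equiv \mathrm{Tag} \stackrel{K}{\leftrightarrow} \mathrm{DB}$

$G_3$: $\mathrm{Tag} \mid\equiv \mathrm{DB} \mid\equiv \mathrm{DB} \stackrel{TID}{\leftrightarrow} \mathrm{Tag}$

$G_4$: $\mathrm{DB} \mid\equiv \mathrm{Reader} \mid\equiv \mathrm{Reader} \stackrel{RID}{\leftrightarrow} \mathrm{DB}$

$G_5$: $\mathrm{Reader} \mid\equiv \mathrm{DB} \mid\equiv \mathrm{DB} \stackrel{RID}{\leftrightarrow} \mathrm{Reader}$

$G_6$: $\mathrm{DB} \mid\equiv K_t$

$G_7$: $\mathrm{DB} \mid\equiv TID_t$

$G_8$: $\mathrm{Tag} \mid\equiv TID_{DB}$

The actual meaning is that the parties ensure each other's legality through mutual authentication and provide authentication to the reader.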

Protocol Analysis: The logic rules and the assumptions will be used by the messages in the first phase to discover the final beliefs held by the parties in the protocol. If the final beliefs contain the goals of the protocol, the protocol is integrated; else, the protocol has flaws. The proof is as follows:

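1.1) $\mathrm{DB} \triangleleft \{r_1, r_2, TID, K, \mathrm{DB} \stackrel{TID}{\leftrightarrow} \mathrm{Tag}, \mathrm{DB} \stackrel{K}{\leftrightarrow} \mathrm{Tag}\}_K$, $\{r_1, RID, \mathrm{DB} \stackrel{RID}{\leftrightarrow} \mathrm{Reader}\}_{RID}$ /* For Message 1 */

1.2) $\mathrm{DB} \triangleleft \{r_1, r_2, TID, K, \mathrm{DB} \stackrel{TID}{\leftrightarrow} \mathrm{Tag}, \mathrm{DB} \stackrel{K}{\leftrightarrow} \mathrm{Tag}\}_K$ /* For 1.1), by $(P_7)$ */

1.3) $\mathrm{DB} \mid\equiv \mathrm{Tag} \mid\sim \{r_1, r_2, TID, K, \mathrm{DB} \stackrel{TID}{\leftrightarrow} \mathrm{Tag}, \mathrm{DB} \stackrel{K}{\leftrightarrow} \mathrm{Tag}\}$ /* For 1.2), by $A_4$, $(P_1)$ */

1.4) $\mathrm{DB} \mid\equiv \#\{r_1, r_2, TID, K, \mathrm{DB} \stackrel{TID}{\leftrightarrow} \mathrm{Tag}, \mathrm{DB} \stackrel{K}{\leftrightarrow} \mathrm{Tag}\}$ /* by $A_9$, $(P_6)$ */

1.5) $\mathrm{DB} \mid\equiv \mathrm{Tag} \mid\equiv \{r_1, r_2, TID, K, \mathrm{DB} \stackrel{TID}{\leftrightarrow} \mathrm{Tag}, \mathrm{DB} \stackrel{K}{\leftrightarrow} \mathrm{Tag}\}$ /* For 1.3), 1.4), by $(P_2)$ */

1.6) $G_1$: $\mathrm{DB} \mid\equiv \mathrm{Tag} \mid\equiv \mathrm{DB} \stackrel{TID}{\leftrightarrow} \mathrm{Tag}$, $G_2$: $\mathrm{DB} \mid\equiv \mathrm{Tag} \mid\equiv \mathrm{DB} \stackrel{K}{\leftrightarrow} \mathrm{Tag}$ /* For 1.5), by $(P_5)$ */

1.7) $\mathrm{DB} \mid\equiv \mathrm{Tag} \mid\equiv TID$, $\mathrm{DB} \mid\equiv \mathrm{Tag} \mid\equiv K$ /* For 1.5), $(P_5)$ */

1.8) $G_6$: $\mathrm{DB} \mid\equiv K_t$, $G_7$: $\mathrm{DB} \mid\equiv TID_t$ /* For 1.7), by $(P_3)$ */

By the same token, we can obtain $G_4$: $\mathrm{DB} \mid\equiv \mathrm{Reader} \mid\equiv \mathrm{Reader} \stackrel{RID}{\leftrightarrow} \mathrm{DB}$ from Message 1.

2.1) $\mathrm{Reader} \triangleleft \{r_3, TID, K, RID, \mathrm{DB} \stackrel{TID}{\leftrightarrow} \mathrm{Tag}, \mathrm{DB} \stackrel{K}{\leftrightarrow} \mathrm{Tag}, \mathrm{DB} \stackrel{RID}{\leftrightarrow} \mathrm{Reader}\}_{RID}$ /* For Message 2 */

2.2) $\mathrm{Reader} \mid\equiv \mathrm{DB} \mid\sim \{r_3, TID, K, RID, \mathrm{DB} \stackrel{TID}{\leftrightarrow} \mathrm{Tag}, \mathrm{DB} \stackrel{K}{\leftrightarrow} \mathrm{Tag}, \mathrm{DB} \stackrel{RID}{\leftrightarrow} \mathrm{Reader}\}$ /* For 2.1), by $A_5$, $(P_1)$ */

2.3) $\mathrm{Reader} \mid\equiv \#\{r_3, TID, K, RID, \mathrm{DB} \stackrel{TID}{\leftrightarrow} \mathrm{Tag}, \mathrm{DB} \stackrel{K}{\leftrightarrow} \mathrm{Tag}, \mathrm{DB} \stackrel{RID}{\leftrightarrow} \mathrm{Reader}\}$ /* by $A_8$, $(P_6)$ */

2.4) $\mathrm{Reader} \mid\equiv \mathrm{DB} \mid\equiv \{r_3, TID, K, RID, \mathrm{DB} \stackrel{TID}{\leftrightarrow} \mathrm{Tag}, \mathrm{DB} \stackrel{K}{\leftrightarrow} \mathrm{Tag}, \mathrm{DB} \stackrel{RID}{\leftrightarrow} \mathrm{Reader}\}$ /* For 2.2), 2.3), by $(P_2)$ */

2.5) $G_5$: $\mathrm{Reader} \mid\equiv \mathrm{DB} \mid\equiv \mathrm{DB} \stackrel{RID}{\leftrightarrow} \mathrm{Reader}$ /* For 2.4), by $(P_4)$ */

By the same token, we can obtain $G_3$: $\mathrm{Tag} \mid\equiv \mathrm{DB} \mid\equiv \mathrm{DB} \stackrel{TID}{\leftrightarrow} \mathrm{Tag}$ and $G_8$: $\mathrm{Tag} \mid\equiv TID_{DB}$ from Message 3.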

As shown above, the final beliefs contain all of the proof goals. Thus, the protocol effectively achieves the correctness of mutual authentication between DB and Tag. It also achieves the correctness of reader authentication.

VI. CONCLUSIONS

The important requirements of secure tag ownership transfer are forward and backward un-traceability; that is, the protocol should protect the privacy of both the new owner and the old owner. In this paper, we have presented a novel authentication protocol that provides both reader authentication and mutual authentication and enables perfect RFID tag ownership transfer. Moreover, we give a proof of the protocol's correctness based on BAN logic. The merit of our protocol is that it not only protects the owner's privacy well but also achieves high security and high efficiency.

REFERENCES

[1] G. Avoine, E. Dysli, and P. Oechslin: Reducing Time Complexity in RFID Systems. In SAC 2005 of LNCS, Vol. 3897, Springer-Verlag, pp: 291-306, 2005.

[2] S. Kinoshita, F. Hoshino, T. Komuro, A. Fujimura, and M. Ohkubo: Low-cost RFID Privacy Protection Scheme. IPSJ, Vol. 45, No. 8, pp: 2021-2004, 2007.

[3] M. Ohkubo, K. Suzuki, and S. Kinoshita: Cryptographic Approach to "privacy-friendly" tags. In RFID Privacy Workshop, 2003.

[4] J. Saito and K. Sakurai: Owner Transferable Privacy Protection Scheme for RFID Tags. In CSS 2005, Vol. 2005 of IPSJ Symposium Series, pp: 283-288, 2005.

[5] Boyeon Song, Chris J. Mitchell: Scalable RFID security protocols supporting tag ownership transfer. ELSEVIER, Computer Communications, Volume 34, Issue 4, pp. 556-566, 2011.

[6] Albert Fernandez-Mir, Rolando Trujillo-Rasua, Jordi Castella-Roca and Josep Domingo-Ferrer: A Scalable RFID Authentication Protocol Supporting Ownership Transfer and Controlled Delegation. RFID. Security and Privacy, LNCS, Volume 7055, pp. 147-162, 2012.

[7] Osaka, K, Takagi, T, Yamazaki, K., Takahashi, O: An Efficient and Secure RFID Security Method with Ownership Transfer. Proceedings of the International Conference on Computational Intelligence and Security (CIS), LNAI 4456, pp. 778-787, 2007.

[8] H. Lei and T. Cao: RFID protocol enabling ownership transfer to protect against traceability and DoS attacks. In Proc. 1st Int. Symp. Data, Privacy E-Commerce, pp: 508-510, Nov 2007.

[9] Pekka Jappinen, Harri Hamalainen: Enhanced RFID security method with ownership transfer. International Conference on Computational Intelligence and Security, Volume 2, 13-17, pp: 382-385, Dec 2008.

[10] Song, B: RFID Tag Ownership Transfer. Proceedings of RFID-Sec08, 2008.

[11] Stephen Weis: Security and privacy in radio-frequency identification devices. Master's thesis, Massachusetts Institute of Technology (MIT), Massachusetts, USA, May 2003.

[12] N. Pramstaller, C. Rechberger and V. Rijmen: A compact FPGA implementation of the hash function whirlpool. In ACM/SIGDA 14th international symposium on Field Programmable Gate Arrays (FPGA'06), ACM Press, New York, pp: 159-166, 2006.

[13] M Burrows, M Abadi, R Needham: A Logic of Authentication. ACM Transactions on Computer Systems (TOCS), pp: 18-36, 1990.