Next Article in Journal
A 34.7 µW Speech Keyword Spotting IC Based on Subband Energy Feature Extraction
Previous Article in Journal
Control of Permanent Magnet Synchronous Motors for Track Applications
 
 
Search for Articles:
Title / Keyword
Author / Affiliation / Email
Journal
Article Type
 
 
Advanced Search
 
Section
Special Issue
Volume
Issue
Number
Page
 
Journals
Electronics
Volume 12
Issue 15
10.3390/electronics12153286
Review Report
electronics-logo
Submit to this Journal Review for this Journal Propose a Special Issue
Article Menu

Article Menu

share Share announcement Help format_quote Cite question_answer Discuss in SciProfiles
Article
Peer-Review Record

Formal Security Analysis of ECC-Based RFID in Logic of Events Theory

Electronics 2023, 12(15), 3286; https://doi.org/10.3390/electronics12153286
by Meihua Xiao, Quangang Chen *, Zehuan Li, Yuqiong Chen and Ruihan Xu
Reviewer 1:
Haris M. Khalid
Reviewer 2:
Luis Parrilla
Reviewer 3: Anonymous
Electronics 2023, 12(15), 3286; https://doi.org/10.3390/electronics12153286
Submission received: 28 June 2023 / Revised: 28 July 2023 / Accepted: 28 July 2023 / Published: 31 July 2023

Round 1

Reviewer 1 Report

- This works talks about the formal analysis of ECC-based RFID authentication protocol in logic of events theory.

- This work discusses the rapid development of the Internet of Things (IoT), which has greatly affected human life, and the security analysis of authentication protocols in IoT is increasingly important. Radio Frequency Identification (RFID) is a crucial component of IoT, and RFID using Elliptic Curve Cryptography (ECC) is a public key cryptosystem authentication approach that tackles the problem of electronic tag data encryption in RFID systems. The formal method is one of the most powerful ways for verifying protocol security, and the Logic of Events Theory (LoET) is a theorem-proving formal logic for analyzing distributed system security. This paper proposes three event classes, Compute, Retrieve, and Generate, and related axioms and inference rules to formally abstract the ECC session key generation function, formally statute the authentication process of both parties, and the extended LoET is used to analyze the security properties of ECC-based RFID security protocols. Under reasonable assumptions, an ECC-based RFID two-way authentication scheme is shown to satisfy the two-way strong authentication feature. It is shown that the extended logic of event theory may be used to prove the security properties of this class of ECC-based RFID protocols.

- The work has potential. However, it requires an overhaul.

- The title should be more expressive. The flavor of "security" should be there in the title. Please elaborate the title more.

- The keywords are not sufficient. There are many possible keywords which could address the scope of this work.

- There are my errors, spelling mistakes, and citation mistakes in the text. For example, Line # 56, page 2. Please revisit the manuscript and ensure appropriate restoration of such errors. 

- What is the contribution of the paper? It must be clearly mentioned in the introduction. So far, this element is not obvious in the introduction.

- What motivated you to write this paper? It must be clearly mentioned in the introduction. So far, this element is not obvious in the introduction.

- What is the scope and possible potential of the paper? It must be clearly mentioned in the introduction. So far, this element is not obvious in the introduction.

- The sections 2 and 3 require a direction. The reader can easily be lost while losing the flow of work. Either some of the sections should be merged. Or there should be a framework diagram which could possibly address and connect all the sections together to improve the readability of work.

- There should be a pseudo code or flow chart to convolute the proposed scheme before Section 4. Pseudo codes are usually considered for mathematical formulation driven work. In this work, a possible pseudo code-driven algorithm could be designed for practitioners to understand things smoothly. The variables of input and output are required to be defined in the pseudo code. And then that defined language is required to be used in the rest of the lines of the algorithm. Please follow the above steps accordingly.

- In section 4, what main-stream techniques are utilized for comparison? Is adequate comparison been made ? The superiority of your proposed scheme shall be mentioned in the conclusion based on the outcome of comparison with other main-stream techniques.

- For a Journal paper talking about secure communication, IoT, its authentication and security, the elements of digitalization must be flavored which is the main set towards IoT authentication in systems. Similarly, the discussion on cyber-attacks from the perspective of security in general will also maintain the balance of the work. Some suggested references in IoT security, cyber attacks, and communication barriers are as follows: 1) Learning‐Based Methods for Cyber Attacks Detection in IoT Systems: A Survey on Methods, Analysis, and Future Prospects. 2) Communication systems in distributed generation: A bibliographical review and frameworks.  3) WAMS Operations in Power Grids: A Track Fusion-Based Mixture Density Estimation-Driven Grid Resilient Approach Toward Cyberattacks. 

 

- References literally require an overall. Most of the references are conference papers and technical reports. Are they relevant to the work ? Moreover, the format is not consistent. In some references, there is no page number mentioned. In others, the page number is at the end and year in the middle and vice versa. Also, in some, the first letter of the title of the paper is only capital. In others, all first letters of the titles of the paper are capital. Please visit the styling again and maintain consistency.

A proof reading towards English is required. 

Author Response

Dear Editor and Reviewers,
    We would like to thank the reviewers for carefully reading our manuscript. We appreciate the comments and suggestions. In the following, we include a point-by-point response to the comments. In the revised manuscript, all the changes have been highlighted in red.

Comment: The title should be more expressive. The flavor of "security" should be there in the title. Please elaborate the title more.
Response: Thanks for your advice. We have revised it as your suggestion. Title revised to Formal Security Analysis of ECC-based RFID in Logic of Events Theory.

Comment: The keywords are not sufficient. There are many possible keywords which could address the scope of this work.
Response: Thanks for your advice. More keywords have been added.

Comment: There are my errors, spelling mistakes, and citation mistakes in the text. For example, Line # 56, page 2. Please revisit the manuscript and ensure appropriate restoration of such errors. 
Response: Thanks for your suggestion, we have corrected the errors in the manuscript.
 
Comment: What is the contribution of the paper? It must be clearly mentioned in the introduction. So far, this element is not obvious in the introduction.
Response: The main work as well as the innovations of this paper are as follows:
1.Extending the theory of event logic. Two new event classes are added, and relevant axioms and rules are expanded.
2.Formally abstract the elliptic curve session key generation function, statute the mutual authentication process of ECC-based RFID authentication protocol, and portray the security properties that the protocol needs to satisfy.
3.Using ECC-based RFID protocol as an example, the strong authentication of the protocol is proved using the extended LoET. The application of LoET is extended to enable formal analysis of authentication protocols with elliptical cryptography regimes.

Comment: What motivated you to write this paper? It must be clearly mentioned in the introduction. So far, this element is not obvious in the introduction.
Response: At present, in the research of security analysis of ECC-based RFID authentication scheme, scholars mainly use BAN logic and some non-formal methods for analysis, the non-formal methods are based on the personal experience of scholars as well as known methods of attack on the protocol, so the security conclusions derived from the analysis of security protocols using the non-formal methods are inaccurate and unreliable. Also because of the non-formal nature of the modal logic idealisation process, the in-complete logical semantics and the over-reliance on initial assumptions, it is difficult to be used to statute ECC-based RFID security protocols and to carve out the security properties that need to be satisfied.
 
Comment: What is the scope and possible potential of the paper? It must be clearly mentioned in the introduction. So far, this element is not obvious in the introduction.
Response: In this paper, we look at the authentication protocol's own authentication to veri-fy the security of the protocol, so as to determine whether there is a replay attack on the protocol, which ensures the security of IoT information exchange.
 
Comment: The sections 2 and 3 require a direction. The reader can easily be lost while losing the flow of work. Either some of the sections should be merged. Or there should be a framework diagram which could possibly address and connect all the sections together to improve the readability of work.
Response: Thanks for your suggestion. We have added a framework diagram in section 1.

Comment: There should be a pseudo code or flow chart to convolute the proposed scheme before Section 4. Pseudo codes are usually considered for mathematical formulation driven work. In this work, a possible pseudo code-driven algorithm could be designed for practitioners to understand things smoothly. The variables of input and output are required to be defined in the pseudo code. And then that defined language is required to be used in the rest of the lines of the algorithm. Please follow the above steps accordingly.
Response: Thanks for your suggestion. We have added a flow chart at the beginning of section 4.
 
Comment: In section 4, what main-stream techniques are utilized for comparison? Is adequate comparison been made? The superiority of your proposed scheme shall be mentioned in the conclusion based on the outcome of comparison with other main-stream techniques.
Response: 1. Comparison with BAN-like Logic
BAN-like Logic requires initialisation assumptions before analysing security protocols, which are subjective to the analyst's intentions and are not formalised. These initialisation assumptions have the subjective intention of the analyst and are not formal, and the idealisation of the protocols relies too much on the analyst's intuition and experience. The idealisation process will cause problems, and the idealised protocol will have some gap with the original protocol. LoET is based on rigorous mathematical rules that regulate a series of axiomatic inference rule constraints, thus ensuring the reliability of the proof process. 
2.Comparison with PCL
In the verification of protocol security properties, PCL can only por-tray some protocol properties, but not the authentication properties of data signature protocols, whereas LoET can portray the authentication properties of other properties. PCL is not rigorous enough in modelling protocol interaction actions, and lacks the definition of a mechanism for describing the sequence of preceding actions of a thread. LoET specifies the successive thread states in which an event occurs by means of atomic independence.
3.Comparison with Model Checking
The verification idea of model checking method is falsification, while the verification idea of LoET is proof, i.e.  focusing on proving that the security protocol is correct. The model checking method requires the system model to have an infinite state space, the number of security protocols running, the number of protocol subjects will make the state space grow exponentially, although there are a series of optimisation algorithms that can re-duce the size of the protocol state space, but the problem still exists; while the LoET has no requirements for the security protocol state space, and will not face the problem of state explosion.
 
Comment: For a Journal paper talking about secure communication, IoT, its authentication and security, the elements of digitalization must be flavored which is the main set towards IoT authentication in systems. Similarly, the discussion on cyber-attacks from the perspective of security in general will also maintain the balance of the work. Some suggested references in IoT security, cyber attacks, and communication barriers are as follows: 1) Learning‐Based Methods for Cyber Attacks Detection in IoT Systems: A Survey on Methods, Analysis, and Future Prospects. 2) Communication systems in distributed generation: A bibliographical review and frameworks.  3) WAMS Operations in Power Grids: A Track Fusion-Based Mixture Density Estimation-Driven Grid Resilient Approach Toward Cyberattacks. 
Response: It is a very good suggestion. These references are very helpful for us to understand cyber-attacks from the perspective of security in general. We added these references, which are cited in [11], [12], [13], respectively.
 
Comment: References literally require an overall. Most of the references are conference papers and technical reports. Are they relevant to the work? Moreover, the format is not consistent. In some references, there is no page number mentioned. In others, the page number is at the end and year in the middle and vice versa. Also, in some, the first letter of the title of the paper is only capital. In others, all first letters of the titles of the paper are capital. Please visit the styling again and maintain consistency.
Response: Thank you for pointing out the mistakes. The author has corrected the mistakes. And the references cited are relevant to the work and give theoretical support to our work.

 We tried our best to improve the manuscript and we appreciate for Editors/Reviewers' warm work earnestly, and hope that the correction will meet with approval.
  Once again, thank you very much for your comments and suggestions.
Your sincerely
Quangang Chen
On behalf of all the co-authors

Reviewer 2 Report

The article presents a a formal analysis of ECC authentication protocol by means logic of events theory. Some comments follow:

    - Line 31 " on a elliptic curve cryptography (ECC)" should be "on Elliptic Curve Cryptography (ECC)"
- Line 56. Please correct reference issue.
- First paragraph of Section 2 has not been removed from the template.
- Line 90: reference issue should be solved.
- Equations should be numberd
- Line 100. Equation needs more explanation
- letters used in formulae should be emphasyzed in the text.

- All this issues should be corrected before to be able to acomplish the review of rest of the article.

   - In general, the manuscript is difficult to read, it needs to be completely rewritten, equations are not numbered, letters from equations are not emphasized in the text and equations and procedures need  more detailed explanations.

In general, the manuscript has several typos and grammatical errors. It should be thoroughly revised.

Author Response

Dear Editor and Reviewers,
We would like to thank the reviewers for carefully reading our manuscript. We appreciate the comments and suggestions. In the following, we include a point-by-point response to the comments. In the revised manuscript, all the changes have been highlighted in red.

Comment: Line 31 " on a elliptic curve cryptography (ECC)" should be "on Elliptic Curve Cryptography (ECC)"
Response: Thanks for your suggestion, we have corrected the errors in the manuscript.

Comment: Line 56. Please correct reference issue.
Response: Thanks for your suggestion, we have corrected the reference issue in the manuscript.

Comment: First paragraph of Section 2 has not been removed from the template.
Response: Thank you for pointing out the mistakes. The author has corrected the mistakes.

Comment: Line 90: reference issue should be solved.
Response: Thanks for your suggestion, we have corrected the reference issue in the manuscript.

Comment: Equations should be numberd.
Response: Thanks for your advice. We have revised it as your suggestion.

Comment: Line 100. Equation needs more explanation
Response: Thanks for your advice. We have revised it as your suggestion.

Comment: letters used in formulae should be emphasyzed in the text.
Response: Thanks for your advice. We have revised it as your suggestion.

We tried our best to improve the manuscript and we appreciate for Editors/Reviewers' warm work earnestly, and hope that the correction will meet with approval.
  Once again, thank you very much for your comments and suggestions.
Your sincerely
Quangang Chen
On behalf of all the co-authors

Reviewer 3 Report

In this paper, the authors proposed three event classes, Compute, Retrieve, and Generate, and related axioms and inference rules to formally abstract the ECC session key generation function, formally statute the authentication process of both parties, and the extended LoET is used to analyze the security properties of ECC-based RFID security protocols. The proof of mutual authentication property of ECC-based RFID protocol proves the efficiency of the proposed protocol. In addition, the structure of this paper is well organized and explanation of key part is clear, thus the paper is easy to understand. However, the reviewer has some comments, as is listed below.

-       - The abstract can be improved.

-      - In Subsection 2.3, the authors present the proof system to prove the protocol security properties. The authors should more explain the mathematical equations presented in key axiom, casual axiom and honest axiom.

-      - In section 3, the authors presented their proposed protocol which consists of two parts: the server and the tag. The authors should more detail the authentication process shown in Figure 1.

-      -  Minor mistakes in line 56 and line 90 “Error! Reference source not found”.

Minor editing of English language required

Author Response

Dear Editor and Reviewers,
We would like to thank the reviewers for carefully reading our manuscript. We appreciate the comments and suggestions. In the following, we include a point-by-point response to the comments. In the revised manuscript, all the changes have been highlighted in red.

Comment: The abstract can be improved.
Response: Thanks for your advice. We have revised it as your suggestion.

Comment: In Subsection 2.3, the authors present the proof system to prove the protocol security properties. The authors should more explain the mathematical equations presented in key axiom, casual axiom and honest axiom.
Response: Thanks for your advice. We have revised it as your suggestion.

Comment: In section 3, the authors presented their proposed protocol which consists of two parts: the server and the tag. The authors should more detail the authentication process shown in Figure 1.
Response: Thanks for your advice. We have revised it as your suggestion in section 3.

Comment: Minor mistakes in line 56 and line 90 “Error! Reference source not found”.
Response: Thanks for your suggestion, we have corrected the reference issue in the manuscript.

We tried our best to improve the manuscript and we appreciate for Editors/Reviewers' warm work earnestly, and hope that the correction will meet with approval.
  Once again, thank you very much for your comments and suggestions.
Your sincerely
Quangang Chen
On behalf of all the co-authors

Round 2

Reviewer 1 Report

The paper has been revised well.  The comments have been addressed adequately. The missing corners have been structured. Usually in such papers, the readers gets lost due to the heavy mathematics and write-up. However, in this paper, in its current form, the reader should find it very easy to read the work and to understand and implement the idea. Moreover, for practitioners, the touches of flowcharts and comparison analysis is a big support of understanding.

I recommend the acceptance of this work in its current form. 

Author Response

Dear Editor and Reviewers,

We would like to thank the reviewers for carefully reading our manuscript. We tried our best to improve the manuscript and we appreciate for Editors/Reviewers' warm work earnestly.
 Once again, thank you very much for your comments and suggestions.

Your sincerely,
Quangang Chen
On behalf of all the co-authors

Reviewer 2 Report

   The manuscript has been significantly improved. Nevertheless there are some minor issues:

   -A  final review is  recommendable, there are still some typos (as an example, in Line 99 "to the literature" should be "in the literature").

- The topics in Secton 2.2 ("Threads and Matching Sessions", "Strong authentication properties of protocol ") should be emphasized for improving the readability of the section.

- The font size of Figure 4 needs to be increased, it is difficult to read.

 

There are some typos in the manuscript, it requires a final revision.

Author Response

Dear Editor and Reviewers,
We would like to thank the reviewers for carefully reading our manuscript. We appreciate the comments and suggestions. In the following, we include a point-by-point response to the comments. In the revised manuscript, all the changes have been highlighted in red.

Comment: A final review is recommendable, there are still some typos (as an example, in Line 99 "to the literature" should be "in the literature").
Response: Thank you for pointing out the mistakes. The author has corrected the mistakes.

Comment: The topics in Secton 2.2 ("Threads and Matching Sessions", "Strong authentication properties of protocol ") should be emphasized for improving the readability of the section.
Response: Thanks for your advice. We have revised it as your suggestion.

Comment: The font size of Figure 4 needs to be increased, it is difficult to read.
Response: Thanks for your advice. We have revised it as your suggestion.

We tried our best to improve the manuscript and we appreciate for Editors/Reviewers' warm work earnestly, and hope that the correction will meet with approval.
  Once again, thank you very much for your comments and suggestions.
Your sincerely,
Quangang Chen
On behalf of all the co-authors

Reviewer 3 Report

My comment has been addressed.

Author Response

Dear Editor and Reviewers,

We would like to thank the reviewers for carefully reading our manuscript. We tried our best to improve the manuscript and we appreciate for Editors/Reviewers' warm work earnestly.
 Once again, thank you very much for your comments and suggestions.

Your sincerely,
Quangang Chen
On behalf of all the co-authors

Back to TopTop