In [31], Shin et al. proposed a Leakage-Resilient and Proactive Authenticated Key Exchange (LRP-AKE) protocol for credential services which provides not only a higher level of security against leakage of stored secrets but also secrecy of the private key with respect to the involved server. In this paper, we discuss a problem in the security proof of the LRP-AKE protocol, and then propose a modified LRP-AKE protocol that has a simple and effective measure against the problem. Also, we formally prove AKE security and mutual authentication for the entire modified LRP-AKE protocol. In addition, we describe several extensions of the (modified) LRP-AKE protocol including 1) the synchronization issue between the client's and server's stored secrets; 2) randomized IDs for the provision of the client's privacy; and 3) a solution for preventing server compromise-impersonation attacks. Finally, we evaluate the performance overhead of the LRP-AKE protocol and show its test vectors. From the performance evaluation, we can confirm that the LRP-AKE protocol has almost the same efficiency as the (plain) Diffie-Hellman protocol, which does not provide authentication at all.
Guangquan XU Yuanyuan REN Yuanbin HAN Xiaohong LI Zhiyong FENG
With the rapid development of the Internet of Things (IoT), Radio Frequency Identification (RFID) has become one of the most significant information technologies in the 21st century. However, more and more privacy threats and security flaws have been emerging in various vital RFID systems. Traditional RFID systems focus only on foundational implementation and lack privacy protection and effective identity authentication. To solve the privacy protection problem, this paper proposes a privacy protection method with a Privacy Enhancement Model for RFID (PEM4RFID). PEM4RFID utilizes a “2+2” identity authentication mechanism, which includes a Two-Factor Authentication Protocol (TFAP) based on “two-way authentication”. Our TFAP employs “hardware information + AES-ECC encryption”, while the “two-way authentication” is based on improved Combined Public Key (CPK). A case study shows that our proposed PEM4RFID has the characteristics of untraceability and nonrepeatability of instructions, which realizes a good trade-off between privacy and security in RFID systems.