ArticlePDF Available

Abstract and Figures

p>This paper proposes an attendance system for increasing the security based on Shamir Secret Share algorithm. The use of RFID devices for classroom attendance is still vulnerable to certain attacks. Students usually make use of existing loopholes for prohibited things, such as forged attendance. Shamir Secret Share is a security method based on the Secure Multiparty Computation (SMC) concept. The SMC guarantees not only the confidentiality of external attacks but also of each member in the secure system. In the attendance scenario using Shamir Secret Share, a student and a lecturer must do tapping at the same time; otherwise, the secret that opens the lock for attendance at that class will not be opened. To realize this system, this paper uses two RFID modules, each of which is connected to one nodeMCU microcontroller. Both systems are connected to a database where the Shamir Shared Secret calculation is performed. Some experiment has been implemented for proving the concept. The result shows that some scenarios of fraud in RFID based attendance can be prevented.</p
Content may be subject to copyright.
OPEN ACCESS
ISSN 2460-9056
http://socj.telkomuniversity.ac.id/ijoict/
10
Intl. Journal on ICT
Vol. 6, Issue. 1, June 2020. pp. 10-22
doi:
10.21108/IJOICT.2020.61.480
Received on 20 Mar 2020. Accepted on 18 May 2020
Increasing the Security of RFID-based
Classroom Attendance System with Shamir
Secret Share
Aji Gautama Putrada
1
, Maman Abdurohman
1*
1
School of Computing, Telkom University
Bandung, Indonesia
*
ajigps@telkomuniversity.ac.id
Abstract
This paper proposes an attendance system for increasing the security based on Shamir Secret
Share algorithm. The use of RFID devices for classroom attendance is still vulnerable to certain
attacks. Students usually make use of existing loopholes for prohibited things, such as forged
attendance. Shamir Secret Share is a security method based on the Secure Multiparty Computation
(SMC) concept. The SMC guarantees not only the confidentiality of external attacks but also of
each member in the secure system. In the attendance scenario using Shamir Secret Share, a student
and a lecturer must do tapping at the same time; otherwise, the secret that opens the lock for
attendance at that class will not be opened. To realize this system, this paper uses two RFID
modules, each of which is connected to one nodeMCU microcontroller. Both systems are
connected to a database where the Shamir Shared Secret calculation is performed. Some
experiment has been implemented for proving the concept. The result shows that some scenarios
of fraud in RFID based attendance can be prevented.
Keywords: RFID Card, Secure Multiparty Computation, Classroom Attendance System, Shamir
Secret Share
I. I
NTRODUCTION
ll non-mobile phone devices that are connected to the Internet can be classified as the Internet of Things.
The technology of the IoT field in the last decade has been growing and advancing. With the presence of
IoT technology, many companies or offices use the technology to improve their used facilities [1][2], one of
which is the use of RFID Cards. RFID is a technology that has existed for the last 50 years, and in various
industries, more and more are considering RFID [2][3]. The security system provided by RFID can be used
for a variety of things, such as user attendance, as well as door lock securities.
The case which will be discussed here is about the attendance system in classrooms. Classroom attendance
is the main condition for students to get good academic results. In this case, the use of attendance with RFID
is quite effective and efficient because it can uniquely identify a person based on the Card entered [4]. Each
student has an RFID that has been given by the campus to tap attendance in class, using a unique code that
stores the student's own identity by using a UID (Unique Identifier) code that distinguishes students from one
another. However, the use of RFID is only limited to UID storage, so the RFID is said to be still not safe.
A
INTL. JOURNAL ON ICT VOL. 6, NO.1, JUNE 2020 11
One of the scenarios of fraud is, students who did not attend class will secretly approach class and do
tapping when a class has been dismissed, but there is still time left until the next class. So, in fact, the student
did not come to class but was considered to be present by the system.
Therefore it is necessary to increase security and awareness of data storage in RFID users [5]. Efforts to
increase security can be done by doubling security on RFID users [6]. What is meant by doubling the security
of this system is to add code by implementing Secure Multiparty Computation (SMC), which performs simple
correlations using card patterns. The card stores data that will be processed by the Shamir Secret Shared
method. This increase in security is to prevent attendance fraud by students who can use more than one RFID
card.
The concept of SMC is to guaranty not only the confidentiality of external attacks but also of each member,
meaning that this system works highly effective when internal parties have low mutual trust, as in between
lecturers and students. In an attendance system based on SMC, the key of two parties, in this case, the student
and the lecturer, is needed to open the lock of the student's attendance in that classroom. In other words, there
is no way a student can do RFID tapping without the presence of the lecturer.
Shamir Secret Share is one of many methods to implement SMC. The concept of this method is using
algebra. The parties of the secrecy share a point in a function, and if not all points or parties are complete, the
point of the secret will not be revealed. The consequence is that the more the parties in the SMC, the more
complex the line is. For example, a two-party SMC will only need linear algebra, and a four-party SMC will
need a polynomial line.
Based on the problem statement, which is a vulnerability in classroom attendance based on RFID Cards,
this paper aims to increase the security of an RFID-based classroom attendance system with Shamir Secret
Share.
Because the parties involved in this system are two, the student and the lecturer, linear algebra is used. Two
RFID Card Readers will be involved in the system. This is necessary because the tapping needs to be
executed simultaneously. Each reader will be controlled by one NodeMCU Microcontroller. This NodeMCU
Microcontroller will be connected to a database. The Shamir Secret Share calculation will be done in the
database. The attendance system will also reside in the database.
The systematic of this paper is as follows. The first chapter is about the introduction. Motivation, problem
statement, and research aim are elaborated in this section. The second chapter is about related work. In this
section, other researches and papers are explored to define the position of the current research. The third
chapter is about the design of the system. This section will discuss the legacy system, possible attack
scenarios, and the design of the secure system proposed. This section will also explain about the Shamir secret
share used in the research. The fourth chapter is about evaluation. In this section, the defense of the system
will be tested, and the results will be discussed. The fifth chapter is the conclusion. This section will mention
and highlight findings in this research. Future work will also be provided.
II. RELATED WORK
RFID based attendance systems have long been the subject of research. One of them is research in 2016 [7].
This study explores the advanCardes of implementing an RFID-based attendance system. In addition to the
attendance system, this study also discusses the RFID system in other fields such as logistics, animal
husbandry, libraries, and also the use of active RFID. This research successfully proved that the attendance
system using RFID would bring efficiency. This efficiency will lead to a return in investment and an increase
in lecturer income.
PUTRADA ET AL.:
I
NCREASING THE
S
ECURITY OF
RFID
-
BASED
C
LASSROOM
A
TTENDANCE
YSTEM WITH
S
HAMIR
S
ECRET
HARE
12
Similar research in 2018 used several IoT devices to enhance the learning interactivity in the class [8].
RFID Card was one of the devices involved. This research bundled the RFID Card with nodeMCU to create a
long-range Card system. The Card is used so that lecturers can report students. This research also applied QR
Codes to ease the user's response system. Through the research, the authors can prove that the system
increases student attendance in class.
Another research in 2019 studied the time improvement in using RFID Cards compared to conventional
attendance system [9]. What is meant by the conventional attendance system is when the teacher calls the
name of the students one by one and checks their names on the attendance form. To compare the time of each
system, a stopwatch is used as a measurement tool. The results of this research prove that using RFID Cards,
the time consumed to take attendance of a class is 20 to 40 seconds. Faster than a conventional method that
takes approximately 40 to 200 seconds. The research states that fraud can occur when a student brings two or
more cards, substituting their friends to take attendance in class.
Attacks and defenses on RFID Cards have also been a common research field. Many types of attacks can be
launched upon an RFID Card system. Likewise, RFID Card defense systems also take many forms. A
research in 2015 promotes Brute Force as an attack that has a high threat towards RFID Cards [10]. As a
defense system, this research chooses hashing. Through the proposed system, the defense system will cause a
brute force attack to have a cost of 2192. This is a way much higher cost than what it takes to brute force a
conventional RFID system, which is 296. This also includes if the card went through eavesdropping.
Another paper discussing a different attack is research on Replay Attacks on RFID [11]. A replay attack is
when an adversary steals information from a card and stores it in another card or a card emulator for fraud
intention. The paper discusses a previous paper and points out the failure of that paper in handling Replay
Attack, thus proposing a correct solution. In the previous paper, it said that the replay attack could be solved if
two RFID Cards are involved; the method is called "Yoking Proof". But the amount of Cards involved is not
the issue in Replay Attack as they can copy any amount of Card as they like. The previous paper then
proposes "Grouping Proof", another method just like "Yoking Proof", but this time, adding timestamps, to
distinguish the time difference in each operation. Again this is still not the issue, as timestamps can be forged.
The paper proposes a better mechanism to defend against Replay Attack.
Besides brute force, eavesdropping, and replay attack, cloning is another famous attack against RFID
Cards. Cloning is simply doubling or faking an RFID Card. There are no two RFIDs in the world with the
same UIDs. But in cloning, the adversary creates a fake RFID Card with the same UID as the victim, using
special kinds of RFID Cards, thus using it for fraud intention. The research discusses this attack and advices
as a system to prevent cloning [12]. This paper proposes the idea of metaID. MetaID is a once in a lifetime
ID. It is an ID stored in the memory of the RFID Card. Each time the card is used, the metaID changes, thus if
cloned, the cloned version of the card will receive useless information. To also defend the card from
eavesdropping, the system adds hashing, so communication of the metaID cannot be detected.
III. ARCHITECTURAL REQUIREMENTS
A. RFID Card
RFID is one of the "what you have" based authentication techniques. The RFID system consists of two
parts, namely the RFID tag and the RFID reader. RFID tags are usually card-shaped, in this card there is a
microchip that is able to store information, including a UID containing a unique number that is not owned by
another RFID card in the world [13]. Communication between the tag and the reader occurs wirelessly, using
radio frequency technology, hence the name RFID [13] [14]. During communication between the tag and the
reader, a UID will be sent for authentication. In order to save power, communication between the tag and
reader is done with a very low range; therefore, the way to authenticate is to touch the RFID tag with the
INTL. JOURNAL ON ICT VOL. 6, NO.1, JUNE 2020 13
Reader. One of the RFID protocol technology users is advanCarde [14]. RFID systems have 2 important parts,
namely:
1) RFID Reader. RFID Reader is the "keyhole" in the RFID authentication system. RFID Reader will
be attached to a guarded or protected asset. RFID Reader is usually a peripheral for a computer [8].
RFID Reader consists of a microprocessor or microcontroller and an antenna [15]. Fig. 1 gives an
overview of an RFID reader.
2) The antenna functions as a transmitter and receiver of radio frequency signals between RFID
readers and RFID tags [15]. RFID tags have a compact form so that this antenna is not visible. In
Fig. 1 can be seen that this tag is spiraling around the card. This antenna is hidden in the outer
layers of the card and not visible. [16]. RFID card communication is passive, meaning that this
card receives power from the emission of an RFID Reader signal to send data.
B. Legacy RFID-Based Classroom Attendance System
The Telkom University Classroom Attendance System is used as a case study in this research. In this case,
The Student ID Card given to each student is actually an RFID card. This Student ID Card can be used for
class attendance. In each class, one RFID Reader has been installed and is connected to the campus
information system. During class, students can do the tapping. This tapping will go into the campus
information system and be considered as attendance at the class. Tapping is considered valid only if the
lecturer concerned has already done the tapping. If outside of lecture time tapping is done, tapping will not be
considered valid.
C. Attack Schemes
As discussed in Chapter 1 and Chapter 2, there are many scenarios that can be launched against an RFID
system and specifically in an RFID-based Classroom Attendance System. The First scheme is attendance
forgery. There have been two scenarios. The first scenario is done by tapping attendance in an opportunity
window between the end of class and the next class. The second scenario is done by substituting a friend,
bringing the friend's RFID Card, and tapping on the friend's behalf without the lecturer paying attention. The
second scheme is brute force. The adversary uses a fake card, with fake UID but does not know the correct
UID, hence trying a UID one by one. The third scheme is the Replay attack. The adversary saves the data
inside a card emulator and uses it for fraud intent. The last is cloning; the card is copied into another card,
thus creating a replicate card, used for fraud.
D. Secure Multiparty-Computation
In a conventional RFID-based attendance system, the RFID Reader will be located near the classroom door
[9]. The reason is to follow the flow of students entering the classroom. In an SMC system, the tap of the
student's RFID Card will need to be simultaneous with the tap of the lecturer's RFID Card. Hence, another
Reader is required. To ease the flow mentioned before, the Reader for the lecturer's RFID Card needs to be
near by the lecturer's desk. Fig. 2 shows the planning of the classroom and the Two RFID placements.
In Fig. 2 it can be seen that there are two RFID Readers; One near the Door and one above the Lecturer
Desk. Students will tap their cards on the reader near the door, and lecturers will tap their RFID Cards on the
reader on the desk.
PUTRADA ET AL.:
I
NCREASING THE
S
ECURITY OF
RFID
-
BASED
C
LASSROOM
A
TTENDANCE
YSTEM WITH
S
HAMIR
S
ECRET
HARE
14
RFID
READER
RFID TAG
CHIP
Antenna
Antenna
Communication
Fig. 1. RFID Reader and Tag wireless communication
E. System Block Diagram
To implement the system, two RFID Readers are required. Each RFID reader needs to be connected to a
common database, so each RFID Reader will be connected to a NodeMCU. A NodeMCU is a microcontroller
with Wi-Fi capabilities. A database is deployed in a server. The server communicates with the NodeMCU,
creating the Shamir Secret Share system. Fig. 3 shows a comprehensive view of the system.
Lecturer
Desk
Whiteboard
Student
RFID
Reader
Student Area
16 sq. m.
Lecturer
RFID
Reader
Classroom
Door
Fig. 2. Placement of Student RFID Reader and Lecturer RFID Reader in Classroom
INTL. JOURNAL ON ICT VOL. 6, NO.1, JUNE 2020 15
Lecturer
Reader
Student
Reader
Student Lecturer
Internet
Server Attendance
Database
Shamir
Secret Share
Fig. 3. System Block Diagram
F. Shamir Secret Share
Shamir Secret provides a very important basic secret sharing scheme concept. In understanding this sharing
scheme, it is divided into sections in the secret scheme, which are separated into n sections to share with the
participants. When using it by doing a merge that has been agreed to access the secret. The process of
reconstructing this secret is very important for the prevention of attacks against the system. In 1979, Shamir
and Blakley each proposed a method of sharing this secret with the Lagrange interpolation formula and the
nature of vector spaces. The proposition is given a value of N + 1 points (xi, f (xi)) in a polynomial [17]. One
can identify the polynomial f(x) degree n by calculating formula (1).
𝑓(𝑥)= (𝑦

 )
 (1)
where x is the input variable, y is the output variable, k is the degree of each equation, and i is the degree of
the equation.
Equation (1) is a Lagrange formula that has been modified to optimize the computation of the Shamir
Secret Share. The resultant of the secret will be the free coefficient of the final formula.
The way to share the secret is to divide it into n pieces. In Shamir Secret Share, these n pieces form a line.
For example, if three pieces of points of a parabola curve are known, the function of the curve can be
calculated via Lagrange Formula in equation (1). Without one piece of information, the function cannot be
formed. The number of pieces of information needed to open the secret is known as k.
PUTRADA ET AL.:
I
NCREASING THE
S
ECURITY OF
RFID
-
BASED
C
LASSROOM
A
TTENDANCE
YSTEM WITH
S
HAMIR
S
ECRET
HARE
16
As defined by Shamir, k pieces of points are needed to form a polynomial of degree k-1. Because in this
case, the secret is shared between the lecturer and the student, the k value is 2, meaning that the degree of the
polynomial is 1, in other words, a linear curve.
By limiting the case to s = k = 2, and the use of a linear curve, as an alternative to equation (1), the slope-
intercept mechanism can also be used to find the curve. By deriving the slope-intercept equations, the
equation to find the secret is as in equation (2).
𝑐 = 𝑦
𝑥 (2)
where c is the intercept or the free coefficient of a linear curve or the secret itself, (x1, y1) is the first point,
and (x2, y2) is the second point. It should also be noted that y2 and x2 in the equation above can be
substituted by y1 and x1; the result will not differ.
Technically this secret division will become a share by using two users. So, in this case, the calculation of
interpolation theory is used to form a linear equation, namely y = a0 + a1x. So we need two points, the points
are (x1, y1) and (x2, y2). The steps taken are as follows:
Interpolate two points on a straight line y = a0 + a1x, namely (x1, y1) and (x2, y2). Where (x1, y1) is
determined as the lecturer point and (x2, y2) is determined as the student point
The two points are translated into the following linear equations:
a) y1 = a0 + a1x1
b) y2 = a0 + a1x2
Fig. 4 illustrates an example of the Shamir Secret Share in the RFID-based Classroom Attendance. In the
example shown in Fig. 4, the secret piece saved in the lecturer's RFID Card is (6,5), and the secret piece saved
in the student's RFID Card is (10,7). By illustration, when the two tap their cards together, the two points will
show up and form a line. The line's intersection with the Y-axis will be the secret to unlock the student's
attendance of that class at that time.
The real process is to reconstruct the equation of the two points. This is done by executing equation (2),
producing C, which is the secret to unlock the attendance.
To implement the system, two RFID Readers are required. Each RFID reader needs to be connected to a
common database, so each RFID Reader will be connected to a NodeMCU. A NodeMCU is a microcontroller
with Wi-Fi capabilities. A database is deployed in a server. The server communicates with the NodeMCU,
creating the Shamir Secret Share system. Fig. 4 shows a comprehensive view of the system.
As shown in Fig. 4, the absence of a single point will give infinite possibilities of intercepts to the only
point in the graph with the Y-axis.
Shamir Secret Share also addresses the issue of scalability. A classroom does not only consist of one
lecturer and one student. Also, one student can have many lecturers, meaning that there are many
relationships between students and lecturers. To illustrate that Shamir's Secret Sharing can be scaled and can
adapt to scale-up systems, an example is given. An example can be seen in Fig. 5.
INTL. JOURNAL ON ICT VOL. 6, NO.1, JUNE 2020 17
Fig. 4. Illustration of Shamir's Secret Share on RFID-based Classroom Attendance System
The RFID-based Classroom Attendance System with Shamir Secret will apply polynomials of degree 1, aka
linear curves. One can argue that the number of polynomials must follow the number of students in the class.
So that all students plus lecturers must do tapping so that attendance is recognized. But this is not applied,
because if there is at least one student not present, then the whole class cannot do the tapping. In addition, the
complexity increases because there must be adjustments to polynomials for different class sizes. The solution
for a class with many students is to make one point in the graph that is unique to one lecturer or one student,
which means that the relationship between each pair of lecturer-student points in the graph will lead to secrets.
The system can be designed to be user friendly. For example, lecturers feel bothered because they have to
tap repeatedly every student doing the tapping. This will not happen because lecturers can place and leave
their card on the lecturer tapping machine while the students take turns tapping.
Fig. 5. A scalability showcase that is an illustration of a multiclass - multistudent secret sharing system
PUTRADA ET AL.:
I
NCREASING THE
S
ECURITY OF
RFID
-
BASED
C
LASSROOM
A
TTENDANCE
YSTEM WITH
S
HAMIR
S
ECRET
HARE
18
IV. RESULTS AND ANALYSIS
A. Analysis over Attendance Forgery Attack
There are two scenarios of attendance forgery attack concerned in this paper. To explain each forgery
attack, Fig. 5 has been made. There it can be seen that a window is present between the end of the class and
the next class where an adversary can forge an attendance.
A hypothetical system can be imagined where the problem in the sequence diagram in Fig. 5 can be
overcome by a second lecturer tap. The second tap of the lecturer will end the attendance session. After the
second tap, students cannot tap again. But this does not address the second attendance forgery scheme. The
second forgery scheme is when a student carries two RFID cards; a student card and a friend's card, and taps
both of them without the teacher realizing it [9]. That will be called Substitute Attendance Forgery. Fig. 6
explains the scheme. It can be seen here that forged tapping can still occur in permitted sessions.
LECTURER STUDENT READER SERVER
RFID CARD TAPPING
1.1 STUDENT 1:
RFID CARD TAPPING
2.2 ATTENDANCE SUCCEEDS:
LEGITIMATE
3.1 STUDENT 3:
RFID CARD TAPPING
1.2. ATTENDANCE FAILS
CLASS SESSIONS STARTS BY TIME
2.1 STUDENT 2:
RFID CARD TAPPING
LECTURER ENDS CLASS
AND LEAVES
ATTENDANCE SESSION STARTS
LEGITIMATE TAPPING
TIME OVER 3.2 ATTENDANCE SUCCEEDS:
FORGED
CLASS SESSION ENDS BY TIME
Fig. 5. Legacy RFID-based Attendance System and Fragilities
Fig. 7 shows how Shamir Secret Share will defend against the first forgery scheme. It can be seen that the
adversary cannot tap the forged attendance because the lecturer's RFID Card is released from the reader.
INTL. JOURNAL ON ICT VOL. 6, NO.1, JUNE 2020 19
LECTURER STUDENT READER SERVER
RFID CARD TAPPING
2.2 ATTENDANCE SUCCEEDS:
LEGITIMATE
CLASS SESSIONS STARTS BY TIME
4.1 STUDENT 4:
SELF RFID CARD TAPPING
RFID CARD TAPPING
ATTENDANCE SESSION STARTS
5.2 ATTENDANCE SUCCEEDS:
FORGED
CLASS SESSION ENDS BY TIME
ATTENDANCE SESSION ENDS
5.1 STUDENT 4:
SUB RFID CARD TAPPING
STUDENT 5
Fig. 6. RFID Card Substitution Tapping Attendance Forgery Scheme
Fig. 7 also shows how Shamir Secret Share will defend against the second forgery scheme. It can be seen
that only one pair of secret pieces will work at one time. Hence tapping two cards at the same time will not
work. Here an assumption must be made where the reader used has anti-interference. Anti-interference
prevents two or more cards from being tapped at once. So if a student wants to tap two cards at a time, the
student must have to wait for a while until there is a sign where the student can do a second card tapping.
LECTURER
READER
STUDENT
READER
SHAMIR
SECRET
SHARE SERVER
RFID CARD TAPPING CLASS SESSIONS STARTS BY TIME
2.1 STUDENT 2:
RFID CARD TAPPING
RFID CARD RELEASE
SECRET PIECE 1
CLASS SESSION ENDS BY TIME
6.1 STUDENT 6:
FORGED TAPPING
2.2 SECRET PIECE 2
2.3 SECRET
RECONSTRUCTED:
ATTENDANCE COUNT
6.2 SECRET PIECE 2
6.3 PIECE INCOMPLETE:
FORGERY FAILS
Fig. 7. Shamir Secret Share solution to Attendance Forgery
PUTRADA ET AL.:
I
NCREASING THE
S
ECURITY OF
RFID
-
BASED
C
LASSROOM
A
TTENDANCE
YSTEM WITH
S
HAMIR
S
ECRET
HARE
20
B. Analysis over Brute Force Attack
In order so that the attendance forgery scheme in the previous part can succeed, the lecturer should be
present, or at least the lecturer's card should take place in the second card reader. This can only happen if the
card is stolen or in a second scenario, a rewritable UID card or clone card is used. If the real card is not
present to be copied, one can only brute force the lecturer's secret piece into the system.
In order to brute force the lecturer's secret piece, the complexity cost will be 232 that is the number of
possible UIDs if the field is 32 bits long. This is still a higher cost compared to the legacy system where brute
force is not required.
C. Analysis over Other Attacks
Despite being safe from attendance forgery and relatively safe from brute force attacks, the system is still
vulnerable to other attacks. The attacks discussed here are eavesdropping, cloning, and replay attack. Through
eavesdropping, the adversary can receive transmission between the communication between card and reader,
thus retrieving the UID for the cloned card. Through cloning, the adversary can steal the card for a moment or
use phishing readers to create a clone card for fraud intentions. Through a replay attack, the adversary can
create a card emulator by tapping the emulator to the lecturer's card; the adversary emulates the same card to
forge attendance.
Cloning is also a threat for the legacy system. Despite the threat of cloning by Shamir Secret Share, cloning
lecturer's card will be more challenging than cloning a student's card for forgery. The effort also increases
because two cards need to be cloned for a complete cloning attack. Other solutions to these attacks are such as
metaID and mutual hashing or synchronized secrets. These methods can be implemented in future work.
Table I summarizes the security comparison of the legacy system and the new system against all the attacks
that have been discussed, namely Forgery, Brute Force, Eavesdropping, Cloning, and Replay Attack.
TABLE I
SECURITY COMPARISON
No. System
Security Attack
Forgery Brute
Force
Eaves-
Dropping
Cloning Replay
1 Legacy System X X X X X
2
RFID-based
Classroom Attendance
System with Shamir
Secret Share
O
O = secure, = partially secure, X = vulnerable
D. Performance Analysis
Performance Analysis of the addition of security in the form of Shamir Secret Share is done by comparing
the time complexity and the communication round of the new system with the legacy system. The new system
or RFID-based Class Attendance System with Shamir Secret Share consists of two main processes; linear
curve reconstruction and linear search of shared key results. The linear curve reconstruction algorithm is an
equation that is not limited by the size of the variable, meaning that whatever the value is sought, the time
spent will be the same. This means that linear curve reconstruction has a constant time complexity; the big O
notation is O(1). Furthermore, the linear search of the shared key result has linear time complexity; the big O
INTL. JOURNAL ON ICT VOL. 6, NO.1, JUNE 2020 21
notation is O(n). So the big O notation (worst case) of the overall time complexity of the RFID-based Class
Attendance System with Shamir Secret Share is O(n). Whereas the legacy system only uses linear search to
find ID tags from a lecturer or student cards, the time complexity is linear, and the big O notation is O(n).
Then the time complexity of the two systems is the same.
The second performance analysis is done by calculating the communication round of the two systems.
Legacy systems require three communication rounds, the first to activate class time, the second to activate
lecturer time, the third to activate student time. The same number of communication rounds needed by the
new system. The first round is for class time. Class time activates the possibility of a shared secret. The
second round is for the first secret piece, and the third round is for the second secret piece. The conclusion is
that both systems have the same number of communication rounds. A summary of the RFID Based
Attendance System with Shamir Secret Share performance analysis can be seen in Table II. The second
performance
TABLE II
PERFORMANCE ANALYSIS
No. System Computational Cost
Operation
Time
Complexity
Communication Round
1 Legacy System LS O(n) 3
2
RFID-based Classroom
Attendance System with Shamir
Secret Share
LCR + LS O(n) 3
LCR = Linear Curve Reconstruction, LS = Linear Search
V. CONCLUSION
An RFID-based Classroom Attendance System using Shamir Secret Share has been implemented. The
system consists of two RFID Readers with Wi-Fi Connection capabilities and a Server containing a Database
and the Shamir Secret Share computation. The implementation exercises one of the Shamir Secret Share
properties, which is flexible, as it is proven to no be burdened by the complexity of the multiclass –
multistudent nature of a university. The implementation is tested over several attack scenarios and is proved
to tackle the main problem addressed in this paper, which is Attendance Forgery. Two forgery scenarios have
been proven not applicable in this secure system. The linear curve reconstruction of the second-degree
polynomial type Shamir Secret Share is computationally lightweight, meaning that the addition of the security
will not be a difference in time complexity compared to the legacy system. For the proposed system, in order
so that attendance forgery can succeed, the brute force needs to take place. In this case, the implementation
also proves to complicate the brute force attack, although, through eavesdropping attacks, the cost of brute
force can decrease. Despite this situation, the complication is still at a high level compared to the legacy
system. For future work, a finite field algorithm can be implemented to harden the system against the
eavesdropping attack. Moreover, the system can be enhanced to defend against other attacks. The
implementation of a metaID can be used against cloning attack threats. The implementation of hashing and
random number generation can be used against replay attacks.
ACKNOWLEDGEMENT
The author would like to thank Telkom University for allowing making the problem in the RFID-based
classroom attendance system a case study in this research.
PUTRADA ET AL.:
I
NCREASING THE
S
ECURITY OF
RFID
-
BASED
C
LASSROOM
A
TTENDANCE
YSTEM WITH
S
HAMIR
S
ECRET
HARE
22
REFERENCES
[1] S. Singh, A. Kaushik, and S. S. Chitkara, "Ubiquitously controlled personalized smartlock," Proc. Int. Conf. IoT Soc. Mobile,
Anal. Cloud, I-SMAC 2017, pp. 686–691, 2017.
[2] Y. M. Hwang, M. G. Kim, and J. J. Rho, "Understanding Internet of Things (IoT) diffusion: Focusing on value configuration of
RFID and sensors in business cases (2008–2012)," Inf. Dev., vol. 32, no. 4, pp. 969–985, 2016.
[3] S. L. Ting, A. H. C. Tsang, and Y. K. Tse, "A framework for the implementation of RFID systems," Int. J. Eng. Bus. Manag.,
vol. 5, no. 1, pp. 1–16, 2013.
[4] T. S. Lim, S. C. Sim, and M. M. Mansor, "RFID based attendance system," 2009 IEEE Symp. Ind. Electron. Appl. ISIEA 2009 -
Proc., vol. 2, no. Isiea, pp. 778–782, 2009.
[5] M. Burmester, J. Munilla, and A. Ortiz, "Comments on 'Unreconciled collisions uncover cloning attacks in anonymous RFID
systems,'” IEEE Trans. Inf. Forensics Secur., vol. 13, no. 11, pp. 2929–2931, 2018.
[6] F. Kerschbaum and N. Oertel, “Privacy-preserving pattern matching for anomaly detection in RFID anti-counterfeiting,” Lect.
Notes Comput. Sci. (including Subser. Lect. Notes Artif. Intell. Lect. Notes Bioinformatics), vol. 6370 LNCS, pp. 124–137,
2010.
[7] M. Meghdadi and A. A. Azar, “The Possibility of Using RFID System to Automate and Integrate the Attendance of Professors
and Students in the Classroom,” Intell. Control Autom., vol. 07, no. 04, pp. 93–109, 2016.
[8] P. Tan, H. Wu, P. Li, and H. Xu, “Teaching Management System with Applications of RFID and IoT Technology,” Educ. Sci.,
vol. 8, no. 1, p. 26, 2018.
[9] P. Sihombing, J. Timanta Tarigan, A. Khair, and H. Rumapea, “The Student Attendance Controlling by Using RFID (Radio
Frequency Identification) to Increase the Time Optimization and Accurate of Data,” J. Phys. Conf. Ser., vol. 1235, p. 012039,
2019.
[10] J. S. Cho, Y. S. Jeong, and S. O. Park, “Consideration on the brute-force attack cost and retrieval cost: A hash-based radio-
frequency identification (RFID) tag mutual authentication protocol,” Comput. Math. with Appl., vol. 69, no. 1, pp. 58–65, 2015.
[11] S. Piramuthu, “On Existence Proofs for Multiple RFID Tags,” no. June, pp. 317–320, 2006.
[12] T. Dimitriou, “A lightweight RFID protocol to protect against traceability and cloning attacks,” Proc. - First Int. Conf. Secur.
Priv. Emerg. Areas Commun. Networks, Secur. 2005, vol. 2005, pp. 59–66, 2005.
[13] S. Nath, P. Banerjee, R. N. Biswas, S. K. Mitra, and M. K. Naskar, “Arduino based door unlocking system with real time
control,” Proc. 2016 2nd Int. Conf. Contemp. Comput. Informatics, IC3I 2016, pp. 358–362, 2016.
[14] Z. Zhi-yuan, R. He, and T. Jie, “A method for optimizing the position of passive UHF RFID tags BT - RFID-Technology and
Applications (RFID-TA), 2010 IEEE International Conference on,” no. June, pp. 92–95, 2010.
[15] M. Andriansyah and M. Subali, “e-KTP as the Basis of Home Security System using Arduino Uno,” CAIPT, pp. 1–5, 2017.
[16] K. V. Seshagiri Rao, Pavel V. Nikitin, and Sander F. Lam, “Antenna design for UHF RFID Tags: A review and a practical
application,” IEEE Trans. Antennas Propag., vol. 53, no. 12, p. 3870, 2005.
[17] A. Shamir, “How to share a secret,” Commun. ACM, vol. 22, no. 11, pp. 612–613, 1979.
... To maintain privacy, SMPC allows many parties to collaboratively calculate a function over their private inputs while guaranteeing that no participant learns anything beyond the computation's output [176]. The technology underlying SMPC relies on cryptographic protocols, such as secret sharing, and cryptographic primitives like homomorphic encryption [177]. By employing those technologies, SMPC enables secure communication and computation among multiple parties while preserving the privacy of their inputs [178]. ...
Article
Full-text available
Understanding the landscape of privacy protection in governmental systems is crucial for ensuring the trustworthiness of public services and safeguarding citizens’ sensitive data from breaches or misuse. Systematic mapping and synthesis of previous research can help identify existing privacy-preserving techniques, assess their effectiveness, and highlight areas for improvement, offering valuable insights for policymakers and practitioners. We aim to conduct a systematic literature review (SLR) of privacy-preserving tools and technologies, focusing on their adoption and governments’ challenges. This study also uncovers emerging trends and future research directions, contributing to developing more robust privacy strategies tailored to government needs.Given its extensive reach and government-centric methodology, this evaluation distinguishes itself from previous research. Our work methodically synthesizes privacy-preserving tools and technologies from the distinct perspective of government roles, in contrast to previous assessments that concentrate narrowly on certain technologies or areas. Our findings offer a synthesis of the government’s diverse roles in privacy preservation—regulator, enforcer, user, and service provider—and address existing concerns and key privacy-related technologies. Finally, we identify significant research opportunities, such as improving privacy-preserving mechanisms to strengthen the integrity of public services and mitigate the risks of data breaches and misuse.
... RFID cards has a microchip that can store information, including user identification (UID) containing a unique code. Communication between the tag and the reader occurs wirelessly, using radio frequency technology, hence the name RFID (Putrada and Abdurohman, 2020). The communication between the tag and the reader is validated for authentication, and the proper way of authentication is to tap the RFID card to the RFID reader. ...
Article
Full-text available
The main purpose of the study is to develop an IoT-based computer laboratory security solutions. To provide its security and at the same time for the purpose of checking attendance, RFID cards were used that can be done by doubling the security to add code by implementing Secure Multiparty Computation (SMC), which performs simple correlations using card patterns. An RFID-based encryption algorithms is proposed to secure communication between the RFID reader and tags that provides a secure and reliable method of attendance monitoring, reducing the risk of identity and unauthorized access of computer laboratories This process is to increase security and to prevent attendance fraud by students who can use more than one RFID card.
... Those approaches vary in the security aspect, accuracy aspect, and actualization of data. Like in [4]- [9], radio-frequency identification (RFID) is used to provide a robust, scalable, secure, and automatic attendance system. Those RFID approaches are requiring workers to bring the ID device to work so the attendance system can identify them and automatically fill the attendance data. ...
Article
Full-text available
Human resource management requires good documentation and good data processing. In workspaces such as offices and factories, employee salaries are determined by calculating attendance at each hour of work. Tracking and collecting attendance data for a large number of employees is a difficult thing to do. We need a secure system to facilitate the process of collecting and tracking presence data. We propose an attendance system that uses random quick response code (QR-codes) as one time password (OTP) to improve security. Employees are required to scan the QR-code within ten seconds before it is changed and randomized each time. The proposed attendance system facilitates data collection using employees’ smartphones and Mac-Address as unique identification numbers. The system is able to track employees’ arrival and departure times. We have implemented the system at the local university to collect lecturer attendance data then analyze its security and statistic in all scanning activities. The average time needed by a user to authenticate their presence in the system is 25.8877 seconds. The steps needed to sign in and out from the system are fewer than other previous researches. Those findings tell us that the approach is straightforward and more uncomplicated than other proposed methods. We conclude that randomized QR-code scanning is a relevant scheme to be applied in a secure attendance system. © 2022 Institute of Advanced Engineering and Science. All rights reserved.
... Most security schemes deploy biometrics, such as the real-time face detection-based approach (Kuang & Baul, 2020;Mady & Hilles, 2017;Srivastava et al., 2020;Shrestha et al., 2018;Kumar et al., 2020;Yusof et al., 2018) and fingerprints (Thejaswini et al., 2021;Hasan et al., 2020). Moreover, a number of studies have suggested hardware-based authentications as something you have such as RFID (Putrada & Abdurohman, 2020;Maramis & Rompas, 2018), Near-Field Communication (NFC) (Oo et al., 2018), and wireless sensor networks (Alassery, 2019), while location-based services for area restrictions have been used to track employees (Fatkharrofiqi et al., 2020) and students (Ding, Cao & Zhu, 2018). In terms of multi-factor attendance systems, a two-factor system using RFID and face identification has been implemented for employees (Kurniawan & Zaky, 2020). ...
Article
Full-text available
In information security, it is widely accepted that the more authentication factors are used, the higher the security level. However, more factors cannot guarantee usability in real usage because human and other non-technical factors are involved. This paper proposes the use of all possible authentication factors, called comprehensive-factor authentication, which can maintain the required security level and usability in real-world implementation. A case study of an implementation of a secure time attendance system that applies this approach is presented. The contribution of this paper is therefore to provide a security scheme seamlessly integrating all classical authentication factors plus a location factor into one single system in a real environment with a security and usability focus. Usability factors emerging from the study are related to a seamless process including the least number of actions required, the lowest amount of time taken, health safety during the pandemic, and data privacy compliance.
Conference Paper
This study proposes an e-attendance system that improves students’ safety and preserves user privacy and children's rights. The system provides an access control system that combines Radio Frequency Identification (RFID) technology and identity management schemes. This technique can be used to track student attendance while guaranteeing their privacy is maintained precisely. In contrast to current methods, this work prioritises security and privacy concerns. The suggested method incorporates the blockchain strategy and privacy attribute-based credentials (P-ABCs) for secure and controlled identity management. Notably, the system avoids using cameras or biometric data to allay privacy concerns. To further improve student safety, future improvements might incorporate GPS technology.
Article
Full-text available
RFID (Radio Frequency Identification) is a wireless technology which uses to a purpose of identifying and tracking an object via radio waves to transfer data from an electronic tag, called RFID tag. In this paper, the using of RFID for an accurate student attendance tracking controlling is developed. Integrated with an Arduino Uno microcontroller and sensor to read student’s RFID tags. Each tag contains a unique identity (ID) that mapped to a single student ID in the database. We have tested in classroom of Computer Science Department, Universitas Sumatera Utara. The result shows that the average total time taken to record the attendance of a class with 50 students are around 40 seconds, compared to approximately 200 seconds (3.33 minutes) total time when using a conventional method. The system also able to record effectively with no error during our test.
Article
Full-text available
Currently, Internet of Things (IoT) technologies are used in many areas, such as intelligent transportation, smart city, hospital, games, education. Earlier interactive response system uses infrared or radio frequency (RF) wireless communication technologies to transmit the students’ answer to teachers’ managerment system, where there exists high cost, inconvenient usage, difficult deployment. How to use IoT to improve the quality of higher education becomes a very important topic in the researh area of teaching. Radio Frequency Identification (RFID) is one of key technologies to implement IoT applications, and most of universities use the High Frequency (HF) RFID card as the students’ identification devices in China. In this paper, a kind of WiFi supported RFID reader (WiRF) is implemented using open source hardware platforms, such as Node MCU and RFID-RC522. Then the proposed WiRF system is used to assist teacher to perform automatic attendance record and students’ behavior record. In addition, Quick Response (QR) code is another technology to enable IoT. In this paper, QR code is designed to quickly access course video and perform real-time interactive response in the classroom, which will provide multidimensional learning and strengthen the motivation of students’ learning. This IoT system can improve the attendance of students, and give a positive impact on students’ learning process for higher education.
Article
Full-text available
One of the most important goals followed in most systems is to increase efficiency, reduce errors and enhance ease of data entry tasks such as better services in organizations. Therefore, the use of intelligent tools is of the most important requirements for a management system in order to collect complete and accurate data and create complete information. In management, use of new technologies is recommended to have smart systems and reduce human errors. This study aimed to investigate “professors and students attendance system using RFID” and research population consists of professors and students. Findings show that, as attendance checking system in universities and schools is done through the class list and checking attendance of students needs to spend time and energy so it leads to a waste of valuable time and energy of professors to teach. Therefore, it is essential to use efficient and modern systems, because with the design and implementation of RFID attendance system and replacing the traditional system, time and energy waste could be avoided and attendance system could be promoted to an intelligent and integrated one. The designed system includes a number of hours of presence and absence, delays and rush to pay the salaries of professors at the University with its automatic identification through radio frequency. This system aims to create changes in this area and it is economic in whole.
Article
Full-text available
There are an increasing number of organizations planning to implement Radio Frequency Identification (RFID) systems to enhance their competitiveness. Due to the novelty of the technology, many managerial challenges exist in determining and planning for the implementation of such systems. These challenges often lead to wasted efforts and resources, as well as to failed implementations. This paper presents a systematic and holistic RFID implementation framework which has been validated by both users and experts. The framework outlines the important tasks to be performed in each step of the implementation process. To enable practitioners to make informed go/no‐go decisions, essential considerations of implementation are also discussed in this paper. Furthermore, the critical success factors for the deployment of such systems are also elaborated.
Article
In a recent publication in this journal, K. Bu et al. (IEEE Trans. on Information Forensics and Security, vol. 8, no. 3, pp. 429–439, Mar. 2013) presented a protocol that detects cloned tags (replicas of genuine tags) in anonymous radio frequency identification (RFID) systems by leveraging unreconciled collisions in the medium access control layer. This does not require RFID readers to implement cryptographic mechanisms, or know the identities of tags. Improved versions have since been published that claim that detection can also be deterministic. In this paper, we analyze this protocol and show that the physical limitations of collision detection have not been adequately addressed and that, without any further assumptions, unreconcilable collisions cannot be detected. We then propose a solution for which the responses of tags are randomized and show that: 1) there is a tradeoff between the accuracy of detecting cloning attacks and execution time and 2) detection of cloned tags cannot be deterministic.
Article
A radio-frequency identification (RFID) system is a promising automatic identification technology that uses communication via radio waves to identify and track moving objects. RFID systems are expected to replace bar-code systems in object identification fields in the future, but various security problems are obstructing their diffusion. The most important problem of RFID system is that an attacker can access the tag information, which raises privacy infringement and forgery problems. This paper proposes a hash-based RFID tag mutual authentication protocol to solve these security problems of RFID systems. The proposed protocol is designed to demand high cost of acquiring the tag information for attackers.
Conference Paper
The ability to securely authenticate RFID (radio-frequency identification) tags is of paramount importance in RFID-tagged applications where the integrity of the system as well its security can be compromised by an adversary. RFID tags have resource constraints including limited memory and processing capacity which restrict utilization of cryptographic primitives that have been used in other applications. We consider the case where two or more RFID tags need to be simultaneously scanned. Juels (2004) provided a proof for the simultaneous existence of two RFID tags. Saito and Sakurai (2005) later showed the proof described in Juels (2004) to be vulnerable to `replay attack', and proposed new proofs to alleviate this problem. However, the proofs provided by Saiko and Sakurai (2005) are not immune to `replay attack.' We propose a modified proof and provide its security analysis