Low-Cost RFID Authentication Protocol for Anti-Counterfeiting and Privacy Protection




YUNG-CHIN CHEN 1,*, WEI-LIN WANG 1, AND MIN-SHIANG HWANG 2
1 Department of Computer and Communication Engineering, Asia University, Taiwan
2 Department of Information Management, National Chung Hsing University, Taiwan
* Corresponding author. E-mail: ycchen@asia.edu.tw

ABSTRACT

RFID (Radio Frequency Identification) is one of the most promising NFC (Near Field Communication) technologies for pervasive and ubiquitous network societies in recent years. The main reason for the growing interest from both industry and academic institutes is its great potential for various applications that are closely related to our daily life, due partially to lowering prices. The implementation of RFID systems, however, has also raised concerns regarding information security and violations of end-user privacy. Due to lower prices and weaker privacy protection in RFID tags, a feasible security mechanism for anti-counterfeiting and privacy protection is proposed that uses XOR operations and random number shift methods to enhance RFID tag security at relatively low cost.

Key words: RFID, ubiquitous, counterfeiting, XOR, random number.

1. INTRODUCTION

An RFID system generally consists of three primary components: readers, tags and middleware (API), which possess identification, renewable, and reusable characteristics. Applications of RFID have been increasing over the past few years in various areas due to the popularization pushed by Wal-Mart and the DoD of the USA. Apart from the applications in supply chain, logistics, retail, and transportation, opportunities for manufacturing process management, security, electronic toll systems, library management systems and healthcare are also full of potential (Finkenzeller, 2003; Srivastava, 2005; Garfinkel & Rosenberg, 2005; Shepard, 2005; Weis, Sarma, & Rivest, 2003). It is expected that our daily life will become more convenient due to such applications in the future.

Security and privacy protection, however, will be an issue after widespread adoption of the RFID system due to the lowering of tag prices. The design of low-price tags is simple, using fewer gates, and is vulnerable to eavesdropping as a result (Ranasinghe, Engels, & Cole, 2005). Researchers have addressed the security risks of low-price RFID tags and proposed some possible solutions, including killing the tags at checkout, applying a rewritable memory, mutual authentication (Yang, Park, Lee, Ren, & Kim, 2005; Lopez, Castro, Tapiador, & Ribagordaj, 2006; Chang, 2005), the key diversification scheme (Chang, 2005), hash function encryption (Weis et al., 2003; Kim, Oh, Choi, & Kim, 2006; Gao et al., 2004; Oertel, Wolk, Hilyt, & Kohler, 2005; Henrici & Muller, 2004; Dimitriou, 2005), and the XOR algorithm (Yang, Ren, & Kim, 2005; Zhang & Zhou, 2005; Li, Jeong, Sun, & Lee, 2006). In this paper a low-cost approach with proper protection exploring the XOR algorithm is proposed.

2. SECURITY MECHANISM

There are basically two approaches to dealing with the risks of security and privacy. One is to kill or disable the tags and the other is the adoption of tags with access control functionality that only respond to authorized readers. On the other hand, RFID tags are designed to authenticate the reader first before responding to any reader. When the reader sends out a query, the tag encrypts its ID together with a random number R using the reader's public key. Because the reader's signal for each interrogation is different, even if the signal is eavesdropped, the adversary is still unable to pass the authentication for the next interrogation cycle. This random number based mutual authentication mechanism can in general prevent counterfeiting and repulse attacks.

2.1. Mutual Three-Pass Authentication Protocol

The security mechanism for low-cost RFID tags is in general designed with a mutual-authentication protocol so that readers are unable to read tags and distinguish counterfeit tags without having performed a correct authentication (Lopez et al., 2006; Chang, 2005). When the RFID system starts the authentication process, tags are first authenticated by the reader and vice versa before any communication is processed. Mutual authentication processes between the reader and the RFID tag are generally based on the principle of a three-pass mutual authentication, as illustrated in Figure 1. In accordance with ISO 9798 (Weis et al., 2003), both entities in the communication verify the other participant's secret cryptographic key. Three-pass authentication processes are necessary between the reader and the tag to complete a communication cycle, and the tag has the abilities of:
(1) having space for storage of the secret key K_AB;
(2) generating a random number R_A;
(3) encrypting Token AB and decrypting Token BA.
The potential source of danger is that all the tags possessing an identical cryptographic key K_AB could be found easily if there are frequent communications between the reader and the tag.

2.2. Key Diversification

The way to further enhance the security of an RFID system based on the three-pass mutual authentication mechanism is to adopt a key diversification scheme (Chang, 2005), as illustrated in Figure 2. In this key diversification based three-pass mutual authentication procedure, the tag is capable of:
(1) having space for storage of the secret key K_S and the serial number;
(2) generating a random number R_A;
(3) calculating K_S;
(4) encrypting Token AB and decrypting Token BA.

In this mechanism, a five-pass authentication process is necessary between the reader and the tag to complete a communication cycle. The key diversification scheme uses the tag's serial number and, for security reasons, a secret master key stored on the reader's security access module. This authentication strategy enhances both system security and user privacy by using a secret master key, but at the expense of higher chip costs. In addition, the time required for completing a communication cycle would be a bit longer, leading to a smaller number of tags read per second.

[Figure 1. Three-pass mutual authentication procedures between RFID tag and reader. Messages shown: GET_CHALLENGE(R_B), Token AB, Token BA; reader and tag each hold K_AB.]

[Figure 2. Three-pass mutual authentication procedure based on a key diversification scheme between RFID tag and reader. Messages shown: GET_Serial Number, Serial Number, GET_CHALLENGE(R_B), Token AB, Token BA; the reader's security access module holds K_M and the tag holds K_S.]

2.3. Hash Function

An extension of the authentication scheme is to use a cryptographic hash function that offers privacy control at low cost. All it requires is a hash function and space for metaID storage, as shown in Figure 3 (Weis et al., 2003). It is, however, unable to prevent tags from being tracked, as the tag's responses are predictable. Thus both the random key and the tag ID could be eavesdropped by an adversary.

Gao et al. (2004) proposed a hash function based randomized access control mechanism to avoid being tracked, as shown in Figure 4. This authentication mechanism enables the RFID tag to authenticate the reader if the reader is among the authorized group. This is because the readers and the tags belonging to the same group share the same ReaderID. During the authentication processes, tags will not respond to any unauthorized reader. Because the TagID sent by the tag is generated by a one-way hash function, the pair [TagID, h(TagID)] must be stored in a database beforehand so that TagID can be obtained.

[Figure 3. Hash-Locking: A reader unlocks a hash-locked tag.]

[Figure 4. Hash function based authentication procedure between RFID tag and reader. Parties shown: Data Base, API, Reader, Tag; messages shown: Query, r, h(ReaderID r), h(TagID).]

In this way of authentication, the tag is capable of:
(1) generating a random number r;
(2) calculating the hash functions h(ReaderID r) and h(TagID);
(3) having space for the ReaderID storage.

This authentication mechanism enables tags to identify authorized readers, and the tag sends the message h(TagID) to the reader as confirmation every time an authentication procedure is complete. There is still, however, the possibility of being eavesdropped: an unauthorized tag that has eavesdropped h(TagID) is able to transmit the same h(TagID) to a reader. Although the tag generates a random number r for the reader at the beginning to ensure that the authentication code provided by the reader is different every time, there is still a small chance of being eavesdropped due to the fixed and constant message h(TagID). An unauthorized reader is therefore able to counterfeit the tag by eavesdropping and replaying the message h(TagID) to the reader.
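The exchange of Figure 4 as a runnable sketch, run over several sessions to show the property noted above: r and the reader's proof change every session, while the tag's final message h(TagID) stays fixed. This is an added example, not code from Gao et al. or from this paper; SHA-256 standing in for h, concatenation of ReaderID and r inside the hash, and all names and IDs are assumptions.

```python
import hashlib
import hmac
import secrets


def h(*parts: bytes) -> bytes:
    # Assumption: h is SHA-256 over the concatenated fixed-length inputs.
    return hashlib.sha256(b"".join(parts)).digest()


class Database:
    """Back end: knows ReaderID and stores [TagID, h(TagID)] pairs beforehand."""

    def __init__(self, reader_id: bytes, tag_ids):
        self.reader_id = reader_id
        self.by_hash = {h(t): t for t in tag_ids}

    def prove_reader(self, r: bytes) -> bytes:
        return h(self.reader_id, r)

    def lookup(self, hashed_id: bytes):
        return self.by_hash.get(hashed_id)


class Tag:
    """Tag: stores TagID and the ReaderID of its authorized group."""

    def __init__(self, tag_id: bytes, reader_id: bytes):
        self.tag_id = tag_id
        self.reader_id = reader_id
        self.r = b""

    def new_challenge(self) -> bytes:
        self.r = secrets.token_bytes(16)   # fresh random number per query
        return self.r

    def respond(self, proof: bytes):
        expected = h(self.reader_id, self.r)
        if not hmac.compare_digest(proof, expected):
            return None                    # stay silent for unauthorized readers
        return h(self.tag_id)              # fixed value, identical every session


def run_session(db: Database, tag: Tag) -> dict:
    r = tag.new_challenge()
    proof = db.prove_reader(r)
    reply = tag.respond(proof)
    tag_id = db.lookup(reply) if reply is not None else None
    return {"r": r, "h(ReaderID,r)": proof, "h(TagID)": reply, "TagID": tag_id}


def constant_fields(sessions) -> list:
    """Names of on-air messages that are byte-identical in every session."""
    on_air = ("r", "h(ReaderID,r)", "h(TagID)")
    return [k for k in on_air if len({s[k] for s in sessions}) == 1]


if __name__ == "__main__":
    READER_ID = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    TAG_ID = bytes.fromhex("e2003412012345678900000000000001")     # constructed
    db = Database(READER_ID, [TAG_ID])
    tag = Tag(TAG_ID, READER_ID)
    sessions = [run_session(db, tag) for _ in range(3)]
    for s in sessions:
        print(s["r"].hex()[:8], s["h(ReaderID,r)"].hex()[:8], s["h(TagID)"].hex()[:8])
    print("constant across sessions:", constant_fields(sessions))
```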

3. PROPOSED APPROACH (XOR WITH RANDOM NUMBER SHIFT)

The proposed approach for low-cost RFID tags explores the simple XOR algorithm, instead of complex encryption such as a hash function, for anti-counterfeiting and privacy protection. The key point is to store the ReaderIDs of authorized readers in the tag's memory in advance, so that tags can identify authorized readers by their ReaderIDs, which are stored in both tags and readers. The purpose of using the XOR principle with a random number shift function is to increase the computing speed as well as to lower the cost of tags. The XOR principle is that if an authorized reader sends a request to the tags for TagID, it will get only a series of random numbers (TagID ⊕ r'), as r' is unknown, as shown in Figure 5.

[Figure 5. Proposed authentication schematic diagram.]

The full procedures of this proposed authentication mechanism, based on the XOR principle with the function of random number shift, are shown in Figure 6 and described as follows.

Step1: The API first generates a random number r, then retrieves the ReaderID from the database for the XOR operation, and passes the message (ReaderID ⊕ r) to the reader, enclosed in a query, for broadcasting to the tags.

Step2: The tag receives the query enclosing (ReaderID ⊕ r) and recovers the random number r by the XOR logic operation with ReaderID, which is previously stored in the tag's memory. The tag will then shift r left by n bits (n is the number of bits with binary value 1 in the random number r), generating a new random number r', which is XORed with TagID. The message (TagID ⊕ r') will then be transmitted back to the reader, as shown in Figure 7.

Step3: The reader passes the message (TagID ⊕ r') to the API, which first calculates r' and then obtains TagID by the XOR logic operation of r' with (TagID ⊕ r').

[Figure 6. XOR encryption algorithm with random number shift. Parties shown: Data Base, API, Reader, Tag.]

[Figure 7. Illustration of proposed authentication mechanism based on XOR encryption algorithm. Messages shown: Query + (ReaderID ⊕ r) from DB/API through the reader to the tag, and (TagID ⊕ r') back; in the tag, r is recovered by XOR with ReaderID, shifted left by n bits to give r', and XORed with TagID.]

In this proposed two-pass authentication mechanism, the tags are capable of:
(1) generating the random number r' by a shift of r by a few bits;
(2) calculating (TagID ⊕ r') by the XOR principle;
(3) having space for the ReaderID storage.

This authentication mechanism also enables tags to identify authorized readers, and the tag sends the message (TagID ⊕ r') to the reader as confirmation every time the authentication procedures are complete. There is very little chance of being eavesdropped because the information (TagID ⊕ r') transmitted to the reader in the final step is unknown, as r' is unknown.
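Steps 1 to 3 above as a runnable sketch, using the 128-bit width of the simulator described in Section 4. This is an added example, not the authors' simulator code; the class and function names and the sample IDs are constructed, and because the paper does not say what happens to the bits shifted out of r, a circular (rotate-left) shift is assumed so that r' keeps all 128 bits.

```python
import secrets

BITS = 128                      # width used by the paper's simulator (Rand128)
MASK = (1 << BITS) - 1


def derive_r_prime(r: int) -> int:
    """Step 2: shift r left by n bits, where n is the number of 1 bits in r.

    Assumption: the shift is circular. A plain shift would drop the high
    bits and zero-fill the low n bits of r'.
    """
    n = bin(r).count("1") % BITS
    return ((r << n) | (r >> (BITS - n))) & MASK


class Api:
    """Back-end API that knows ReaderID (Steps 1 and 3)."""

    def __init__(self, reader_id: int):
        self.reader_id = reader_id
        self.r = 0

    def make_query(self, r=None) -> int:
        # Step 1: fresh r per interrogation; the query carries ReaderID XOR r.
        self.r = secrets.randbits(BITS) if r is None else r
        return self.reader_id ^ self.r

    def recover_tag_id(self, response: int) -> int:
        # Step 3: recompute r' from the stored r and strip it from the response.
        return response ^ derive_r_prime(self.r)


class Tag:
    """Tag holding its TagID and the pre-stored ReaderID (Step 2)."""

    def __init__(self, tag_id: int, reader_id: int):
        self.tag_id = tag_id
        self.reader_id = reader_id

    def respond(self, query: int) -> int:
        r = query ^ self.reader_id          # recover r with the stored ReaderID
        return self.tag_id ^ derive_r_prime(r)


def run_session(api: Api, tag: Tag, r=None):
    """One two-pass exchange; returns (query, response, TagID seen by the API)."""
    query = api.make_query(r)
    response = tag.respond(query)
    return query, response, api.recover_tag_id(response)


if __name__ == "__main__":
    READER_ID = 0x0123456789ABCDEF0123456789ABCDEF   # constructed sample value
    TAG_ID = 0xE2003412012345678900000000000001      # constructed sample value
    tag = Tag(TAG_ID, READER_ID)

    api = Api(READER_ID)
    _, resp1, seen1 = run_session(api, tag)
    _, resp2, seen2 = run_session(api, tag)
    print("authorized API recovers TagID:", seen1 == TAG_ID and seen2 == TAG_ID)
    print("responses differ per session: ", resp1 != resp2)

    # An API configured with a different ReaderID derives a different r',
    # so what it "recovers" is not the TagID.
    other = Api(READER_ID ^ 1)
    _, _, seen3 = run_session(other, tag)
    print("other ReaderID recovers TagID: ", seen3 == TAG_ID)
```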

Comparisons of the proposed approach with the other authentication mechanisms in terms of the encryption algorithm and the number of passes are illustrated in Table 1.

Table 1. Encryption algorithm and the number of passes

Algorithm | Number of passes | Tag's capabilities
Mutual Three-Pass Authentication Protocol | 3 times | Generating RN, Encryption of Token AB and decryption of Token BA, Space for secret key and serial number
Key Diversification Scheme | 5 times | Generating RN, Computation of K_S, Encryption of Token AB and Decryption of Token BA, Space for secret key and serial number
Hash Function Encryption | 4 times | Generating RN, Hash function computation, Space for ReaderID
XOR with RN Shift | 2 times | Generating r' (= r left shifting n-bits), TagID ⊕ r' calculation, Space for ReaderID

Note. *RN: Random Number.

4. SIMULATOR AND SIMULATION RESULTS

Due to the lack of real RFID facilities for verification of the proposed security mechanism, we designed a pseudo-reader simulator and a pseudo-tag simulator, as shown in Figures 8 and 9, respectively, for verification. The pseudo-reader simulator is capable of generating a 128-bit random number, Rand128, for the operation (ReaderID ⊕ Rand128), sending the signal (Query + ReaderID ⊕ Rand128) to the tag, and decrypting (TagID ⊕ Rand128') to obtain the TagID. The pseudo-tag simulator is capable of receiving the query enclosing (ReaderID ⊕ Rand128) and recovering the random number Rand128, followed by the XOR calculation of (TagID ⊕ Rand128'). The message (TagID ⊕ Rand128') will then be sent back to the pseudo-reader simulator. The simulation steps are described as follows:

Step1: The pseudo-reader simulator first reads the ReaderID from a configuration file and automatically generates the random number Rand128 for the XOR operation with ReaderID, i.e., (ReaderID ⊕ Rand128), and then encloses it in a query and sends it to the pseudo-tag simulator.

Step2: The pseudo-tag simulator triggers the real reader to interrogate the ReaderID stored in the tag's memory soon after receiving the message (Query + (ReaderID ⊕ Rand128)).

Step3: After receiving the ReaderID, the pseudo-tag simulator is able to obtain the random number Rand128 by the XOR operation of (ReaderID ⊕ Rand128) with ReaderID. After that, Rand128 is shifted left by n bits (n is the number of bits with binary value 1 in the random number Rand128), generating a new random number Rand128'.

Step4: After the pseudo-tag simulator generates Rand128', the reader starts to interrogate TagID from the tags to obtain (TagID ⊕ Rand128') by the XOR operation of TagID with Rand128'. This is then transmitted to the pseudo-reader simulator.

Step5: The pseudo-reader simulator starts the XOR operation of (TagID ⊕ Rand128') and Rand128' to obtain the TagID soon after receiving (TagID ⊕ Rand128') from the pseudo-tag simulator.

[Figure 8. The pseudo-reader simulator.]

[Figure 9. The pseudo-tag simulator.]

The simulation flowcharts are shown in Figures 10(a)-(d). In Figure 10(a), the pseudo-reader simulator, including the data fields ReaderID, Rand128, and (ReaderID ⊕ Rand128), is placed on the upper left of the figure. The pseudo-tag simulator, including ReaderID, Rand128, (ReaderID ⊕ Rand128), and a red/green light, is placed on the upper right of the figure. The upper wave-shaped block in the middle represents the packaged message between the two simulators. The pseudo-tag simulator triggers the reader to interrogate the tag for ReaderID soon after receiving the packaged message (ReaderID ⊕ Rand128). The red/green light is red before ReaderID is received, as shown in Figure 10(a), and turns green after ReaderID is received; ReaderID is then delivered to the ReaderID data field, and in the meantime Rand128 is sent into the Rand128 data field.

Figure 10(b) shows three data fields placed down the right side of the figure, TagID, Rand128', and (TagID ⊕ Rand128'), together with a red/green light. After Rand128 in the upper data fields is computed, the reader will be triggered to interrogate the tag for TagID. The red/green light is red before TagID is received and turns green after TagID is received; TagID is then delivered to the TagID data field. The next task is to compute (TagID ⊕ Rand128') using Rand128' and deliver the result to the pseudo-reader simulator, as shown in Figure 10(b).

Figure 10(c) shows the three data fields Rand128', (TagID ⊕ Rand128'), and TagID placed down the left-hand side. Once it has received the packaged message (TagID ⊕ Rand128'), the pseudo-reader simulator starts computing Rand128' and XORs it with (TagID ⊕ Rand128') to obtain TagID, and then matches the TagID against that of the pseudo-tag simulator. A yellow circle appears if TagID is matched and a red cross appears if it is not matched, as shown in Figure 10(c). A red N appears if the real reader fails to interrogate real tags, as shown in Figure 10(d).

5. DISCUSSION

According to Table 1, the proposed authentication mechanism shows some advantages in comparison with the others, including (a) a relatively simple algorithm (XOR), (b) a simpler algorithm leading to a smaller number of logic gates required and thus reduced cost, (c) high security (random number shift), and (d) high efficiency (two passes only). For better performance testing of our approach, we plan to verify the proposed design by designing a simple circuit that will integrate a shift register with a random number generator, XOR logic gates, antenna, and memory. Thus, possible effects of noise and/or disturbance from the reading range and the non-uniformity of the antenna for signal coupling will be clearer. For this purpose, we have taken the first step of designing a novel NMOS-type shift register which contains a relatively small number of transistors per stage, as shown in Figure 11 (Jone, Aliso, & Chen, 2002), and which is expected to reduce the tag's price by reducing the manufacturing processes. The challenges faced by low-cost RFID design lie not only in the number of logic gates but also in the regulation and power consumption of circuits (Ranasinghe, Lim, Cole, & Devadas, 2006), which will also be our future work.

[Figure 10 (a)-(d). RFID authentication simulator and flowchart.]

[Figure 11. NMOS-type shift register.]

REFERENCES

Chang, G. C. (2005). A Feasible Security Mechanism for Low Cost RFID Tags. The Fourth International Conference on Mobile Business (ICMB'05), Sydney, Australia, 675-677.

Dimitriou, T. (2005). A Lightweight RFID Protocol to protect against Traceability and Cloning attacks. Proceedings of First International Conference on Security and Privacy for Emerging Areas in Communications Networks (SecureComm 2005), Athens, Greece, ISBN:0769523692.

Finkenzeller, K. (2003). RFID Handbook: Fundamentals and Applications in Contactless Smart Cards and Identification (2nd ed.). Munich, Germany: Wiley.

Garfinkel, S., & Rosenberg, B. (2005). RFID Applications, Security, and Privacy. Boston, USA: Addison-Wesley.

Gao, X., Xiang, Z., Wang, H., Shen, J., Huang, J., & Song, S. (2004). An Approach to security and privacy of RFID system for supply chain. Proceedings of IEEE International Conference on E-Commerce Technology for Dynamic E-Business (CEC04EAST), Beijing, China, 164-168.

Henrici, D., & Muller, P. (2004). Hash-based Enhancement of Location Privacy for Radio-Frequency Identification Devices using Varying Identifiers. Proceedings of Second IEEE Annual Conference on Pervasive Computing and Communications Workshops (PERCOMW'04), Washington, DC, USA, 149-153.

Jone, L. M., Aliso, B., & Chen, Y. C. (2002). Bootstrapped Shift Register. World Intellectual Property Organization, WO 02/45091 A1.

Kim, H. S., Oh, J. H., Choi, J. Y., & Kim, J. W. (2006). The Vulnerabilities Analysis and Design of the Security Protocol for RFID System. Proceedings of Sixth IEEE International Conference on Computer and Information Technology (CIT'06), Seoul, Korea, 152.

Lopez, P. P., Castro, J. C. H., Tapiador, J. M. E., & Ribagordaj, A. (2006). An Efficient Mutual-Authentication Protocol for Low-cost RFID Tags. Retrieved May 14, 2006, from http://lasecwww.epfl.ch/~gavoine/download/papers/PerisHER-2006-otm-is.pdf

Li, Y. Z., Jeong, Y. S., Sun, N., & Lee, S. H. (2006). Low-cost Authentication Protocol of the RFID System Using Partial ID. Proceedings of International Conference on Computational Intelligence and Security, Guangzhou, China, 1221-1224.

Oertel, B., Wolk, M., Hilyt, L., & Kohler, A. (2005). Security Aspects and Prospective Applications of RFID Systems (BSI Report). Bonn, Germany: German Federal Office for Information Security (BSI).

Ranasinghe, D. C., Engels, D. W., & Cole, P. H. (2005). Low-Cost RFID Systems: Confronting Security and Privacy. USA Auto-ID Labs. White Paper WP-SWNET-013.

Ranasinghe, D. C., Lim, D., Cole, P. H., & Devadas, S. (2006). A Low Cost Solution to Authentication in Passive RFID Systems. USA Auto-ID Labs. White Paper WP-HARDWARE-029.

Srivastava, L. (2005). Ubiquitous Network Societies: The Case of Radio Frequency Identification, Background Paper. International Telecommunication Union (ITU) New Initiatives Workshop on Ubiquitous Network Societies, Geneva, Switzerland. Retrieved from http://www.itu.int/osg/spu/ni/ubiquitous/papers/RFID background paper.pdf

Shepard, S. (2005). RFID: Radio Frequency Identification. New York, USA: McGraw-Hill.

Weis, S. A., Sarma, S. E., & Rivest, R. L. (2003). Security and Privacy Aspects of Low-Cost Radio Frequency Identification Systems. Proceedings of First International Conference on Security in Pervasive Computing.

Yang, J., Park, J., Lee, H., Ren, K., & Kim, K. (2005). Mutual Authentication Protocol for Low-Cost RFID. Workshop on RFID and Lightweight Crypto, Graz, Austria.

Yang, J., Ren, K., & Kim, K. (2005). Security and Privacy on Authentication Protocol for Low-Cost RFID. The 2005 Symposium on Cryptography and Information Security, Maiko, Kobe, Japan.

Zhang, L., & Zhou, H. (2005). An Improved Approach to Security and Privacy of RFID Application System. Proceedings of International Conference on Wireless Communications, Networking and Mobile Computing (WCNM2005), Wuhan, China.

Yung-Chin Chen received his B.S. degree in Physics from Tamkang University in 1988, and his first M.S. degree in Opto-electronics engineering from National Chiao Tung University in 1991. Dr. Chen served at Telecommunication Laboratories of Chunghwa Telecom Co., Ltd. in Jung-Li, Taiwan as an assistant R&D engineer in 1991 and served at Sinonar Co., Ltd. in Hsinchu, Taiwan as an R&D engineer in 1993. Dr. Chen received a second M.S. degree in electrical engineering from University College, London in 1996, and a Ph.D. degree in electrical engineering from Imperial College London in 2000. Dr. Chen served at Wintek Co., Ltd. in Taichung, Taiwan as an R&D engineer in 2000, joined the faculty of Asia University in Taiwan in November 2003, and is currently an assistant professor in the Department of Computer and Communication Engineering. Professor Chen's major research interests include TFT-LCD, RFID, and flexible electronics. So far he has published more than 20 academic papers and two international patents. Dr. Chen is currently a member of IEEE.

Wei-Lin Wang received his B.S. degree in information technology from Toko University, Chiayi, Taiwan in 2004, and an M.S. degree in computer and communication from Asia University, Taichung, Taiwan in 2006. Mr. Wang has served at Lee Ching Tech Co., Ltd in Taichung, Taiwan as a research engineer since July 2006. His current research interests include RFID middleware software and authentication protocols.

Min-Shiang Hwang was born on August 27, 1960 in Tainan, Taiwan, Republic of China (ROC). He received his B.S. in electronic engineering from National Taipei Institute of Technology, Taipei, Taiwan, ROC, in 1980; an M.S. in industrial engineering from National Tsing Hua University, Taiwan, in 1988; and the Ph.D. in computer and information science from National Chiao Tung University, Taiwan, in 1995. He also studied applied mathematics at National Cheng Kung University, Taiwan, from 1984-1986. Dr. Hwang passed the National Higher Examination in the field of electronic engineering in 1988. He also passed the National Telecommunication Special Examination in the field of information engineering, qualified as an advanced technician first class, in 1990. From 1988 to 1991, he was the leader of the Computer Center at Telecommunication Laboratories (TL), Ministry of Transportation and Communications, ROC. He was also the Chairman of the Department of Information Management, Chaoyang University of Technology (CYUT), Taiwan, from 1999-2002. He was a professor and the Chairman of the Graduate Institute of Networking and Communications, CYUT, from 2002-2003. He is currently a professor in the Department of Management Information System, National Chung Hsing University, Taiwan, ROC. He obtained the 1997, 1998, 1999, 2000, and 2001 Outstanding Research Awards of the National Science Council of the Republic of China. He is a member of IEEE, ACM, and the Chinese Information Security Association. His current research interests include electronic commerce, database and data security, cryptography, image compression, and mobile computing. Dr. Hwang has published 100 articles on the above research fields in international journals.