Lightweight Encryption Protocol for Passive RFID System using SIMON

Lightweight Encryption Protocol for Passive RFID System using SIMON Vidur Nayyar, Prajna Setty Graduate students Electrical and Computer Engineering (nayyar.vidur, prajna.setty)@rutgers.edu Rutgers,The State University of New Jersey http://vidurnayyar.com/?page id=89 Abstract In this paper we propose a mutual authentication protocol for a specific Radio Frequency Identification (RFID) system, which is under development by Prof. Ivan Marsic and Graduate student Vidur Nayyar. The system uses three RFID receivers that detect the Received Signal Strength(RSSI) and the data picked up by the sensors attached to the tag to sense the vital information from the patients. We take advantage of SIMON s lightweight cryptographic algorithm to develop a protocol that fits perfectly to the RFID system s requirement to add security to the RFID system which is a MSP-430 based RFID tag. [The project mentioned above is in the initial phase, all the experiments have been performed on a battery-powered RFID tag and the battery-less tag is under development. The security/authentication protocol is being designed keeping in mind the future of the project, that is using a battery-less RFID tag.] Index Terms RFID Tags, RSSI, RFID Receivers, Lightweight Cryptography, SIMON I. INTRODUCTION Radio-frequency identification (RFID) has proved to be a very good, decisive technique to detect movement of the medical instruments in the trauma bay. It gives a high level of accuracy by sensing the change in RSSI levels received by the RFID receiver. However, radio communications between RFID tags and readers raise a number of security and privacy concerns if there are no security measures taken to keep the system safe from adversaries. In this paper we propose a modified authentication protocol using SIMON encryption algorithm to safeguard such RFID systems that are being used without any level of security. The passive RFID tags do not use any external power supply and work off harvesting power from the RFID receiver. Providing security to RFID systems using passive/semi-passive tags is very tricky due to the memory and power constraints on them. Due to these reasons most of the RFID systems work without employing any form of data encryption algorithm. RFID systems being wireless mode of transferring data, are under high threat of security issues such as tag information leakage, tag impersonation attack, forward traceability, denial of service attack(dos), replay attack and tag location tracking. The adversaries can easily disrupt the system by using any of the mentioned attacks and steal the information from the tags. Although RFID system under study is not used to transfer highly sensitive information, it is essential to have a lightweight encryption to protect the system from attacks while not induce delays in the operation of the system. Several proposals are in place for security related to RFID systems. Most of them are generalized and encompass all RFID systems under one bracket. RFID systems are allpervasive and will replace barcodes in the near future. With the ease of their operation they find application in many areas. RFID can be used to tag virtually any instrument and authenticate it. Hence, the security concerns clearly vary depending on the field of usage. So far encryption algorithms like AES, Hummingbird etc. have been proposed where the security level required is relatively high. Some proposals do not use any encryption or hash functions but instead use basic modular addition, circular shifts, etc. and promise desired security. The usage of passive RFID has two facets. The advantage is the low cost,but this comes with a cost of restrained resource. The passive tags are energized when they are in close proximity of a RFID reader and harvest the transmitted RF power. Hence, the power availability is limited. Also, the circuit doesn t support many modules to incorporate high performing algorithms that involve a lot of computational complexity. There is a necessary trade off between security and computational ease. In the system at hand, even though high-end security is not a necessity, a secure system is still an important requirement. There is a single server that manages all the tags associated with it. Each time a tag wants to communicate with the server, both the server and tag need to authenticate themselves. Once the handshake is done, the actual data transfer from tag happens. There needs to be a foolproof way of authenticating, in the absence of which the system is prone to attack. An adversary can either act as a tag or try to access the server and gain entry into the system or can pose as the server and compromise the tag. This paper proposes SIMON as the encryption algorithm and designs a modified version of mutual authentication protocol [1] between the tag and the server. Since power is one of the major constraints in passive RFID, we incorporate a simplified variation of the power aware encryption[2]. The encryption algorithm is essentially SIMON but the number of rounds and the word size chosen can be varied based on the power availability. This enables sufficient

security at low power. Further, the system is evaluated for the security level and computational feasibility in comparison with other previous methodologies in place. II. LITERATURE SURVEY The security measures employed in RFID so far can be categorized as follows. (1) Using the existing hardware components such as micro-controller, register, memory, counter, comparator and so on to implement the encryption in transponder. (2) The operational frequency is adjusted in protecting the RFID tag data. (3) Adding redundant bits into the original data to change the bit location. So far all the security measures used in RFID is in terms of encryption/decryption algorithms or hash functions or they use a combination of the before mentioned three methods. In resource constrained environment like RFID, lightweight ciphers are most suitable. AES has been mostly used for this purpose[3]. AES meets the security requirements but it has some computational overhead on the system. AES is not a serialized algorithm. Bit-serial essentially means that the algorithm updates a single bit per cycle as opposed to an entire block. Algorithms that are fully serialized allow for very small implementations over hardware. However S-box based algorithms do not allow for efficient serialization below the width of their S-box size. Even though AES meets the security requirement, it has computational overhead that is not desirable[4]. Another algorithm Hummingbird-2 that is an improvised version of the earlier Hummingbird has been used [5]. This algorithm provides a robust protection against most attacks and also requires less hardware implementation than AES. The smallest AES implementation requires at least 2400 gates, Hummingbird can be implemented with a little more than 2000 gates [6]. However there is not significant advantage of using Hummingbird instead of AES in terms of hardware. In [7] a combination of the approaches (2) and (3) have been used. They use adaptive frequency rates and add data redundancy bits to the original data sequence. However this methodology requires design of a frequency detector to trigger a clock generator that can produce multiple clock frequencies for operating at different frequency modes. A similar method has been proposed in [2] where power aware encryption is used. Here, the level and computations of the encryption changes dynamically according to the available power on the tag. The encryption level is modified according to the power requirement so as to not cause an overhead on the system while providing some security. This however requires some special hardware components like the previous mentioned method and is not very general purpose. There are numerous encryption methodologies available and many different protocols proposed for passive RFID. However, any single one of them is not sufficient to meet the requirement of the system in use. Due to the constraint in terms of resource in our system, such power aware encryptions are not feasible. We make use of a modified mutual authentication protocol based on challenge-response as [5] and use SIMON as the encryption algorithm. The protocol has been modified to suit the security requirement that can thwart the possible attacks on the current system. III. PROPOSED SYSTEM Protocol Description: The design is a challenge-response mutual authentication protocol where the tag is first authenticated followed by the server authentication. For most part, the protocol is essentially similar to the one proposed in [5]. However for data transfer, a session key is introduced which the tag uses to transfer data to the server. Session Key: According to the requirement of the application of RFID in hospitals, the RFID tag once initiated is continuously tracked for a long period of time under the same environment. This makes the initial authentication of the server and the tag essential, but once they have been authenticated, it is an overkill to perform this authentication each time the RFID tag is queried by the Receiver. For this purpose we introduce the mechanism of session-keys that are given to the tags by the receiver once they have been authenticated. The expectation is to develop an algorithm that assigns minimum amount of work to the tags that have constrained resources. For this reason after the tag has obtained the session-key, the server authentication is no more required and the only authentication that is performed is the tag authentication. As seen in III-2 The tag authentication is essential each time a message is transmitted from the tag to eliminate the chance of replay attack. This method not only reduces the amount of computation on the tag but also isolates the session key from the authentication key to increase the security of the session key. The authentication key is only used when the initial authentication takes place whereas the session key is used continuously when the tag communicates its status with the receiver (which is approximately 10 times a minute).[8] The session key is reset every fifteen minutes and the whole authentication process is repeated so that the malicious observer who might be collecting the encrypted data using the session key is not able to break the key. Legend: r t : Random number generated by the tag r s : Random number generated by the server X T : Input to SIMON [Tag Side] K i : Authentication key K s : Session Key CT T,CT T : Encrypted text from tag X s,x s : Input to SIMON [Server Side] rs 1,rs 2 : Random numbers generated by the Server 1) System initialization: The server generates tag IDs and distributes them. The server also has all the information about the tags associated to it. The server only stores the current key and the most recently used previous key in the database.

4) Updating The Key: The server maintains two keys as mentioned earlier. The current key is pushed as the old key. The new key is generated by concatenating the previous cipher texts on both server and tag. For all authorized communications, the cipher text on both ends are the same hence should result in same key on both ends. This eliminates the necessity to communicate the key separately and risk a key leakage. Note: The initial key used by both server and tag is the one that is communicated by the server. This is the key input for the first round of SIMON. Since SIMON is a symmetric block cipher and the initial key is the same, the key generated after key expansion on each end after every round of encryption is essentially the same. So, for the corresponding round number, the key used at server and tag are the same. This is why this protocol works without having to communicate keys except for the initial stage. Figure 1. Proposed Protocol 2) Tag authentication: a) Reader: Sends a random number r t to the tag as a challenge b) Tag: Generates a random number r t and uses a function of r s and r t as the input to SIMON algorithm. The key used is the current key that is sent by the server to all tags uniquely identifying them. The tag then sends r t and the encrypted text to the server through the reader. c) Server: Uses r t and r s and the same function used by the tag and encrypts it using the key for that tag which should result in the same encrypted text as the one produced by the corresponding tag, in which case the tag is authenticated else the connection is discarded. 3) Server Authentication: a) Server: Server generates two random keys, r s1 and r s2 and uses a function of r s1 and r s2 as an input to SIMON along with the current key from the previous SIMON encryption round. It sends out r s1, r s2 and the encrypted data to the tag via reader. b) Tag: The tag uses the same function as the server and obtains an encrypted text using SIMON similar to the server. If this text matches with the encrypted data sent by the server then the server is considered to be legitimate else the communication is stopped. 5) Session Key: Server generates a key similar to the random generator. This key is SIMON encrypted using the current authentication key and sent to the tag. The tag decrypts it to obtain the session key since it has the current authentication key. The server also sends the tag a random number r s as a challenge for data transfer. The tag generates another random number r t and encrypts a function of rs and rt using the session key and sends out r t and the encrypted text to the server. The data is separately encrypted using the session key and this is sent to the server. The server first authenticates the tag using the first encrypted text received and then proceeds to decrypt the second encrypted text received to decipher the data. Power Aware System: RFID systems using passive tags operate by harvesting on the power absorbed by the RFID receiver, and hence need to be extremely power efficient. There may be times, especially when the tag is further away from the RFID receiver that it may not be able to absorb enough power from the Radio Frequency(RF) signal emitted from the receiver. Under such circumstances, if we run our system on a secure algorithm with a larger Key size and block size, it would fail to work. To make our proposed system immune to such adverse situation, we can add the mechanism of Power aware Security Module[2] to our system. The Power Aware security module induces the ability to dynamically change the level of encryption used by the system depending on the power available to be used for encryption purpose. The inference from our other paper[9] we can observe that the number of cycles taken by the controller to implement Simon is mainly due to the number of shifts performed. These shifts are dependent on the Block size used, greater the block size, more are the number of cycles are required to implement the algorithm. The power consumed by the controller is directly proportional to the number of operating cycles, so we deduce that if we reduce the number of cycles by reducing the block size of the encryption algorithm, we can run the system at a lower power. Using this understanding

we propose to monitor the power absorbed by the tag P i and determine the block size of Simon to be used. Using a lower block size at times when the power absorbed by the tag is low would avoid the instances of the tags running out of power and losing their memory contents trying to run a power extensive algorithm. The power absorbed by the tag can be sensed by the MSP430 controller and can switch between the block sizes being used. Changing the block size would also require a change in the size of the random number generated by the tag and the server for authentication process. The change in block size would need to be communicated with the server so that the server is synchronized with the tag, this communication can be established without making major changes to the proposed protocol in III. The server can detect the change in the block size being used by checking the size of the random number generated r T by the tag. If the server gets the random number r T to be 32 bits, it will correspond to a block size of 32 bits on the Tag and if it gets r T equal to 64 bits, it will correspond to a block size of 64 bits on the Tag. IV. HARDWARE SPECIFICATIONS The protocol proposed is to be run on a system comprising of Alien 9900 UHF RFID reader that is connected to a server through a Windows 7 i5 processor computer. The tags used for the system are attached to the various medical instruments available at the trauma bay of the hospital. Each tag is composed of a MSP430 microcontroller that is serially connected to a RFID transponder chip through an I2C connection. The MSP430 controller is capable of altering the Flash/EEPROM memory of the RFID chip, the RFID chip is the nxp S13SS4011, it has a memory and this memory reflects the information to the receiver of the RFID system by backscattering the RF waves adding what is in its memory when the RFID Reader sends a query to the chips. MSP430 is attached to a sensor that picks up the vital information from the patient s body and communicates it with the server through RFID. Presently the MSP430 controller is powered through a battery and the battery-less version is being developed at Rutgers University. The battery-less tag would be solely powered by RF energy harvesting, which is prone to frequent power loss. A micro-controller such as a MSP430 is widely used in constrained environment to perform various tasks like wirelessly connecting sensors or working as an RFID Transceiver. The MSP430 is a Texas Instrument microcontroller running with an internal 16MHz clock. This micro-controller is programmable via a JTAG connection. It integrates a 16 KBytes flash memory, a 512 bits RAM memory, 20 configurable Inputs/Outputs, a watchdog, 2 serial communication ports and 2 configurable timers.[10] To inspect the performance of Simon in a constrained environment, we have implemented Simon on MSP430G2553 micro controller. All the codes were written in C and Code composer studio s compiler was used to flash the programs into the micro-controller. The measurement for the time and space consumed by the algorithm was done by the simulator provided by the decoder of the code composer studio and was checked by using the internal counter of the MSP430 controller to time the execution of the program. The Timer-A of the controller was used to count the number of cycles that were executed.[11][12] As the controller was running at 16 MHz., the time taken by the algorithm was calculated by dividing the number of clock cycles by 16,000,000[13]. A. Security Goals V. PERFORMANCE EVALUATION a) Tag Information Privacy: The tag information stored on the server is secure because the RFID reader is connected to the server through a secure wired channel. Hence, only a legitimate server and reader can reach a tag after authentication. b) Tag Location Privacy: Except for the initial key distribution, there are no further key exchange. The security is purely based on the secrecy of the key. Since the server and the tag both compute keys on their own, without the key it is very difficult to break the system. Even if an adversary is observing the communication channel, it is highly unlikely that he can link the corresponding cipher text to a tag because of the usage of mere random numbers. c) Tag Impersonation Attack: Again, without the key it is difficult to generate the correct cipher text to communicate with the server. The attacker can choose to randomly generate a cipher text and send it to server but the probability of getting it right is very low. Also, the short communication time between the server and tag makes such an attack unlikely. d) Replay Attack: The random messages generated by server and tags are valid only for that session. Hence, the messages from previous sessions aren t valid. e) Denial of Service Attack: If an adversary blocks the second message flow from a tag, then the reader will generate a new random number and query the tag again. In this case the DOS attack does not affect the security of the system. If an attacker intercepts the third message flow from the reader, the server and the tag will become desynchronized. The reason is that the server will update the shared secret after authenticating the tag successfully but the tag will not. However, in our scheme the back-end server maintains both old and new key for each tag. Consequently, the server will detect the desynchronisation between the reader and the tag in the next communication session and the server will thus use the stored old key to restore the synchronization with the tag. B. Computational Goals Introduced in 2013, SIMON is by far the most suitable encryption algorithm for hardware implementation. It was designed to be a lightweight encryption algorithm that outperforms all existing ones as of now. Its performance lies in the fact that it does not employ hardware unfriendly S- Boxes[4] unlike AES, Hummingbird and other block ciphers designed as lightweight. While AES requires 2400 gates to realize minimum of implementations, SIMON can realize

an implementation with less than 1500 gates(1000 gates for 64/128 blocksize/keysize [4]). Figure 2. Performance of AES and SIMON on Hardware VI. CONCLUSION AND FUTURE WORK The protocol proposed along with SIMON encryption provides a robust mutual authentication between a RFID server and associated tags and allow for secure data communication between the two. The proposed design meets the security requirement of the RFID systems used in hospitals protecting it against the possible attacks. The design specifically meets the hardware and power requirement of the passive RFID system. Altering the Clock Rate and Saving Power: There might be a possibility to make the Power aware system more efficient by dynamically altering the the clock rate of the controller. MSP 430 can be made to operate at different frequencies and at lower frequencies, the power consumption by the controller is very low. If the rate of operating the algorithm is lowered down in case the controller/tag harvests a lower amount of power, the algorithm can be run at a lower power consumption. The effect of replacing the Authentication protocol by a signature and timestamp process while using the session key after the initial authentication would be something to be observed. Figure 3. Table of performance of AES and SIMON on Hardware It was observed that most of the time was consumed in the shifting of the keys in the Key expansion function. This is because the shifting of the key takes the most execution cycles. The power consumption of the controller is directly proportional to the time number of cycles are executed to implement an algorithm. So we can say that the key shifting which depends on the block size is the most power exhaustive process in the whole algorithm. It was also observed that it takes equal amount of time and CPU cycles for the MSP430 controller to encrypt and decrypt the text. Because the hardware has a single CPU, there was no scope of parallel processing and hence it took greater time than when it was run on a multi-processor computer. AES is the default encryption use for MSP430 and requires 80 bytes as compared to 40 bytes required by Simon [14]. The best feature of Simon is that it uses a very small portion of space in the controller s memory, which can be seen in the chart below. AES was implemented with key size of 128 only. Further experimentation with key sizes couldn t be done because of the very long execution time on the controller. However, the key size of 128 gives us a representation of AES on hardware and clearly SIMON performs better as is supposed to be. VII. REFERENCE [1]MUTUAL AUTHENTICATION PROTOCOL.Xinxin Fan and Guang Gong, Daniel W. Engels and Eric M. Smith, A Lightweight Privacy-Preserving Mutual Authentication Protocol for RFID Systems, 2011 [2]POWER AWARE ENCRYPTION. Meng-Lin Hsia and Oscal T.-C. Chen, Passive RFID Transponder with Power- Aware Encryption [3]AES. Andrea Ricci, Matteo Grisanti, Ilaria De Munari and Paolo Ciampolini,Design of an Ultra Low-Power RFID Baseband Processor Featuring an AES Cryptography Engine [4]SIMON AND SPECK. Ray Beaulieu, Douglas Shors, Jason Smith, Stefan Treatman-Clark, Bryan Weeks, Louis Wingers,The SIMON and SPECK families of lightweight of block ciphers,national Security Agency,19 June 2013 [5]HUMMINGBIRD ALGORITHM.Xinxin Fan and Guang Gong, Daniel W. Engels and Eric M. Smith, A Lightweight Privacy-Preserving Mutual Authentication Protocol for RFID Systems, 2011 [6]HUMMINGBIRD ALGORITHM. Daniel Engels, Markku-Juhani O. Saarinen, Peter Schweitzer, and Eric M. Smith,The Hummingbird-2 Lightweight Authenticated Encryption Algorithm [7]LOW COMPLEXITY ENCRYPTION.Meng-Lin Hsia and Oscal T.-C. Chen, Low-Complexity Encryption Using Redundant Bits and Adaptive Frequency Rates in RFID [8]RFID READER. http://www. alientechnology.com/wp-content/uploads/ Alien-Technology-ALR-9900-Enterprise-RFID-Reader.pdf [9]ALGORITHM COMPARISONS. HTTP://vidurnayyar. com/?page id=82 [10]MSP430 CONTROLLER. HTTP://www.ti.com/tool/

MSP-EXP430G2 [11]MSP430G2 CLOCK AND TIMERS. HTTP://e2e.ti. com/support/microcontrollers/msp430/f/166/t/243369.aspx [12]MSP430G2 TIMERS. http://www.ccs.neu.edu/home/ noubir/courses/csu610/s07/msp430-clock-timers.pdf [13]CODE COMPOSER STUDIO CPU CYCLE CALCULATION. HTTP://http://processors.wiki.ti.com/ index.php/profile clock in CCS [14]AES ON MSP430. HTTP://www.ti.com/lit/an/slaa397a/ slaa397a.pdf [15]Securing Passive RFID Tags.Martin Feldhofer, Institute for Applied Information Processing and Communications, 8010 Graz, Austria,Securing Passive RFID Tags Using Strong Cryptographic Algorithms [16]SECURITY PROTOCOLS FOR RFID. Dijiang Huang, Harsh Kapoor, Arizona State University, Towards lightweight secure communication protocols for passive RFIDs [17]CRYPTOGRAPHIC PROTOCOLS. http: //crypto.stackexchange.com [18] Introduction to Cryptography with Coding. Trappe, Washington, Introduction to Cryptography with Coding Theory c 2002 Pearson [19]Algorithmic Metrics. Norman D. Jorstad,Cryptographic Algorithmic Metrics [20]Survey and Benchmark of Lightweight Block Ciphers for Wireless Sensor NetworksMickael Cazorla, Kevin Marquet and Marine Minier,Survey and Benchmark of Lightweight Block Ciphers for Wireless Sensor Networks [21]MSP430.http://www.ti.com/tool/MSP-EXP430G2 [22]MSP430 timers. http://www.ti.com/lit/an/slaa397a/ slaa397a.pdf [23]Analytical Comparison of Cryptographic Techniques.M. Razvi Doomun and KMS Soyjaudah,Analytical Comparison of Cryptographic Techniques for Resource- Constrained Wireless Security [24]Performance of the SIMON and SPECK families of lightweight of block ciphers.ray Beaulieu, Douglas Shors, Jason Smith, Stefan Treatman-Clark, Bryan Weeks, Louis Wingers,Performance of the SIMON and SPECK families of lightweight of block ciphers,national Security Agency,29 May 2012