In many communication systems, such as RFID systems, it is important to be able to authenticate different parties of the communication system. For instance, RFID systems that are used for many applications consist of one or more RFID readers, also known as interrogators or base stations, and one or more RFID tags, also known as labels or transponders. Some applications (e.g. tolling) benefit from having functionality to determine if tags and their data content are genuine or counterfeit. A common approach for this functionality is to utilize cryptographic methods to perform tag authentication (TA) and/or mutual authentication (MA). TA ensures that the tag is genuine while MA ensures the reader is genuine and authorized to alter the data content of a tag.
Cryptographic methods rely upon the communicating parties to have common knowledge of a shared secret or the ability to compute a shared secret. There are two primary schemes used. One is based on symmetric cryptography while the other is based on asymmetric cryptography, often referred to as public key cryptography (PKC).
Typical symmetric cryptography includes block ciphers, such as data encryption standard (DES) and advanced encryption standard (AES), and stream ciphers, such as Grain. Symmetric cryptography requires both the communicating parties to share the same secret key. It means that the secret must be previously shared or agreed between the communicating parties. This is usually not a strong constraint in closed systems where both communicating parties are managed by the same system operator. In open systems, key management is more critical and may indeed represent a prohibitive constraint. Symmetric algorithms are extremely fast compared with asymmetric algorithms, and the hardware implementation may be efficient and economical in resource usage.
Typical asymmetric cryptography includes RSA, Diffie-Hellman (DH), elliptic curve cryptosystems (ECC), and Algebraic Eraser™. Asymmetric algorithms use pairs of keys. Each communicating entity, e.g. a reader and a tag, has its own key pair comprising a public key and a private key. The private keys are not shared. Asymmetric algorithms are usually slow compared with symmetric algorithms, and the hardware implementations are significantly more resource-intensive.
Some applications are a combination of an open system for interoperability and a closed system to ensure integrity of the communicating party data content. For example, toll applications often use RFID and benefit when a tag originating from one agency or region (Agency A) can be used in a different agency or region (Agency B). However, the originating agency may want the exclusive ability to alter the tag's data content. Additionally, the application may have requirements for very fast transaction times (e.g. <20 ms), which further restrict possible solutions.
Assume a tag from Agency A is read by a reader from A. This is a closed system and symmetric cryptography is a natural choice for performing TA and practically the only choice for MA.
Assume a tag from Agency A is read by a reader from Agency B. TA is only possible if Agency A is willing to share the tag's key with Agency B. For symmetric cryptography, Agency A must provide the tag's secret key to Agency B. Key exchange between agencies can be difficult and represents a finite risk of compromising all the tag secret keys. This risk is often great enough to affect communication adversely between the parties. For asymmetric cryptography, Agency A must provide the tag's public key to Agency B. Key exchange between agencies is simple and represents no risk of compromising tag private keys. This helps promote communication, so asymmetric cryptography is a good choice for TA.
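The symmetric case described above can be made concrete with a challenge-response sketch. This is an added example, not part of the original text: HMAC-SHA256 stands in for whatever symmetric primitive a real tag would use, and the names `Tag`, `Reader`, `mac` and `run_demo`, the tag ID and the key are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

def mac(key: bytes, tag_id: str, challenge: bytes) -> bytes:
    # HMAC-SHA256 stands in for the tag's symmetric primitive (assumption).
    return hmac.new(key, tag_id.encode() + challenge, hashlib.sha256).digest()

class Tag:
    """Constructed tag model: an ID plus a secret key held on the tag."""
    def __init__(self, tag_id, key):
        self.tag_id, self._key = tag_id, key
    def respond(self, challenge):
        return mac(self._key, self.tag_id, challenge)

class Reader:
    """Reader with the per-tag keys its agency has been given."""
    def __init__(self, key_store):
        self.key_store = dict(key_store)
    def authenticate(self, tag):
        challenge = secrets.token_bytes(16)   # fresh per transaction, so replays fail
        response = tag.respond(challenge)
        key = self.key_store.get(tag.tag_id)
        if key is None:
            return "no-key"                   # cannot decide genuine vs counterfeit
        expected = mac(key, tag.tag_id, challenge)
        return "genuine" if hmac.compare_digest(expected, response) else "counterfeit"

def run_demo():
    key_a = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample key
    genuine = Tag("A-0001", key_a)
    counterfeit = Tag("A-0001", bytes(16))    # right ID, wrong key
    reader_a = Reader({"A-0001": key_a})
    reader_b = Reader({})
    results = {
        "A reads genuine": reader_a.authenticate(genuine),
        "A reads counterfeit": reader_a.authenticate(counterfeit),
        "B before key sharing": reader_b.authenticate(genuine),
    }
    reader_b.key_store["A-0001"] = key_a      # Agency A shares the secret key
    results["B after key sharing"] = reader_b.authenticate(genuine)
    # Holding the key is enough to compute valid responses: B's key store can
    # now answer Agency A's challenges exactly as the tag would.
    from_b_store = Tag("A-0001", reader_b.key_store["A-0001"])
    results["A reads responder built from B's store"] = reader_a.authenticate(from_b_store)
    return results

if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case}: {verdict}")
```

The last case is the key-exchange risk in miniature: once the secret key sits in a second agency's store, Agency A's readers cannot distinguish the tag from anything else that holds that key. With asymmetric cryptography only the public key would be shared, and it cannot be used to compute the tag's responses.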
Often a first communication device must be able to authenticate a second communication device of unknown origin and thus to read data from that device. For instance, consider a situation in which a reader from Agency A must read a tag of unknown origin, possibly from Agency A or possibly from Agency B. The reader must complete the transaction very quickly, so no additional time is available to determine the origin of the tag and thus whether TA should be done using symmetric or asymmetric cryptography. The problem is thus related to the speed of the transaction. One of the bottlenecks is the time taken to select the appropriate authentication protocol. Additionally, if the tag is from Agency A, the reader from Agency A may want to update the data content of the tag using MA. Here again, this transaction should be done as quickly as possible.