A conventional RFID tag typically comprises an integrated circuit transceiver capable of transmitting a unique serial number or other identifying information to a nearby reader in response to a query from the reader. Many RFID tags are “passive” in that they do not include a battery or other power source, but instead obtain the power necessary to operate from the query signal itself.
Ongoing RFID tag development efforts have led to significant cost and size reductions, which should result in a rapid proliferation of RFID tags into many new areas of use. For example, RFID tags are expected to replace printed barcodes in consumer product applications. The Electronic Product Code (EPC) tag is a form of RFID device that is emerging as a successor to the printed barcode. EPC tags are an evolving standard under development by an organization called EPCglobal, a joint venture between the UCC and EAN, the organizations that oversee barcode standards in the U.S. and Europe, respectively. An EPC is the form of identifier that an individual EPC tag emits as prescribed by the EPCglobal standard. An EPC includes not just the information contained in a conventional printed barcode, namely the manufacturer and type of a particular product, but also a unique serial number. Additional details can be found in the current version of the EPCglobal standard document, “EPC™ Radio-Frequency Identity Protocols Class-1 Generation-2 UHF RFID Protocol for Communications at 860 MHz-960 MHz,” Version 1.0.9, 2006, and in the corresponding conformance specification, “Class-1 Generation-2 UHF RFID Conformance Requirements,” Version 1.0.2, 2006, both of which are incorporated by reference herein.
The unique serial number of an EPC tag associated with an object can serve as a pointer to a database entry containing a detailed history of the object. Thanks to the features of automated scanning and unique identification, RFID systems promise fine-grained tracking of inventory on an unprecedented scale.
Certain commercial segments, like the pharmaceutical industry, are coming to view EPC tags as an anti-counterfeiting tool. EPC tags are a potent mechanism for object identification, and can facilitate the compilation of detailed object histories and pedigrees. They are poor authenticators, though, as they possess no explicit authentication functionality. The EPCglobal standards prescribe no mechanism for EPC readers to authenticate the validity of the tags they scan. An EPC tag emits its EPC promiscuously, i.e., to any querying reader. Readers accept the validity of the EPCs they scan at face value. Thus, EPC tags are vulnerable to counterfeiting or other types of cloning attacks.
An attacker can learn an EPC tag's essential data, its EPC, simply by scanning it or by gaining access to an appropriate tag database. The term “skimming” is used herein to denote the process of scanning an EPC tag to obtain its EPC for the purpose of cloning the tag. Furthermore, if the unique identifiers in a manufacturer's EPCs are not random, e.g., if they are sequential, then an attacker that sees an EPC on one item can guess or fabricate another valid EPC. In brief, “identity theft” of EPC tags is a straightforward matter because EPCs are data objects that are easily separable from EPC tags.
Although EPC tags carry no explicit mechanisms for authentication, they do possess some data-security features. The description herein will make reference to basic and enhanced EPC tags. A basic EPC tag is one that carries only the mandatory features of the EPCglobal standard, while an enhanced EPC tag additionally includes an access-control function that is optional in the EPCglobal standard. Basic EPC tags have only one significant security feature, namely a privacy-enhancing kill command. When an EPC tag receives this command, it “self-destructs,” which is to say that it renders itself completely and permanently inoperable. To protect against accidental or malicious killing of tags, the kill command only takes effect when accompanied by a valid password, referred to as a personal identification number (PIN). In the EPCglobal standard, the kill PIN is 32 bits in length.
With regard to enhanced EPC tags, such tags respond to a command called access, whose implementation is optional in the EPCglobal standard. When accompanied by a valid 32-bit access PIN, the access command causes a tag to transition into what is called a “secured” state. Tags may be configured such that certain commands only function when a tag is “secured.” In particular, read access to the memory banks for the access and kill PINs may be made dependent on an EPC tag being “secured.” The standard supports no PINs other than the access and kill PINs.
In consequence, although the EPC of a tag may be readily skimmed, a properly configured EPC tag does not promiscuously emit its PINs. Thus the PINs are resistant to skimming.
Some commercially available RFID tags can perform cryptographic challenge-response protocols. Such tags offer resistance to cloning attacks involving skimming. They typically cost significantly more than EPC tags, though, and may therefore be practical only for certain niche applications such as defense logistics.
The above-cited U.S. patent application Ser. No. 10/782,309 discloses an authentication approach referred to as “minimalist” cryptography, including a security model for RFID environments that permits a form of dynamic challenge-response protocol without the use of complex cryptographic operations. However, even this minimalist approach may require greater tag resources than are available in the current generation of EPC tags.
A number of new, lightweight cryptographic primitives have been proposed for RFID authentication. See, for example, A. Juels, “‘Yoking-proofs’ for RFID tags,” PerCom Workshops 2004, pp. 138-143, IEEE Computer Society, 2004; A. Juels and S. Weis, “Authenticating Pervasive Devices with Human Protocols,” In Advances in Cryptology-CRYPTO 2005, pp. 293-308, Springer-Verlag, 2005, Lecture Notes in Computer Science, Volume 3621; and I. Vajda and L. Buttyan, “Lightweight Authentication Protocols for Low-Cost RFID Tags,” In Workshop on Security in Ubiquitous Computing-Ubicomp 2003, 2003.
Other recent work has led to more compact implementations of symmetric-key primitives like advanced encryption standard (AES) for RFID tags. See, for example, M. Feldhofer et al., “Strong Authentication for RFID Systems Using the AES Algorithm,” In M. Joye and J.-J. Quisquater, editors, Workshop on Cryptographic Hardware and Embedded Systems—CHES '04, Volume 3156 of Lecture Notes in Computer Science, pp. 357-370, Springer-Verlag, 2004. However, these implementations are still well beyond the reach of Class-1 Gen-2 EPC tags today, and unsupported in the EPCglobal standard.
The Auto-ID Lab, the research arm of EPCglobal, operates a special interest group devoted to use of RFID to combat counterfeiting. Researchers there have proposed uses of EPC to combat counterfeiting of consumer items. See T. Staake et al., “Extending the EPC Network—the Potential of RFID in Anti-Counterfeiting,” In ACM Symposium on Applied Computing, pp. 1607-1612, ACM Press, 2005. They suggest that track-and-trace technologies, i.e., supply-chain monitoring based on current EPC tags, can yield good improvements over existing security. They also discuss the benefits of challenge-response protocols for tag authentication, and review extensions to existing EPC architecture for this purpose. They do not investigate incorporation of cryptography into Class-1 Gen-2 EPC tags. Instead, they propose support in future, higher-class EPC standards.
The above-cited U.S. patent application Ser. No. 11/191,633 discloses techniques for authenticating EPC tags and other types of RFID devices, so as to prevent counterfeiting or other cloning attacks without requiring cryptographic operations. In one aspect, an identifier transmitted by a given one of the RFID devices is received by a reader, or by a separate verifier via the reader. At least first and second codes are determined by the reader or verifier, with the first code being a valid code for the identifier, and the second code being an invalid code for the identifier. These codes are communicated to the given RFID device by the reader, or by the verifier via the reader. Return communications are processed by the reader or verifier to determine if the RFID device is able to confirm that the first code is a valid code and the second code is an invalid code. If the RFID device can so confirm, it has been authenticated. In an illustrative embodiment, the given RFID device is an EPC tag, with the first code being a valid kill code of the EPC tag, and the second code being a spurious or invalid kill code of the EPC tag. Such an embodiment leverages the PIN controls of Class-1 Gen-2 EPC tags to achieve authentication in a manner compliant with the standard.
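The valid-code/invalid-code kill-PIN check described above, as an added Python simulation that is not part of this application or of the EPCglobal standard; the tag's abstract accept/reject answer, the use of several spurious codes rather than one, and their random ordering are assumptions of this example:

```python
import random
import secrets

KILL_PIN_BITS = 32     # Class-1 Gen-2 kill PINs are 32 bits (from the text)
SPURIOUS_CODES = 7     # assumed: several invalid codes per challenge, not just one

class EpcTag:
    """Simulated genuine EPC tag: the EPC is emitted to any reader, the kill
    PIN never is.  check_kill_code() abstracts the tag's PIN handling as an
    accept/reject answer; it does not model the tag being killed (assumption)."""
    def __init__(self, epc: str, kill_pin):
        self.epc = epc
        self._kill_pin = kill_pin

    def query(self) -> str:
        return self.epc                  # skimmable by any querying reader

    def check_kill_code(self, code: int) -> bool:
        return code == self._kill_pin    # confirms validity, reveals nothing else

class ClonedTag(EpcTag):
    """Clone built from a skimmed EPC only: it holds no PIN, so short of
    guessing it can only accept every code it is offered."""
    def __init__(self, epc: str):
        super().__init__(epc, kill_pin=None)

    def check_kill_code(self, code: int) -> bool:
        return True

def spurious_code(valid: int) -> int:
    """Random 32-bit code guaranteed not to equal the valid kill PIN."""
    while True:
        code = secrets.randbits(KILL_PIN_BITS)
        if code != valid:
            return code

def authenticate(tag: EpcTag, pin_db: dict) -> bool:
    """Verifier side: look up the valid kill code for the scanned EPC, mix it
    with spurious codes in random order (assumed, so a clone cannot answer by
    position), and accept only if the tag confirms exactly the valid one."""
    valid = pin_db.get(tag.query())
    if valid is None:
        return False                     # unknown EPC: nothing to verify against
    challenge = [valid] + [spurious_code(valid) for _ in range(SPURIOUS_CODES)]
    random.shuffle(challenge)
    answers = [tag.check_kill_code(c) for c in challenge]
    return answers == [c == valid for c in challenge]
```

Because the valid kill code crosses the air interface in the clear, a party eavesdropping on one exchange learns it, which is the weakness the following paragraph alludes to.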
Despite the considerable advances disclosed in U.S. patent application Ser. No. 11/191,633 and the other patent applications cited above, a need remains for further improvements in providing authentication and other security features in standards-compliant RFID systems, such as systems which include Class-1 Gen-2 EPC tags. For example, it would be desirable if improved authentication protocols with enhanced resistance to eavesdropping and other attacks could be provided in a manner suitable for use with Class-1 Gen-2 EPC tags or other simple RFID devices.