The present invention relates to radio frequency identification (RFID) devices such as RFID tags, processes therefor, and processing thereof. The present invention also relates to apparatus and protocols for implementing such processes and processing. The present invention relates in particular, but not exclusively, to RFID tags attached to or otherwise associated with items in a supply chain.
RFID tags are well known. RFID tags are circuits in the form of label-like items that can be read (and sometimes also written on) by reader (and writer) units communicating with the tags at RF frequencies. Further details of RFID tag technology can be found in, for example, Landt, Jerry (2001), “Shrouds of Time: The history of RFID”, AIM, Inc.
It is known to attach RFID tags, written with batch or unique codes, to items, and to monitor received items.
An example of a proposed standardised approach using RFID technology is known as EPCglobal, further details of which can be found at, for example, www.epcglobalinc.org or from GS1 US, Princeton Pike Corporate Center, 1009 Lenox Drive, Suite 202, Lawrenceville, New Jersey 08648. EPCglobal is incorporated herein by reference.
EPCglobal has proposed an architecture where each tag is given a 96-bit unique code and where each entity in the supply chain can publish information about the product through a so-called EPC information service. An EPC information service is a database that provides a standardized query interface. EPCglobal allows for an EPCglobal tag to respond to a so-called “kill” command. When a secure tag receives a kill command from the RFID reader, the tag becomes inoperative. The kill command can be password protected.
An arrangement that allows for delegation of the ability to identify a tag is disclosed in the article “A Scalable, Delegatable Pseudonym Protocol—Enabling Ownership Transfer of RFID Tags”, David Molnar, Andrea Soppera and David Wagner, Selected Areas in Cryptography, pages 276-290, Aug. 11-12, 2005, Queen's University, Kingston, Ontario, Canada. The described delegation-enabled scheme associates a tag to an ownership-domain by delegating a time-limited ability for identification.
A starting point for the arrangement described in the preceding paragraph is a tree-based scheme to identify tags based on encryption with shared secrets, which was described in the article “Privacy and Security in Library RFID—Issues, Practices, and Architectures”, David Molnar and David Wagner, Proceedings of the 11th ACM Conference on Computer and Communications Security, Oct. 25-29, 2004, Washington D.C., USA.
The book Finkenzeller: “RFID-Handbuch”, 1998 contains a chapter on “Data Security” (see Kapitel 8: “Datensicherheit”) and a part of a chapter on “Transponders with a Memory Function” (see Kapitel 10.1: “Transponder mit Speicherfunktion”). This book includes discussions of the use of different keys to access different memory segments, and of the use of different keys, one allowing read access and another that grants both read and write access.
An article by Fouladgar and Afifi entitled “A Simple Privacy Protecting Scheme Enabling Delegation and Ownership Transfer for RFID Tags” discusses various privacy issues relating to the potential tracking of an RFID tag bearer and the possibility of an illegitimate reading device collecting information about him, and introduces a privacy protecting scheme based on pseudonyms that is intended to allow an online database to delegate temporarily and in a secure manner the capability to identify tags to selected readers, and to allow a reader which receives delegation for a given tag to identify this tag without referring to the on-line database. A protocol proposed therein also aims to allow transfer of tag ownership without threatening the new owner's privacy.
Referring now to prior patent documents, WO 2006/075146 relates to RFID tag security systems, and discusses how security and privacy of tag information in an RFID-based system can be achieved through the usage of pseudonyms generated based on one-way hash functions. A system based on binary one-way trees allows for the scalable generation and decoding of authentication keys to obtain access to tag identities.
The present inventors have realised that, despite the advantages offered by the arrangement described in the above mentioned article by Molnar, Soppera and Wagner, two drawbacks are that the tag has to incorporate a counter, which effectively means maintaining a state and allowing for denial-of-service attacks, and that, due to a relative lack of precision, a new owner needs to be able to manipulate the counter if the old owner still owns valid secrets. The present inventors have realised it would be desirable to provide a new RFID tag ownership scheme and RFID tag form to alleviate these disadvantages and to provide further benefits arising from such a scheme and tag. The present inventors have also realised it would be desirable to provide new RFID reader properties and authorisation processes and systems particularly suited to such a scheme and that allow further advantages to be derived.
In a first aspect the present invention provides an RFID device, comprising: a current read key for enabling the RFID device to be read by an RFID reader system holding the current read key; a current ownership key; means for receiving, from the RFID reader system, a change read key command and an indication that the RFID reader system holds the current ownership key; and means for replacing, responsive to receiving the change read key command and the indication that the RFID reader system holds the current ownership key, the current read key with a new current read key enabling the RFID device to be read by an RFID reader system holding the new current read key.
The RFID device may further comprise: means for generating random numbers; means for encrypting the random numbers with the relevant ownership and/or read key; means for sending the encrypted random numbers to the RFID reader system; means for receiving the random numbers in responses from the RFID reader system; and means for checking the received random numbers to authenticate that the RFID reader system holds the relevant ownership key and/or read key.
The RFID device may further comprise means for receiving a take ownership command from the RFID reader system.
The RFID device may further comprise: means for generating, responsive to receiving a take ownership command, a new ownership key; and means for sending the new ownership key to the RFID reader system.
The RFID device may further comprise: means for receiving acknowledgement of the RFID reader system receiving the new ownership key; and means for deleting, responsive to receiving the acknowledgement of the RFID reader system receiving the new ownership key, the current ownership key and treating the new ownership key as a new current ownership key.
The RFID device may further comprise one or more identification keys for use by an authorisation apparatus for identifying the RFID device.
The RFID device may further comprise a current authorisation key; means for receiving, from the RFID reader system, a take ownership command and an indication that the RFID reader system is authorised by an authorisation apparatus which holds the current authorisation key; and means for replacing, responsive to receiving the take ownership command and the indication that the RFID reader system is authorised by an authorisation apparatus which holds the current authorisation key, the current ownership key with a new current ownership key enabling the current read key of the RFID device to be replaced with a new current read key by an RFID reader system holding the new current ownership key. Where appropriate, the new ownership key may be encrypted using the current authorisation key.
In a further aspect, the present invention provides a method for an RFID device, the method comprising: storing a current read key for enabling the RFID device to be read by an RFID reader system holding the current read key; storing a current ownership key; receiving, from the RFID reader system, a change read key command and an indication that the RFID reader system holds the current ownership key; and in response to receiving the change read key command and the indication that the RFID reader system holds the current ownership key, replacing the current read key with a new current read key enabling the RFID device to be read by an RFID reader system holding the new current read key.
The method may further comprise: generating random numbers; encrypting the random numbers with the relevant ownership and/or read key; sending the encrypted random numbers to the RFID reader system; receiving the random numbers in responses from the RFID reader system; and checking the received random numbers to authenticate that the RFID reader system holds the relevant ownership key and/or read key.
The method may further comprise receiving a take ownership command from the RFID reader system.
The method may further comprise: generating a new ownership key in response to receiving a take ownership command; and sending the new ownership key to the RFID reader system.
The method may further comprise: receiving acknowledgement of the RFID reader system receiving the new ownership key; and in response to receiving the acknowledgement of the RFID reader system receiving the new ownership key, deleting the current ownership key and treating the new ownership key as a new current ownership key.
The method may further comprise sending the identity of the RFID device encrypted by one or more identification keys to the RFID reader system for use by an authorisation apparatus for identifying the RFID device.
The method may further comprise the RFID device successfully responding to being read by an RFID reader system holding the new current read key.
The method may further comprise: storing a current authorisation key; receiving, from the RFID reader system, a take ownership command and an indication that the RFID reader system is authorised by an authorisation apparatus which holds the current authorisation key; and in response to receiving the take ownership command and the indication that the RFID reader system is authorised by an authorisation apparatus which holds the current authorisation key, replacing the current ownership key with a new current ownership key enabling the current read key of the RFID device to be replaced with a new current read key by an RFID reader system holding the new current ownership key. Where appropriate, the new ownership key may be encrypted using a current authorisation key.
In a further aspect the present invention provides the following method, and an RFID device adapted to perform the following method: storing a current read key and a current ownership key; and receiving a take ownership command from an RFID reader system. The method may further comprise: sending a new ownership key to the RFID reader system and replacing the current ownership key with the new ownership key. The method may further comprise: replacing, responsive to a change read key command and an indication that the RFID reader system holds the new current ownership key, the current read key with a new current read key enabling reading of the RFID device by an RFID reader system holding the new current read key. The method may further comprise: generating and encrypting random numbers for authenticating that the RFID reader system holds the relevant ownership key and/or read key. The method may further comprise: the RFID device successfully responding to being read by an RFID reader system holding the new current read key.
In a further aspect the present invention provides an RFID reader system comprising: means for issuing a take ownership command to an RFID device; means for receiving a new ownership key from the RFID device, the new ownership key having been transmitted in an encrypted form; means for applying for authorisation of the new ownership key from authorisation apparatus of an authorisation entity, the authorisation signifying that the RFID reader system is permitted to take ownership of the RFID device; and means for receiving from the authorisation apparatus the new ownership key and an acknowledgement that may be communicated to the tag as evidence of authorisation.
The RFID reader system may further comprise means for using the new ownership key to authenticate, with the RFID device, a process of instructing the RFID device to change its current read key to a new read key for use by the RFID reader system when reading the RFID device. In such an RFID reader system, the means for using the new ownership key to authenticate the process of instructing may comprise means for performing a challenge and response involving a random number encrypted and decrypted using the new ownership key.
In a further aspect the present invention provides a method for an RFID reader system to process an RFID device, comprising: issuing a take ownership command to an RFID device; receiving a new ownership key from the RFID device, the new ownership key having been transmitted in an encrypted form; applying for authorisation of the new ownership key from authorisation apparatus of an authorisation entity, the authorisation signifying that the RFID reader system is permitted to take ownership of the RFID device; and receiving from the authorisation apparatus the new ownership key and an acknowledgement that may be communicated to the tag as evidence of authorisation.
The method for an RFID reader system may further comprise using the new ownership key to authenticate, with the RFID device, a process of instructing the RFID device to change its current read key to a new read key for use by the RFID reader system when reading the RFID device. In such a method, using the new ownership key to authenticate the process of instructing may comprise performing a challenge and response involving a random number encrypted and decrypted using the new ownership key.
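The following simulation of the ownership transfer described in the RFID device aspects above and in the reader-system aspects of the preceding paragraphs is an added illustration and not part of the patent's own disclosure: the tag encrypts a fresh random number under the relevant key, the reader answers with the decrypted number, the new ownership key leaves the tag encrypted under the authorisation key, and the old ownership key is deleted only after the authorisation apparatus's acknowledgement. The symmetric cipher (a SHA-256 keystream XOR standing in for the tag's cipher), the acknowledgement format (an HMAC under the authorisation key), the 16-byte keys and the function names are assumptions made for this example.

```python
import hashlib, hmac, os

def enc(key, data):
    """Constructed stand-in for the tag's cipher: IV || (data XOR SHA-256(key || IV))."""
    iv = os.urandom(16)
    return iv + bytes(a ^ b for a, b in zip(data, hashlib.sha256(key + iv).digest()))
def dec(key, ct):
    return bytes(a ^ b for a, b in zip(ct[16:], hashlib.sha256(key + ct[:16]).digest()))

class Tag:  # holds a read key, an ownership key and an authorisation key; no counter, one pending challenge
    def __init__(self, ident, read_key, owner_key, auth_key):
        self.ident, self.read_key, self.owner_key, self.auth_key = ident, read_key, owner_key, auth_key
        self.pending = self.new_owner_key = None
    def challenge(self, which):  # fresh random number, sent encrypted under the named key
        self.pending = os.urandom(16)
        return enc(getattr(self, which), self.pending)
    def _check(self, answer):  # reader proves key possession by returning the decrypted number
        ok = self.pending is not None and hmac.compare_digest(answer, self.pending)
        self.pending = None
        return ok
    def read(self, answer):  # read-key challenge/response
        return self.ident if self._check(answer) else None
    def change_read_key(self, answer, new_key_ct):  # ownership-key challenge/response
        if not self._check(answer):
            return False
        self.read_key = dec(self.owner_key, new_key_ct)  # new read key assumed sent under ownership key
        return True
    def take_ownership(self):  # new ownership key leaves the tag encrypted under the authorisation key
        self.new_owner_key = os.urandom(16)
        return enc(self.auth_key, self.new_owner_key)
    def ack_ownership(self, ack):  # acknowledgement assumed to be an HMAC under the authorisation key
        if self.new_owner_key is None or not hmac.compare_digest(ack, hmac.new(self.auth_key, self.new_owner_key, "sha256").digest()):
            return False
        self.owner_key, self.new_owner_key = self.new_owner_key, None  # old ownership key deleted
        return True

def authorise(auth_key, new_key_ct):  # authorisation apparatus: recover new ownership key, issue acknowledgement
    new_key = dec(auth_key, new_key_ct)
    return new_key, hmac.new(auth_key, new_key, "sha256").digest()

def read_tag(tag, read_key):  # reader holding read_key attempts a read; None means the challenge failed
    return tag.read(dec(read_key, tag.challenge("read_key")))

def transfer_ownership(tag, auth_key, new_read_key):  # new owner's reader: take ownership, install its own read key
    new_owner_key, ack = authorise(auth_key, tag.take_ownership())
    if not tag.ack_ownership(ack):
        return None
    answer = dec(new_owner_key, tag.challenge("owner_key"))
    return new_owner_key if tag.change_read_key(answer, enc(new_owner_key, new_read_key)) else None
```

After `transfer_ownership` the previous owner's read key and ownership key no longer answer the tag's challenges, and a forged acknowledgement leaves the ownership key unchanged.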
In the following section, the term “RFID tag” will generally be used, the word “tag” indicating that the RFID device may be suitable for “tagging” one or more items. It will be understood that “tags” may be any of a variety of sizes and shapes.