Both passive and active RFID technologies are being used increasingly to control access, such as building access, vehicle access, etc. Typically, in an RFID-enabled system, access to a building or vehicle requires an RFID tag (hereinafter referred to simply as a tag) to be placed in proximity of an RFID tag reader (hereinafter referred to simply as a reader). The positioning of the tag vis-à-vis the reader can be done either deliberately, by flashing a tag-containing card in front of a suitable reader, or as a matter of course if the tag is embedded in a badge or under the skin. Access to the building or vehicle is then allowed only if the data stored in and received from the tag (e.g., a user ID) corresponds to an entry in a database of authorized user IDs, typically stored in a server remote from the reader.
As RFID technology gains widespread usage in an increasing number of industries, at least two problems are expected to arise in the above-described access control context. The first such problem is related to security, and is especially evident if one imagines the situation where a malicious entity gains access to the database of authorized user IDs. With this information, the malicious entity can engage in the production of tags that emulate those of the persons associated with the authorized user IDs in the database. Recognizing this deficiency, the industry has attempted to address the security problem, at least in part, through the use of encryption techniques. Specifically, instead of storing a user ID, a given tag is designed to store the user ID as encrypted by a secret encryption key. A reader reading the tag proceeds to decrypt the user ID using a known decryption key, and then compares the (decrypted) user ID to the database of authorized user IDs in the usual fashion. In this scenario, a malicious entity that gains access to the database of authorized user IDs, but without the secret encryption key, will not be able to reproduce the encrypted user ID required to permit access to the building or vehicle.
The second problem that is expected to arise is one related to volume. As RFID tag readers become more sensitive and as the number of objects possessing RFID tags increases, there may be, at any given moment, a wide array of tag-containing objects in the vicinity of a given reader. Yet the vast majority of these tag-containing objects are not intended to be submitted to the reader for access control purposes. For example, a reader positioned at the entranceway to a building may, in the future, be exposed to signals emitted by one or several (or none!) building access cards, while also being in the vicinity of hundreds of other tag-containing items (briefcases, laptops, vehicles, automobile tires, wallets, credit cards, etc.) that are completely unrelated to building access. Unfortunately, however, the reader has no way of knowing which tags are being intentionally presented to it for access control purposes, and therefore must make the assumption that each tag needs to be authenticated.
The risk of picking up signals emitted by multiple tags can only increase as the RFID industry advances on the standardization front. On the one hand, there are indications of industry preparedness, such as the development of protocols in order to manage collisions at a reader performing data acquisition (e.g., by using random back-off techniques reminiscent of LAN access protocols). However, an issue that is overlooked by these and other prior art proposals is the difficulty caused by the delay resulting from having to perform numerous queries to a database of user IDs, where such database is typically located remotely from the reader. As a result, the bandwidth between the reader and the database, as well as the computational speed of the database, become significant bottlenecks in the quest for real-time performance in an access control scenario. These bottlenecks become even more obstructive if the above-described encryption techniques are employed, as the net effect is the introduction of further delay in the process.
Against this background, it is clear that there is a need for improved access control techniques in RFID-based systems.