The use of radio frequency identification (RFID) technology has evolved to such an extent that it has become an everyday item used in a large number of applications. Examples of such uses are scanning and identification of items/articles in boxes, identification and authorization when requesting access to, e.g., a bank account via an ATM, when requesting entry via an entrance locked by means of an electronic lock, e.g. to a building or a hotel room, or when starting a vehicle whose engine starting mechanism is protected by an electronic lock. Very simple RFID devices are used as identification tags attached to items in shops for the purpose of theft protection.
RFID devices are activated by an RF field produced by an antenna connected to a reader/writer terminal, which is typically integrated within an access control or an authorization mechanism as exemplified above. The RFID devices comprise a control unit, which typically holds private and proprietary information, and which is integrated in the device together with a coil inductor antenna. The coil inductor antenna is used to draw the necessary supply of power for operation from the RF electromagnetic field provided by the reader terminal. Additionally, through the same RF field the control unit communicates modulated information with the reader terminal. The mechanism is standardized as described, e.g., in ISO/IEC 14443.
One of the features of RFID devices is the identification based on the unique serial number embedded in the device. It is impossible to change that number and a manufacturer guarantees that no duplicates are ever present. It is also a very difficult task to make a duplicate with the same serial number.
RFID devices are configured to interact and communicate information that is stored in internal memory with a reader terminal whenever the device is placed within reach of an appropriately configured RF electromagnetic field, irrespective of whether or not a user/owner of the card is aware of such an RF field being present. This means that it is difficult for a user/owner to have total control over access to the information stored in the device.
The interaction between the RFID device and the reader terminal is performed in a query-response manner, where the reader transmits requests to the device, and the device responds by transmitting reply data. The content carried by such interaction may be either simple (e.g. the device identifies itself to the reader by an identifying number, ID), or complex (e.g. the device and the reader perform an authentication scheme and exchange a session encryption key).
When multiple devices are present in the vicinity of a reader, a collision detection protocol is used to determine the number of devices and their IDs, so that the reader can query a specific device, identified by its own unique ID. When a single device is present in the field, no collision with another device occurs, and the device is able to respond to the queries without disturbance.
That is, typical usage of RFID is oriented towards ensuring that an RFID device is readable and writeable: if a device is alone in the RF field, there is no interference from other devices and the device is readable and writeable. If there are multiple devices present in the same RF field, special communication procedures are used to make sure all tags are readable and writeable.
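The collision handling described above can be modelled as a bit-wise tree walk, similar in spirit to the bit-oriented anticollision of ISO/IEC 14443 Type A. The following Python sketch is an added example, not part of the original text; the 32-bit UID width, the function names and the sample UIDs are assumptions constructed for illustration.

```python
# Added illustration: simplified bit-wise anticollision (binary tree walk).
# UID width, helper names and sample UIDs are assumptions constructed here.
UID_BITS = 32


def to_bits(uid):
    """Render an integer UID as a fixed-width bit string, MSB first."""
    return format(uid, "0{}b".format(UID_BITS))


def superimpose(answers, start):
    """Model the shared RF channel: every answering device transmits at once.

    Returns the bits the reader receives cleanly from position `start`
    onward, and True if two devices disagreed on the next bit (a collision).
    """
    bits = ""
    for pos in range(start, UID_BITS):
        seen = {a[pos] for a in answers}
        if len(seen) > 1:
            return bits, True
        bits += seen.pop()
    return bits, False


def enumerate_devices(uids):
    """Return (sorted UIDs the reader resolved, number of queries it sent)."""
    found, queries, pending = [], 0, [""]
    while pending:
        prefix = pending.pop()
        queries += 1
        # Only devices whose UID begins with the queried prefix respond.
        answers = [u for u in uids if u.startswith(prefix)]
        if not answers:
            continue
        bits, collided = superimpose(answers, len(prefix))
        if collided:
            # Split the population on the colliding bit and retry each half.
            pending += [prefix + bits + "1", prefix + bits + "0"]
        else:
            found.append(prefix + bits)
    return sorted(found), queries


# Constructed sample population (not real device serial numbers).
FIELD = [to_bits(u) for u in (0x04A1B2C3, 0x04A1B2C7, 0x9F000001)]

if __name__ == "__main__":
    print(enumerate_devices(FIELD[:1]))  # one device alone in the field
    print(enumerate_devices(FIELD))      # three devices sharing the field
```

With n distinct devices in the field the reader needs 2n - 1 queries, and when the loop ends it holds every device's ID, whether or not the holder knew a field was present.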
A drawback with prior art RFID systems is hence that RFID devices will respond to any legitimate read/write request from any compatible reader. Anyone equipped with a reader is able to retrieve or modify data stored in an RFID device. In areas where data security is crucial, secure, smart devices must be used to protect the data cryptographically. These devices are expensive, have a complex structure, and require complex software on a reader for normal operation. An example of such prior art is to be found in United States Patent Application Publication 2005/0099268A1, which discloses a radio frequency identification system with privacy policy implementation based on device classification.