Radio identification is a technique for storing and retrieving data remotely by using markers called radio tags (the term “RFID tag” is also used). A radio tag is a small object, such as a self-adhesive tag, that can be stuck on, or incorporated into, objects or products. It comprises an antenna associated with an electronic chip that allows it to receive and respond to radio requests transmitted from a transceiver called a reader. By way of example, radio tags are used to identify persons when the tags are integrated in passports, in transport tickets or in payment cards, or to identify products as with a barcode.
Conventionally, when a tag comes into range of a radio reader, the reader interacts with the tag and interrogates it. During such interrogation, the reader can retrieve information belonging to the tag, such as a tag identifier, or conventionally data that are involved in authenticating the tag to a reader. This ability of a reader to retrieve information from a tag spontaneously is not without drawbacks in terms of security. The reason is that the reader may be corrupt and under the control of an ill-intentioned person, and in some cases the spontaneous retrieval of information from a tag leads to authentication resources that belong to the tag being exhausted. This can help an attacker carry out a denial-of-service attack against the tag. It is therefore beneficial for the tag to be able to distinguish between a corrupt reader and a legitimate, or authentic, reader. Thus, it is beneficial for a tag to be able to authenticate a reader prior to authentication of the tag to the reader.
The document WO2010/149937 discloses a method for mutual authentication between a radio tag and a radio reader. Using this method, the authentication of the tag by the reader is conditional on the success of the prior authentication of the reader by the tag. In order to authenticate the reader and in order to authenticate itself to the reader, the tag selects a first index i for a tag authentication coupon x_i and sends the reader a data item intended to determine the value of the first index i, and the tag authentication coupon x_i. The reader retrieves a precalculated reader authentication coupon t_j that is associated with a second index j. The authentication coupon t_j of the reader is stored in memory by the reader; it has been precalculated by applying to the value j a pseudo random function (“PRF”), which is parameterized by a regeneration key k′. The reader likewise generates a challenge c and sends the tag the challenge c, the authentication coupon of the reader t_j and the second index j. The tag calculates a second authentication value for the reader, t_j′, by applying the pseudo random function PRF that it knows, parameterized by the regeneration key k′ that it has, to the second index j received from the reader. The tag then compares the second calculated authentication value t_j′ with the authentication coupon t_j received from the reader. If the second calculated value t_j′ is identical to that received from the reader, then the reader has been correctly authenticated. The authentication of the reader by the tag is based on secret key cryptography. More precisely, the authentication of the reader is based on the use by the tag of the pseudo random function PRF that is used to precalculate the authentication coupons of the reader and on knowledge of the regeneration key k′.
The pseudo random function is applied to the second index j received from the reader in order to calculate the second authentication value of the reader t_j′ and thus to verify the validity of the coupon received from the reader, thus proving that the reader is a legitimate reader. The success of the authentication of the reader determines the authentication of the tag by the reader. In one embodiment, the authentication of the tag is implemented by the known public key authentication scheme “GPS” (or “cryptoGPS”), from the names of the inventors “Girault, Pales, Poupard and Stern” [M. Girault, G. Poupard and J. Stern, “On the Fly Authentication and Signature Based on Groups of Unknown Order”, Journal of Cryptology, pages 463-488, volume 19, number 4, 2006]. The GPS scheme is a public key authentication scheme based on the discrete logarithm problem in a multiplicative group. GPS is conventionally used so that a device, usually a device that has very little computation power, such as a radio tag, authenticates itself to a second device, typically a more powerful device, such as a radio reader. With GPS, the most costly calculations are performed by the more powerful device. This feature makes the GPS protocol highly suited to the authentication of radio tags to radio readers. In the course of the authentication of the tag, the index i initially transmitted by the tag to the reader is then advantageously used by the tag in order to calculate an authentication response to the challenge c sent by the reader. Thus, the mutual authentication method optimizes the use of the resources of the tag, which are known to be limited.
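The exchange described in the two paragraphs above can be followed end to end in the sketch below, an added example that is not code from WO2010/149937 or from the GPS authors. It assumes HMAC-SHA256 as the PRF, a toy multiplicative group modulo a small prime, the usual GPS equations (coupon x_i = H(g^r_i), response y = r_i + s·c, public key v = g^-s), and hypothetical class and function names.

```python
import hashlib, hmac, secrets

P, G = 2**127 - 1, 3   # toy group (constructed); far too small for real use

def prf(key, index):
    # Stand-in PRF (assumption): HMAC-SHA256 keyed by k or k', applied to the index
    return hmac.new(key, index.to_bytes(4, "big"), hashlib.sha256).digest()

def h(n):
    return hashlib.sha256(n.to_bytes(16, "big")).digest()

class Tag:
    def __init__(self, s, k, k_prime, n=4):
        self.s, self.k, self.k_prime, self.i = s, k, k_prime, 0
        # Tag coupons x_i = H(g^r_i mod P), with r_i = PRF_k(i) regenerated on demand
        self.x = [h(pow(G, self.r(i), P)) for i in range(n)]
    def r(self, i):
        return int.from_bytes(prf(self.k, i), "big")
    def commit(self):
        return self.i, self.x[self.i]          # message 1: index i and coupon x_i
    def respond(self, c, j, t_j):
        # Reader authentication: recompute t_j' = PRF_k'(j), compare in constant time
        if not hmac.compare_digest(prf(self.k_prime, j), t_j):
            return None                        # no answer; coupon i stays unused
        y = self.r(self.i) + self.s * c        # GPS response, computed over the integers
        self.i += 1                            # index handling is an assumption here
        return y

class Reader:
    def __init__(self, v, coupons):
        self.v, self.coupons = v, dict(coupons)  # v = g^-s, coupons = {j: t_j}
    def challenge(self):
        j, t_j = self.coupons.popitem()          # take one stored reader coupon
        return secrets.randbelow(2**32), j, t_j  # message 2: c, j, t_j
    def verify(self, x_i, c, y):
        # Accept only if H(g^y * v^c) matches the coupon committed in message 1
        return y is not None and h(pow(G, y, P) * pow(self.v, c, P) % P) == x_i

def session(tag, reader):
    i, x_i = tag.commit()
    c, j, t_j = reader.challenge()
    return reader.verify(x_i, c, tag.respond(c, j, t_j))

def demo():
    s, k, k_prime = secrets.randbits(80), secrets.token_bytes(16), secrets.token_bytes(16)
    tag, v = Tag(s, k, k_prime), pow(G, -s, P)
    legit = Reader(v, {j: prf(k_prime, j) for j in range(2)})
    rogue = Reader(v, {j: prf(b"wrong key", j) for j in range(2)})
    return session(tag, rogue), tag.i, session(tag, legit), tag.i
```

`demo()` runs a reader that lacks k′ first: the tag stays silent and its coupon index does not advance, which is the resource-exhaustion protection the text motivates. The legitimate reader then completes the GPS check.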
Once the mutual authentication between the reader and the tag has been performed, any additional information that flows between the tag and the reader is transmitted in the clear. However, it may be necessary to check the transmission of the information between the reader and the tag. By way of example, in the case of tags that are affixed to medicine boxes, such information intended to be read by the reader can provide details of the destination of the medicine by providing pharmacy addresses. Such sensitive information can thus be intercepted over the radio link by an ill-intentioned person. The authentication method described previously does not protect the transmission of information between the reader and a device that is constrained in terms of memory and computation power, such as a radio tag.