In the most basic terms, RFID systems consist of a RFID tag implemented to provide information stored in the tag pertaining to the identity and perhaps features or characteristics of an object to which the tag is affixed, and to communicate that information via an RF signal to a RFID reader in response to an RF interrogation signal received by the tag from the reader. In most instances of current use, a single reader is used to commence individual communication sessions or transactions with a multiplicity of tags.
Typically, objects bearing the tags are moved past the fixed location of the reader, which is remote from the tags but within the communication range, or response range, of each tag as the tag traverses the reader's position. An example of such an application of a RFID system is a roadway toll collection system in which authorized vehicles—that is, vehicles bearing a RFID tag that designates permitted use under the authority of a government agency—are queried or commanded by a RFID reader positioned in a designated lane of the toll collection area to identify themselves as they move “on the fly” past the reader. The remote collection of identities of the vehicles enables the government authority to charge or debit the account of each individual vehicle's owner as registered in conjunction with a computer-aided mailing or other notification system. Such systems represents not only a vast improvement in traffic control, but in efficiency of toll collection and reduction in labor intensive operations as well. This is to be contrasted with the physical collection of the toll at manned (a toll taker person) or unmanned (e.g., coin collection trough) booths in open lanes where each vehicle must stop or at least slow to roll through the lane.
Another example of a RFID system application where the reader is fixed and the object bearing the tag is moved past the reader, is one in which security is to be maintained either to allow passage of the object (e.g., a person wearing a badge that incorporates the tag) into a secure part of a facility, or to announce or prevent passage of the object (e.g., goods to which the tag is secured) from an exit location of a facility as by sounding an alarm or locking the exit.
But depending on the particular application of the RFID system, the reader may be movable so as to acquire stored information from relatively immobile objects, such as in supply chain applications where common goods are temporarily held in cases or on pallets bearing the RFID tag in an inventory setting. The inventoried cases or pallets may be scanned occasionally or periodically by a hand-held RFID reader to acquire the goods' identity information from the tag(s). In still other applications both the tags and the reader may be mobile during the scanning process, such as during rapid scanning of RFID-tagged objects on a moving conveyor belt by a RFID reader being transported in a direction opposite that of the moving belt. In any event, in every application of a RFID system, the reader and the tag must be relatively positioned within a range suitable for RF communication to take place between them; that is, communication range of reader and tag, or response range of the tag.
In its simplest form, the conventional RFID tag consists of a transponder and an antenna. Sometimes, the RFID tag itself is referred to as a transponder. In any event, the tag is provided with data storage capacity, usually in the form of read-only memory (ROM) or read/write (R/W) memory (such as electrically erasable programmable ROM, or EEPROM) embodied in the integrated circuit (IC) of a semiconductor chip (sometimes called a microchip). The electronics circuitry integrated in the microchip of the RFID tag, together with or without the impedance matching circuitry that couples the electronics and the tag's antenna, may be termed a RFIC (RF integrated circuit) or an ASIC (application-specific IC).
RFID tags may be either passive or active. A passive RFID tag lacks an internal self-sufficient power supply, e.g., a battery, and relies instead on the incoming RF query by the reader to produce sufficient power in the tag's internal circuitry to enable the tag to transmit a response. In essence, the query induces a tiny electrical current in the tag's internal antenna, which serves as the power source that enables a reflected or backscattered response. Accordingly, a passive RFID tag is quite limited with respect to the amount of data that can be furnished in its response to a reader's query, usually consisting of only fixed, invariable information stored in the tag, e.g., an ID number and perhaps a small amount of additional data. But the absence of a battery leads to certain advantages, primarily that a passive tag can be fabricated at much lower cost and in smaller size than an active tag.
Among other uses, passive RFID tags are projected to eventually replace the ubiquitous universal product code (UPC), or imprinted bar code, strip found on myriad products in the stream of commerce, the strip requiring a line of sight optical scan to obtain a readout of the identifying UPC. The readout may then be used, for example, to retrieve computerized price information for the product, and to produce a display and/or printout of the product's current price, at a point of sale (e.g., cash register location) for the product.
The on-board, or on-chip, battery of an active RFID tag can give the tag a greater response range, along with greater accuracy, reliability and data storage capacity, but the active tag has the aforementioned disadvantages of greater cost and size relative to the passive tag. The battery itself can be quite small, but not enough to overcome the size disadvantage.
A typical conventional RFID tag reader employs a transceiver, a control unit and an antenna for communicating with the tag at a designated RF frequency among several allocated for this purpose. An additional interface such as RS 232, RS 485, or other, may be provided with the reader to allow data received from the tag to be forwarded to another system.
In many applications it may be important to assure the privacy of information transferred between tag and reader, particularly information stored in the tag. Consider, for example, a vehicle that bears one or more RFID tags whose R/W memory is continuously or periodically updated with mileage driven, current location, daily operating routine, current cargo, owner's identity, authorized driver(s), and other information that the vehicle owner may want to be held confidential. There are concerns, however, over potential loss of privacy and theft of personal identity information as a result of the growing use of RFID tags.
Attempts have been made to protect and to allay concerns regarding the privacy and security of data stored in tags. In general, these attempts have been directed toward protocols and schemes to prevent access to secret, confidential, private information stored in RFID tags through interrogation or interception by unauthorized readers, sometimes called rogue readers, illegitimate readers, intruders, attackers, interceptors or adversaries. These and similar appellations are collectively referred to herein as “unauthorized reader.”
One proposed solution is found in an article by I. Vajda et al., titled “Lightweight Authentication Protocols for Low-Cost RFID Tags,” Budapest University of Technology and Economics, Hungary, Aug. 5, 2003. In the Vajda article, the desire to provide security in low-cost RFID tags is viewed as challenging because of the highly resource-constrained nature of the tags, and their inability to support strong cryptography. A purported need for special lightweight algorithms that take into account the limitations of RFID tags and the headlong rush toward universal deployment of RFID systems is addressed through a listing of certain tag authentication protocols previously presented by others.
However, Vajda presents the complexity of requiring two states or modes of operation of the tags, and the distinct possibility that an unauthorized reader could penetrate a tag's defense against acquisition of its secure data by gaining entry through the more open ID mode notwithstanding its designation as the locked state. In addition, Vajda's use of a list of pseudonyms has problems in the relatively large number of messages required, as well as the cost factor associated with frequent updating of those pseudonym lists and secret keys, and over-reliance on the premise that an unauthorized reader can only observe a limited number of consecutive runs of the protocol.
Another attempt to protect data stored on tags is discussed in an article by D. Molnar et al., titled “Privacy and Security in Library RFID Issues, Practices and Architecture,” CCS '04, Oct. 25-29, 2004, Washington, D.C. Molnar addresses reader and tag authentication before communication of tag information is allowed, specifically in the context of tracking tags in a RFID tagging regime applied to the checking out and in of library books. Such tracking of tagged library books raises the specter of surveillance of library patrons and their reading habits.
As a practical matter, RFID products operating at designated frequencies up to ultra high frequency (UHF) have had relatively minimal need for session verification since most commerce-based transactions have been performed with passive devices. But where a RFID tag is active, and powered by a battery as well, it is relatively easy to remove the battery powered RFID tag from the vicinity of a reader. Therefore, it becomes incumbent from the standpoint of security to afford protection against the tag being removed by an attacker from communication range with an authorized RFID reader during an authenticated session, and then positioning it within range of an unauthorized reader (or positioning the unauthorized reader in the response range of the tag). Such action would enable wide open access to the tag's protected memory locations by the unauthorized reader.
Concern over violations of security and privacy of communications between authorized reader and tag may also be present with a passive tag, but the ability to set up equipment that maintains power at the tag via RF energy at all times is much more difficult, albeit possible.
It would be desirable to provide a simple and yet efficient protocol or method to assure the privacy and security of a communication session between an authorized RFID reader and a RFID tag, especially an active tag.