Secure EPC Gen2 Compliant Radio Frequency Identification
Summary (3 min read)
1 Introduction
- Radio Frequency Identification (RFID) is a promising new technology that is widely deployed for supply-chain and inventory management, retail operations and more generally for automatic identification.
- To promote the adoption of RFID technology and to support interoperability, EPCGlobal [10] and the International Organization for Standards (ISO) [12] have been actively engaged in defining standards for tags, readers, and the communication protocols.
- In this paper the authors are concerned with the security of EPCGen2 compliant protocols.
- It is important therefore to employ lightweight cryptographic protocols that are compatible with the existing standardized specifications.
- Obviously, the level of security may not be sufficient for sensitive applications.
2 The EPCGen2 standard
- This standard defines the physical and logical requirements for a passive-backscatter, Interrogator-talks-first (ITF), radio-frequency identification (RFID) system operating in the 860 MHz - 960 MHz frequency range.
- The EPCGen2 standard defines a protocol with two layers, the physical and the Tag-identification layer, which together specify the physical interactions, the operating procedures and commands, and the collision arbitration scheme used to identify a Tag in a multiple-tag environment.
- Physical Layer – Communications are half-duplex, meaning that Interrogators and Tags cannot talk simultaneously.
- – TID memory that contains sufficient information to identify to a Reader the (custom/optional) features of the Tag and tag/vendor specific data.
- The Interrogator sends a parameter Q, that is an integer in the range (0, 15); the Tags load a random Q-bit number into a slot counter.
2.1 The Pseudo-Random Number Generator
- A pseudorandom number generator (RNG) is a deterministic function that outputs a sequence of numbers that are indistinguishable from random numbers by using as input a random binary string, called seed.
- The length of the random seed must be selected carefully to guarantee that the numbers generated are pseudorandom.
- The state of the RNG changes each time that a new random number is drawn.
- For a tag population of up to 10,000 tags, the probability that any two or more tags simultaneously draw the same sequence of RN16s is < 0.1%, regardless of when the tags are energized.
2.2 The 16-bit Cyclic Redundancy Code
- Cyclic Redundancy Codes (CRC) are error-detecting codes that check accidental (non-malicious) errors caused by faults during transmission.
- Since the modulo g(x) operator is a homomorphism, CRC16 inherits strong linearity aspects.
- (1) It follows that the CRC16 of a sequence of numbers can be computed from the CRC16s of the numbers.
- Consequently CRC16 by itself will not protect data against intentional alteration.
- Its functionality is to support strong error detection particularly with respect to burst errors, not security.
3 Weaknesses in recently proposed EPCGen2 compliant RFID protocols
- The Quingling-YijuYonghua minimalist mutual authentication protocol [17], and the Sun-Ting authentication protocol [18].the authors.
- The authors show that these protocols fall short of their claimed security.
- The authors assume that S and R are linked with a secure channel, and for simplicity, only consider the case when the authentication is online.
3.2 Analysis of the Quingling-Yiju-Yonghua protocol
- The Quingling-Yiju-Yonghua protocol is a challenge-response mutual authentication protocol [17].
- In the protocol T gets identified by revealing information about its keypool, which S uses to locate the tag in DB.
- The protocol is also subject to a more complex statistical attack in which A first eavesdrops on a number of tag interrogations and then replays the tag flows to the Reader R, changing adaptively the last challenge.
- Below the authors describe the attack in more detail.
- A repeats this step for each one of the l words of the keypool.
4.1 The protocol
- In their protocol each tag T is identified by drawing consecutive numbers from its RNG.
- S then draws and sends the next number RN4 as challenge and T responds by sending RN5.
- Each tag T shares with the back-end server S an identifier IDtag, its generator (including mutable state) RNG(gtag) and at least one pseudorandom number among the most recent six values extracted from the RNG (which guarantees synchronization as described below).
- This protocol is optimistic in the sense of communication efficiency, because just three flows are necessary to identify a tag T when the adversary A is passive.
5.1 RFID deployments
- A typical RFID deployment involves tags T , Readers R and a back-end Server S. Tags are wireless transponders that typically have no power of their own and respond only when they are in an electromagnetical field, while Readers are transceivers that generate such fields.
- Readers implement a radio interface to the tags and a high level interface to a back-end server.
- Readers do not store locally any private data.
- All parties including the adversary A are modeled as a probabilistic Turing machines.
- However the channels that link the Server and authorized Readers are assumed to be secure.
5.2 The UC framework
- The universal composability (UC) framework specifies a particular approach to security proofs for protocols, and guarantees that proofs that follow that approach remain valid if the protocol is, say composed with other protocols and under arbitrary concurrent protocol executions (including with itself).
- Tag authentication requires that the Server can corroborate values produced by the tag in terms of the state of their shared RNG.
- Â, of the real adversary, Ŝerver, of the real Server, t̂ag, of real tags, and the interactions of the protocol with Z, in particular its invocations of Fauth.
- Finally, in the real world all protocol flows involve pseudorandom numbers whereas in the ideal world the authors have random numbers: the environment Z cannot distinguish these because it is a PPT machine.
- However it will only succeed with negligible probability in guessing RN5 in response to the Server’s query RN4.
Did you find this useful? Give us your feedback
Citations
63 citations
52 citations
Cites methods from "Secure EPC Gen2 Compliant Radio Fre..."
...Even pseudorandom functions (PRF) based on PRNG (as in [van Le et al. 2007; Burmester et al. 2009b] are too slow for EPCGen2 applications (to generate an n-bit output of a PRF by running a PRNG as in [Goldreich et al. 1986] requires 2n numbers to be drawn)....
[...]
...We then extend the Universally Composable (UC) security framework for RFID systems presented recently in this journal [Burmester et al. 2009b], to capture lightweightto-.yweight RFID applications, and, in particular, forward and backward security with refreshment....
[...]
...A Flyweight RFID protocol that provides mutual authentication with session un linkability, extending work in [Burmester et al. 2009a; Burmester and Munilla 2009] (Section 4)....
[...]
...A UC framework that adapts the model in [Burmester et al. 2009b] to capture availability,1 mutual authentication, and session unlinkability with forward and backward security (Section 8)....
[...]
...Furthermore, we restrict concurrency by prohibiting RFID tags from executing more than one session at a time (as in [Burmester et al. 2009b])....
[...]
36 citations
Cites background from "Secure EPC Gen2 Compliant Radio Fre..."
...In Burmester et al. (2009), a similar attack is suggested but its proof is not included....
[...]
34 citations
Cites background from "Secure EPC Gen2 Compliant Radio Fre..."
...So private information can easily be manipulated, and only one eavesdropped interrogation is needed to clone a tag (for details see [6])....
[...]
...This is also subject to a replay attack because only the tag provides randomness (for details see [6])....
[...]
...This is subject to a replay attack because the flows of the Reader and tag use independent randomness (for details see [6])....
[...]
33 citations
Cites background from "Secure EPC Gen2 Compliant Radio Fre..."
...However, it is demonstrated that the EPC C-1 G-2 specification has important security flaws in this standard [14], which motivates researchers to try to propose EPC-compliant schemes, analyze the security of existing EPCcompliant schemes, or improve the vulnerable schemes [15–22]....
[...]
References
69 citations
48 citations
"Secure EPC Gen2 Compliant Radio Fre..." refers methods in this paper
...In this section we consider three recently proposed EPCGen2 compliant protocols: the Chen-Deng mutual authentication protocol [7], the Quinling-YijuYonghua minimalist mutual authentication protocol [18], and the Sun-Ting authentication protocol [19]....
[...]
...Recently three RFID authentication protocols specifically designed for compliance with EPCGen2 have been proposed [7, 18, 19]....
[...]
...The Quinling-Yiju-Yonghua protocol is a challenge-response mutual authentication protocol [18]....
[...]
41 citations