
Y. C. Chen et al. / Asian Journal of Health and Information Sciences, Vol. 1, No. 2, pp. 189-203, 2006


Low-Cost RFID Authentication Protocol for Anti-Counterfeiting and Privacy Protection

YUNG-CHIN CHEN1,*, WEI-LIN WANG1, AND MIN-SHIANG HWANG2

1Department of Computer and Communication Engineering, Asia University, Taiwan
2Department of Information Management, National Chung Hsing University, Taiwan

ABSTRACT

RFID (Radio Frequency Identification) is one of the most promising NFC (Near Field Communication) communication technologies for pervasive and ubiquitous network societies in recent years. The main reason for the growing interest from both industry and academic institutes is its great potential for various applications, which are closely related to our daily life, due partially to lowering prices. The implementation of RFID systems, however, has also raised concerns regarding information security and violations of end-user privacy. Because of the lower prices and weaker privacy protection of RFID tags, a feasible security mechanism for anti-counterfeiting and privacy protection is proposed that uses XOR operations and random number shift methods to enhance the security of RFID tags at relatively low cost.

Key words: RFID, ubiquitous, counterfeiting, XOR, random number.

1. INTRODUCTION

An RFID system generally consists of three primary components, including readers, tags and middleware (API), that possess identification, renewable, and reusable characteristics. Applications of RFID have been increasing over the past few years in various areas due to the popularization pushed by Wal-Mart and the DoD of the USA. Apart from the applications in supply chain, logistics, retail, and transportation, opportunities for manufacturing processes management, security, electronic toll systems, library management systems and healthcare are also full of potential (Finkenzeller, 2003; Srivastava, 2005; Garfinkel & Rosenberg, 2005; Shepard, 2005; Weis, Sarma, & Rivest, 2003). It is expected that our daily life would become more convenient due to such applications in the future. Security and privacy protection, however, will be an issue after wide-spread adoption of the RFID system due to the lowering of the tags' price. The design of low-price tags is simple in terms of using fewer gates and is vulnerable to eavesdropping as a result (Ranasinghe, Engels, & Cole, 2005). Researchers have addressed the security risks of low-price RFID tags and proposed some possible solutions including killing the tags at the check, applying a rewritable memory, mutual-authentication (Yang, Park, Lee, Ren, & Kim, 2005; Lopez, Castro, Tapiador, & Ribagordaj, 2006; Chang, 2005), the key diversification scheme (Chang, 2005), hash function encryption (Weis et al., 2003; Kim, Oh, Choi, & Kim, 2006; Gao et al., 2004; Oertel, Wolk, Hilyt, & Kohler, 2005; Henrici & Muller, 2004; Dimitriou, 2005), and the XOR algorithm (Yang, Ren, & Kim, 2005; Zhang & Zhou, 2005; Li, Jeong, Sun, & Lee, 2006). In this paper a low-cost approach with proper protection exploring the XOR algorithm is proposed.

* Corresponding author. E-mail: [email protected]

2. SECURITY MECHANISM

There are basically two approaches to dealing with the risks of security and privacy. One is to kill or disable the tags and the other is the adoption of tags with access control functionality that respond only to authorized readers. On the other hand, RFID tags are designed to authenticate the reader first before responding to any reader. When the reader sends out a query, the tag encrypts its ID together with a random number R using the reader's public key. Because the reader's signal for each interrogation is different, even if the signal is eavesdropped, the adversary is still unable to pass the authentication for the next interrogation cycle. This random number based mutual authentication mechanism can in general prevent counterfeiting and repel attacks.

2.1. Mutual Three-Pass Authentication Protocol

The security mechanism for low-cost RFID tags is in general designed with a mutual-authentication protocol so that readers are unable to read tags and distinguish counterfeit tags without having performed a correct authentication (Lopez et al., 2006; Chang, 2005). When the RFID system starts the authentication process, tags are first authenticated by the reader and vice versa before any communication is processed.

Mutual authentication processes between the reader and the RFID tag are generally based on the principle of a three-pass mutual authentication, as illustrated in Figure 1. In accordance with ISO 9798 (Weis et al., 2003), both entities in the communication verify the other participant's secret cryptographic key. Three-pass authentication processes are necessary between the reader and the tag to complete a communication cycle, and the tag has the abilities of:
(1) having space for secret key storage KAB;
(2) generating random number RA;
(3) encrypting TokenAB and decrypting TokenBA.

The potential source of danger is that all the tags possessing an identical cryptographic key KAB could be found easily if there are frequent communications between the reader and the tag.

2.2. Key Diversification

The way to further enhance the security of an RFID system based on the three-pass mutual authentication mechanism is to adopt a key diversification scheme (Chang, 2005), as illustrated in Figure 2.

In this key diversification based three-pass mutual authentication procedure, the tag is capable of:
(1) having space for secret key KS and serial number storage;
(2) generating a random number RA;
(3) calculating KS;
(4) encrypting TokenAB and decrypting TokenBA.

In this mechanism, a five-pass authentication process is necessary between the reader and the tag to complete a communication cycle. The key diversification scheme uses the tag's serial number and, for security reasons, a secret master key stored on the reader's security access module. This authentication strategy enhances both system security and user privacy by using a secret master key but at the expense of higher costs of the chip. In addition, the time required for completing a communication cycle would be a bit longer, leading to a smaller number of tags read per second.

Figure 1. Three-pass mutual authentication procedures between RFID tag and reader.

Figure 2. Three-pass mutual authentication procedure based on a key diversification scheme between RFID tag and reader.

2.3. Hash Function

An extension of the authentication scheme is to use a cryptographic hash function that offers privacy control at low cost. All it requires is a hash function and space for metaID storage, as shown in Figure 3 (Weis et al., 2003). It is, however, unable to prevent tags from being tracked as the tag's responses are predictable. Thus both the random key and the tag ID could be eavesdropped by an adversary.

[Figure 1 diagram labels: Reader, KAB, Tag, KAB; messages GET_CHALLENGE(RB), TokenAB=EKAB(RA|||RB||I), TokenBA=EKAB(RA|||RB).]

[Figure 2 diagram labels: Reader, Security Access Module, KM, KS, Tag, Serial Number, KS; messages GET_Serial Number, Serial Number, GET_CHALLENGE(RB), TokenAB=EKAB(RA|||RB||I), TokenBA=EKAB(RA|||RB).]

Gao et al. (2004) proposed a hash function based randomized access control mechanism to avoid being tracked, as shown in Figure 4. This authentication mechanism enables the RFID tag to authenticate the reader if the reader is among the authorized group. This is because the readers and the tags belonging to the same group share the same ReaderID. During the authentication processes, tags will not respond to any unauthorized reader. Because the TagID sent by the tag is generated by one-way hash function algorithms, [TagID, h(TagID)] must be stored in a database beforehand for computing TagID.

Figure 3. Hash-Locking: A reader unlocks a hash-locked tag.

Figure 4. Hash function based authentication procedure between RFID tag and reader.

In this way of authentication, the tag is capable of:
(1) generating a random number r;
(2) calculating the hash function of h(ReaderID||r) and h(TagID);
(3) having space for the ReaderID storage.

This authentication mechanism enables tags to identify authorized readers by sending a message of h(TagID) to confirm to the reader every time that an authentication procedure is complete. There still, however, is the possibility of being eavesdropped if an unauthorized tag is able to transmit the same h(TagID) to a reader by eavesdropping h(TagID).

Despite the tag generating a random number r for the reader at the beginning to ensure that every time the authentication code provided by the reader is different, there is still a small chance of being eavesdropped due to the fixed and constant message of h(TagID). An unauthorized reader is therefore able to counterfeit the tag by eavesdropping and replaying the message of h(TagID) to the reader.

[Figure 4 diagram labels: Data Base, API, Reader, Tag, Reader ID; messages Query, r, h(ReaderID||r), h(TagID).]

3. PROPOSED APPROACH (XOR WITH RANDOM NUMBER SHIFT)

The proposed approach for low-cost RFID tags explores the simple XOR algorithm, instead of complex encryption such as using the hash function, for anti-counterfeiting and privacy protection. The key point is to store the ReaderIDs of authorized readers in the tag's memory in advance, so that tags are enabled to identify authorized readers by their ReaderIDs which are stored in both tags and readers.

The purpose for using the XOR principle with a function of random number shift is to increase the computing speed as well as to lower the costs of tags. The XOR principle is that if an authorized reader sends a request to the tags for TagID, it will get a series of random numbers (TagID⊕r') only as r' is unknown, as shown in Figure 5.

Figure 5. Proposed authentication schematic diagram.

The full procedures of this proposed authentication mechanism based on the XOR principle with the function of random number shift are shown in Figure 6 and described as follows.

Step1: The API first generates a random number r followed by inquiring the ReaderID from the data base for the XOR operation and then passes the message of (ReaderID⊕r) to the reader enclosed in a query for broadcasting to the tags.

Step2: The tag receives the (ReaderID⊕r) enclosed query and solves the random number r by the XOR logic operation with ReaderID, which is previously stored in the tag's memory. The tag will then shift r left for n bits (n is the number of binary value "1" of random number r) generating a new random number r', which will perform the XOR operation with TagID. The message of (TagID⊕r') will then be transmitted back to the reader, as shown in Figure 7.

Step3: The reader passes the message of (TagID⊕r') to the API, which calculates r' first to obtain TagID by the XOR logic operation of r' with (TagID⊕r').

Figure 6. XOR encryption algorithm with random number shift.

Figure 7. Illustration of proposed authentication mechanism based on XOR encryption algorithm.

In this proposed two-pass authentication mechanism, the tags are capable of:
(1) generating random number r' by a few bits shift of r;
(2) calculating (TagID⊕r') by the XOR principle;
(3) having space for the ReaderID storage.

This authentication mechanism also enables tags to identify authorized readers by sending a message of (TagID⊕r') to confirm the reader every time the authentication procedures are complete. There is very little chance of being eavesdropped because the information of (TagID⊕r') transmitted to the reader in the final step is unknown as r' is unknown.

[Diagram labels recovered from Figures 5-7: DataBase, API, Reader, Tag, Reader ID; messages Query, r, h(ReaderID||r), h(TagID)⊕r', Query + (ReaderID⊕r), (TagID⊕r'); tag-side operations: (ReaderID⊕r) XOR ReaderID gives r, r left shifting n bits gives r', TagID XOR r' to Reader.]

Comparisons of the proposed approach with the other authentication mechanisms in terms of the encryption algorithm and the number of passes are illustrated in Table 1.

Table 1. Encryption algorithm and the number of passes

| Algorithm | Number of passes | Tag's capabilities |
|---|---|---|
| Mutual Three-Pass Authentication Protocol | 3 times | Generating RN, Encryption of TokenAB and decryption of TokenBA, Space for secret key and serial number |
| Key Diversification Scheme | 5 times | Generating RN, Computation of KS, Encryption of TokenAB and Decryption of TokenBA, Space for secret key and serial number |
| Hash Function Encryption | 4 times | Generating RN, Hash function computation, Space for ReaderID |
| XOR with RN Shift | 2 times | Generating r' (= r left shifting n-bits), TagID⊕r' calculation, Space for ReaderID |

Note. *RN: Random Number.

4. SIMULATOR AND SIMULATION RESULTS

Due to the lack of real RFID facilities for verification of the proposed security mechanism, we designed a pseudo-reader simulator and a pseudo-tag simulator, as shown in Figures 8 and 9, respectively, for verification. The pseudo-reader simulator is capable of generating a 128-bit random number, Rand128, for the operation of (ReaderID⊕Rand128), sending the signal of (Query||ReaderID⊕Rand128) to the tag, and conducting the decryption of (TagID⊕Rand128') to obtain the TagID. The pseudo-tag simulator is capable of receiving the (ReaderID⊕Rand128) signal enclosed query and solving the random number Rand128 followed by the XOR calculation of (TagID⊕Rand128'). The message of (TagID⊕Rand128') will then be sent back to the pseudo-reader simulator.

The simulation steps are described as follows:

Step1: The pseudo-reader simulator reads the ReaderID first from a configuration file and generates the random number Rand128 automatically for the XOR operation with ReaderID, i.e., (ReaderID⊕Rand128), and then encloses it in a query and sends it to the pseudo-tag simulator.

Step2: The pseudo-tag simulator triggers the real reader to interrogate the ReaderID stored in the tags' memory soon after receiving the message of (Query||(ReaderID⊕Rand128)).

Step3: After receiving the ReaderID, the pseudo-tag simulator is able to obtain the random number Rand128 by the XOR operation of (ReaderID⊕Rand128) with ReaderID. After that Rand128 is shifted left for n bits (n is the number of binary value "1" of random number Rand128) and generates a new random number Rand128'.

Step4: After the pseudo-tag simulator generates Rand128', the reader starts to interrogate TagID from the tags to obtain (TagID⊕Rand128') by the XOR operation of TagID with Rand128'. This is then transmitted to the pseudo-reader simulator.

Step5: The pseudo-reader simulator starts the XOR operation of (TagID⊕Rand128') and Rand128' to obtain the TagID soon after receiving (TagID⊕Rand128') from the pseudo-tag simulator.
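The exchange of Steps 1-3 in Section 3 and of the simulation steps above, written out as an added Python example; it is not the authors' simulator code. It assumes 128-bit values and a logical left shift that discards bits pushed past bit 128 (the paper does not say what happens to shifted-out bits), uses constructed ReaderID and TagID values and hypothetical class and function names, and also shows the API-side match check rejecting a tag that holds a different ReaderID and a response captured in an earlier cycle.

```python
import secrets

WIDTH = 128                 # Rand128 in the paper's simulator
MASK = (1 << WIDTH) - 1

# Constructed sample values, not taken from the paper.
READER_ID = 0x0123456789ABCDEF0123456789ABCDEF
TAG_ID = 0xE2003412DC03011712345678AABBCCDD


def shift_by_popcount(r: int) -> int:
    """Return r' = r shifted left by n bits, n = number of 1 bits in r.

    Assumption: logical shift, bits pushed past WIDTH are discarded.
    """
    n = bin(r).count("1")
    return (r << n) & MASK


class Api:
    """Back end: holds ReaderID and the database of registered TagIDs."""

    def __init__(self, reader_id, registered_tag_ids):
        self.reader_id = reader_id
        self.registered = set(registered_tag_ids)
        self._r = None

    def build_query(self, r=None):
        """Step 1: pick r and return (ReaderID XOR r) for the reader to broadcast."""
        self._r = secrets.randbits(WIDTH) if r is None else r & MASK
        return self.reader_id ^ self._r

    def resolve(self, response):
        """Step 3: recompute r', unmask the response, look the TagID up."""
        if self._r is None:
            raise RuntimeError("no interrogation in progress")
        candidate = response ^ shift_by_popcount(self._r)
        self._r = None            # each r is used for one interrogation only
        return candidate if candidate in self.registered else None


class Tag:
    """Tag side: stores its TagID and the ReaderID of the authorized group."""

    def __init__(self, tag_id, stored_reader_id):
        self.tag_id = tag_id
        self.stored_reader_id = stored_reader_id

    def respond(self, query):
        """Step 2: recover r with the stored ReaderID, derive r', mask TagID."""
        r = query ^ self.stored_reader_id
        return self.tag_id ^ shift_by_popcount(r)


def interrogate(api, tag, r=None):
    """One full cycle; returns the TagID the API accepts, or None."""
    return api.resolve(tag.respond(api.build_query(r)))


if __name__ == "__main__":
    api = Api(READER_ID, {TAG_ID})
    genuine = Tag(TAG_ID, READER_ID)
    foreign = Tag(TAG_ID, READER_ID ^ 1)   # provisioned with a different ReaderID

    print("genuine tag :", hex(interrogate(api, genuine)))
    # Fixed r so the run is reproducible; the tag derives a different r'.
    print("foreign tag :", interrogate(api, foreign, r=0xF0))

    # A response captured in one cycle does not unmask correctly in the next.
    captured = genuine.respond(api.build_query(r=0xF0))
    api.resolve(captured)
    api.build_query(r=0x3)
    print("replayed    :", api.resolve(captured))
```
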

Figure 8. The pseudo-reader simulator.

Figure 9. The pseudo-tag simulator.

The simulation flowcharts are shown in Figures 10(a)-(d). In Figure 10(a), the pseudo-reader simulator, including the data fields of ReaderID, Rand128, and (ReaderID⊕Rand128), is placed on the upper left of the figure. The pseudo-tag simulator, including ReaderID, Rand128, (ReaderID⊕Rand128), and a red/green light, is placed on the upper right of the figure. The upper wave-shaped block in the middle represents the packaged message between the two simulators. The pseudo-tag simulator triggers the reader to interrogate the tag for ReaderID soon after receiving the packaged message of (ReaderID⊕Rand128). The red/green light would turn red before receiving ReaderID, as shown in Figure 10(a), and turn green after receiving ReaderID, which will then be delivered to the data field of ReaderID, and in the meantime Rand128 is sent into the data field of Rand128.

Figure 10(b) shows three data fields placed down the right side of the figure, including TagID, Rand128', (TagID⊕Rand128'), and a red/green light. After Rand128 in the upper data fields is computed, the reader will be triggered to interrogate the tag for TagID. The red/green light would turn red before receiving TagID and turn green after receiving TagID, which will then be delivered to the data field of TagID. The following task is to compute (TagID⊕Rand128') for Rand128' and deliver the result to the pseudo-reader simulator, as shown in Figure 10(b).

Figure 10(c) shows the three data fields of Rand128', (TagID⊕Rand128'), and TagID placed down the left-hand side. The pseudo-reader simulator would start computing Rand128' and (TagID⊕Rand128') for TagID once it had received the packaged message of (TagID⊕Rand128') and then match the TagID to that of the pseudo-tag simulator. A yellow circle would appear if TagID is matched and a red cross appears if not matched, as shown in Figure 10(c). But a red N would appear if the real reader fails to interrogate real tags, as shown in Figure 10(d).

5. DISCUSSION

According to Table 1, the proposed authentication mechanism shows some advantages in comparison with that of others, including (a) a relatively simple algorithm (XOR), (b) a simpler algorithm leading to a smaller number of logic gates required and thus reducing cost, (c) high security (random number shift), and (d) high efficiency (two-passes only).

For better performance testing of our approach, we plan to verify the proposed design by designing a simple circuit that will integrate a shift register with a random number generator, XOR logic gates, antenna, and memory. Thus, possible effects of noise and/or disturbance, from the "reading range" and the non-uniformity of the antenna for signal coupling will be clearer. For such a purpose, we have done the first step of designing a novel NMOS-type shift register which contains a relatively small number of transistors per stage, as shown in Figure 11 (Jone, Aliso, & Chen, 2002) that is expected to reduce the tags' price by reducing the manufacturing processes. The challenges faced by low-cost RFID design actually not only lie in the number of logic gates but also in the regulation and power consumption of circuits (Ranasinghe, Lim, Cole, & Devadas, 2006), which will also be our future work.

Figure 10. RFID authentication simulator and flowchart, panels (a)-(d).

Figure 11. NMOS-type shift register.

REFERENCES

Chang, G. C. (2005). A Feasible Security Mechanism for Low Cost RFID Tags. The Fourth International Conference on Mobile Business (ICMB'05), Sydney, Australia, 675–677.

Dimitriou, T. (2005). A Lightweight RFID Protocol to protect against Traceability and Cloning attacks. Proceedings of First International Conference on Security and Privacy for Emerging Areas in Communications Networks (SecureComm 2005), Athens, Greece, ISBN:0769523692.

Finkenzeller, K. (2003). RFID Handbook: Fundamentals and Applications in Contactless Smart Cards and Identification (2nd ed.). Munich, Germany: Wiley.

Garfinkel, S., & Rosenberg, B. (2005). RFID Applications, Security, and Privacy. Boston, USA: Addison-Wesley.

Gao, X., Xiang, Z., Wang, H., Shen, J., Huang, J. & Song, S. (2004). An Approach to security and privacy of RFID system for supply chain. Proceedings of IEEE International Conference on E-Commerce Technology for Dynamic E-Business (CEC04EAST), Beijing, China, 164-168.

Henrici, D., & Muller, P. (2004). Hash-based Enhancement of Location Privacy for Radio-Frequency Identification Devices using Varying Identifiers. Proceedings of Second IEEE Annual Conference on Pervasive Computing and Communications Workshops (PERCOMW'04), Washington, DC, USA, 149-153.

Jone, L. M., Aliso, B., & Chen, Y. C. (2002). Bootstrapped Shift Register. World Intellectual Property Organization, WO 02/45091 A1.

Kim, H. S., Oh, J. H., Choi, J. Y. & Kim, J. W. (2006). The Vulnerabilities Analysis and Design of the Security Protocol for RFID System. Proceedings of Sixth IEEE International Conference on Computer and Information Technology (CIT'06), Seoul, Korea, 152.

Lopez, P. P., Castro, J. C. H., Tapiador, J. M. E., & Ribagordaj, A. (2006). An Efficient Mutual-Authentication Protocol for Low-cost RFID Tags. Retrieved May 14, 2006, from http://lasecwww.epfl.ch/~gavoine/download/papers/PerisHER-2006-otm-is.pdf

Li, Y. Z., Jeong, Y. S., Sun, N., & Lee, S. H. (2006). Low-cost Authentication Protocol of the RFID System Using Partial ID. Proceedings of International Conference on Computational Intelligence and Security, Guangzhou, China, 1221-1224.

Oertel, B., Wolk, M., Hilyt, L., & Kohler, A. (2005). Security Aspects and Prospective Applications of RFID Systems (BSI Report), Bonn, Germany: German Federal Office for Information Security (BSI).

Ranasinghe, D. C., Engels, D. W., & Cole, P. H. (2005). Low-Cost RFID Systems: Confronting Security and Privacy. USA Auto-ID Labs. White Paper WP-SWNET-013.

Ranasinghe, D. C., Lim, D., Cole, P. H., & Devadas, S. (2006). A Low Cost Solution to Authentication in Passive RFID Systems. USA Auto-ID Labs. White Paper WP-HARDWARE-029.

Srivastava, L. (2005). Ubiquitous Network Societies: The Case of Radio Frequency Identification, Background Paper. International Telecommunication Union (ITU) New Initiatives Workshop on Ubiquitous Network Societies, Geneva, Switzerland. Retrieved from http://www.itu.int/osg/spu/ni/ubiquitous/Papers/RFID background paper.pdf

Shepard, S. (2005). RFID: Radio Frequency Identification. New York, USA: McGraw Hill.

Weis, S. A., Sarma, S. E., & Rivest, R. L. (2003). Security and Privacy Aspects of Low-Cost Radio Frequency Identification Systems. Proceedings of First International Conference on Security in Pervasive Computing.

Yang, J., Park, J., Lee, H., Ren, K., & Kim, K. (2005). Mutual Authentication Protocol for Low-Cost RFID. Workshop on RFID and Lightweight Crypto, Graz, Austria.

Yang, J., Ren, K., & Kim, K. (2005). Security and Privacy on Authentication Protocol for Low-Cost RFID. The 2005 Symposium on Cryptography and Information Security, Maiko, Kobe, Japan.

Zhang, L., & Zhou, H. (2005). An Improved Approach to Security and Privacy of RFID Application System. Proceedings of International Conference on Wireless Communications, Networking and Mobile Computing (WCNM2005), Wuhan, China.

Yung-Chin Chen received his B.S. degree in Physics from Tamkang University in 1988, and his first M.S. degree in Opto-electronics engineering from National Chiao Tung University in 1991. Dr. Chen served at Telecommunication Laboratories of Chunghwa Telecom Co., Ltd. in Jung-Li, Taiwan as an assistant R&D engineer in 1991 and served at Sinonar Co., Ltd. in Hsinchu, Taiwan as an R&D engineer in 1993. Dr. Chen received a second M.S. degree in electrical engineering from University College, London in 1996, and a Ph.D. degree in electrical engineering from Imperial College London in 2000. Dr. Chen served at Wintek Co., Ltd. in Taichung, Taiwan as an R&D engineer in 2000 and joined the faculty of Asia University in Taiwan in November 2003, and is currently an assistant Professor in the Department of Computer and Communication Engineering. Professor Chen's major research interests include TFT-LCD, RFID, and flexible electronics. So far he has published more than 20 academic papers and two international patents. Dr. Chen is currently a member of IEEE.

Wei-Lin Wang received his B.S. degree in information technology from Toko University, Chiayi, Taiwan in 2004, and an M.S. degree in computer and communication from Asia University, Taichung, Taiwan in 2006. Mr. Wang has served at Lee Ching Tech Co., Ltd in Taichung, Taiwan as a research engineer since July 2006. His current research interests include RFID middleware software and authentication protocols.

Min-Shiang Hwang was born on August 27, 1960 in Tainan, Taiwan, Republic of China (ROC). He received his B.S. in electronic engineering from National Taipei Institute of Technology, Taipei, Taiwan, ROC, in 1980; an M.S. in industrial engineering from National Tsing Hua University, Taiwan, in 1988; and the Ph.D. in computer and information Science from National Chiao Tung University, Taiwan, in 1995. He also studied applied mathematics at National Cheng Kung University, Taiwan, from 1984-1986. Dr. Hwang passed the National Higher Examination in the field of "electronic engineer" in 1988. He also passed the National Telecommunication Special Examination in the field of "information engineering," qualified as an advanced technician first class in 1990. From 1988 to 1991, he was the leader of the Computer Center at Telecommunication Laboratories (TL), Ministry of Transportation and Communications, ROC. He was also the Chairman of the Department of Information Management, Chaoyang University of Technology (CYUT), Taiwan, from 1999-2002. He was a professor and the Chairman of the Graduate Institute of Networking and Communications, CYUT, from 2002-2003. He is currently a professor of the department of Management Information System, National Chung Hsing University, Taiwan, ROC. He obtained 1997, 1998, 1999, 2000, and 2001 Outstanding Research Awards of the National Science Council of the Republic of China. He is a member of IEEE, ACM, and the Chinese Information Security Association. His current research interests include electronic commerce, database and data security, cryptography, image compression, and mobile computing. Dr. Hwang has published 100 articles on the above research fields in international journals.