[attachment=13160]
RFID Systems and Security and Privacy Implications
Uses of Automatic-ID Systems
Access control and security
Tracking of products in Supply Chain
Id of products at Point of Sale
Most widely used is the Bar Code System
Potential Application of RFID
Consider supply chain and EAN-UCC bar codes
5 billion bar codes scanned daily
Each scanned once only at checkout
Use RFID to combine supply chain management applications
Benefits of Supply Chain Management
Automated real-time inventory monitoring
Automated Quality Control
Automated Check-out
Picture your refrigerator telling you that you’re out of milk! 
Why not yet implemented
Cost too high. Needs to be <$0.10
Lack of standards and protocols
Security concerns – similar in smart cards and wireless
Privacy issues – Big Brother
RFID System Components
RFID Tag
Transponder
Located on the object
RFID Reader
Transceiver
Can read and write data to Tag
Data Processing Subsystem
Transponder
Consist of microchip that stores data and antenna
Active transponders have on-tag battery
Passive transponders obtain all power from the interrogation signal of reader
Active and passive only communicate when interrogate by transceiver
Transceiver
Consist of a RF module, a control unit, and a coupling element to interrogate tags via RF communication
Also have secondary interface to communicate with backend systems
Reads tags located in hostile environment and are obscured from view
Data Processing Subsystem
Backend System
Connected via high-speed network
Computers for business logic
Database storage
Also as simple as a reader attached to a cash register
RFID
Basic components of RFID system combine in the same manner
All objects are physically tagged with transponders
Type of tag used varies from application to application
Passive tags are most promising
RFID
Transceivers are strategically placed for given application
Access Control has readers near entrance
Sporting events have readers at the start and finish lines
Transceiver-Transponder Coupling and Communication
Passive tags obtain power from energy in EM field generated by reader
Limited resource require it to both get energy and communicate within narrow frequency band – regulatory agencies
Inductive Coupling
Uses magnetic field to induce current in coupling element
Current charges the on-tag capacitor that provides operating voltage
This works only in the near-field of signal – up to c/(2πf) meters
Inductive Coupling
Operating voltage at distance d is proportional to flux density at d
Magnetic field decreases in power proportional to 1/d3 in near field
Flux density is max when R ≈ d√2, where R is radius of reader’s antenna coil
Far Field energy harvesting
Uses reader’s far field signal to power tag
Far field begins where near field ends
Signal incident upon the tag induces voltage at input terminals of the tag, which is detected by RF front-end circuitry and is used to charge capacitor
Passive tag power
Reader uses same signal to communicate with and power tag
Any modulation of signal causes power reduction
Modulating information spreads the signal – referred to as “side band.”
Side band and max power is regulated
Transponder Communication
RFID systems generally use the Industrial-Scientific-Medical bands
In near field, communication is achieved via load modulation
In far field, backscatter is used. Backscatter is achieved by modulating the radar-cross section of tag antenna
Limitations of Passive Tag communication
Very little power available to digital portion of the IC, limited functionality
Length of transactions is limited
Length of power on
Duration within communication range
US regulations for 915 MHz limit transaction time to 400 ms
Limit of state information
Data Coding and Modulation
Determines bandwidth, integrity, and tag power consumption
Limited by the power modulation / demodulation capabilities of the tag
Readers are generally low bandwidth, due to government regulations
Passive tags can use high bandwidth
Coding
Level Codes
Non-Return-to-Zero
Return-to-Zero
Transition Codes
Manchester
Miller
Coding Considerations
Code must maintain power to tag as much as possible
Code must not consume too much bandwidth
Code must permit the detection of collisions
Coding for Readers and Tags
Reader to Tag uses PPM or PWM (lower bandwidth)
Tag to Reader uses Manchester or NRZ (higher bandwidth)
Modulation
RF communications typically modulate high frequency carrier signal to transmit baseband code
Three classes of digital modulation are ASK, FSK, and PSK.
ASK most common in 13.56 MHz load modulation
PSK most common in 915 MHz backscatter modulation
Tag Anti-Collision
Limited power consumption
State information may be unreliable
Collisions may be difficult to detect due to varying signal strengths
Cannot be assumed to hear one another
Algorithm Classification
Probabilistic
Tags respond in randomly generate times
Slotted Aloha scheme
Deterministic
Reader sorts through tags based on tag-ID
Binary tree-walking scheme
Algorithm Performance Trade-offs
Speed at which tags can be read
Outgoing bandwidth of reader signal
Bandwidth of return signal
Amount of state that can be reliable stored on tag
Tolerance of the algorithm to noise
Algorithm Performance Trade-offs
Cost of tag
Cost of reader
Ability to tolerate tags with enter and leave during interrogation period
Desire to count tags exactly as opposed to sampling
Range at which tags can be read
Regulations Effect
US regulations on 13.56 MHz bandwidth offer significantly less bandwidth, so Aloha is more common
915 MHz bandwidth allows higher bandwidth, so deterministic algorithms are generally used
13.56 MHz Advantages
Frequency band available worldwide as an ISM frequency
Up to 1 meter reading distance in proximity / vicinity read
Robust reader-to-tag communication
Excellent immunity to environmental noise and electrical interference
13.56 MHz Benefits
Well-defined transponder interrogation zones
Minimal shielding effects from adjacent objects and the human body
Damping effects of water relatively small, field penetrates dense materials
915 MHz Benefits
Long range (from a few to several meters, depending on regulatory jurisdiction)
High data rates
Fast anti-collision and tags per second read rate capabilities
The EPC System
System that enables all objects to be connected to the Internet by adding an RFID tag to the object
EPC
ONS
SAVANT
Transponders
The EPC
Electronic Product Code
ID scheme designed to enable unique id of all physical objects
Only data stored on tag, since information about object is stored on network
EPC acts like a pointer
The ONS
Object Name Service
Directory service that maps EPS to IP
Based entirely on DNS
At the IP address, data is stored in XML and can be accessed via HTTP and SOAP
The ONS
Reduces power and memory requirements on tag
Transfer data communication to backend network, saving wireless bandwidth
Makes system more robust
Reduces size of microchip on tag
Savant
System based on hierarchical control and data management
Provides automated control functionality
Manages large volumes of data
Acts as a gateway for the reader network to the next higher level
Savant
Transfers computationally intensive functionality from tag to powered system
Any single point of failure has only local effect
Enables entire system to be scalable since reader sub-systems are added seamlessly
RFID Transponder
Most numerous parts of system
Most cost-sensitive part
Protocols designed for 13.56 MHz and 915 MHz frequencies
Implement a password-protected Self Destruct command
RFID Security Benefits and Threats
Airline passenger and baggage tracking made practical and less intrusive
Authentication systems already in use (key-less car entry)
Non-contact and non-line-of-sight
Promiscuity of tags
Previous Work
Contact-less and constrained computational resource similar to smart cards
Analysis of smart card security concerns similar to RFID
RFID especially susceptible to fault induction and power analysis attacks
Security Goals
Tags cannot compromise privacy of holders
Information should not be leaked to unauthorized readers
Should not be possible to build long-term tracking associations
Holders should be able to detect and disable tags they carry
Security Goals
Publicly available tag output should be randomized
Private tag contents should be protected by access control and encryption
Spoofing tags or readers should be difficult
Low-cost RFID Issues
Inexpensive read-only tags are promiscuous and allow automated monitoring – privacy concern
Neither tags nor readers are authenticated – security concern
Full implementation of privacy and security is costly – cost concern
Possible solutions
Erase unique serial numbers at point of sale – tracking still possible by associating “constellations” of tags
Public key cryptography – too expensive
Shared key – if one tag is compromised, entire batch is effected
Approach to RFID Protection
Use one-way hash function on tag – “meta-ID”
When reader knows meta-ID, tag is ‘unlocked’ and readable
After reader is finished, tag is locked
Tag has self-destruct mechanism to use if under attack
Future Research
Development of low cost crypto primitives – hash functions, random number generators, etc.
Low cost hardware implementation w/o computational loss
Adaptation of symmetric encryption and public key algorithms from active tags into passive tags
Future Research
Developing protocols that make tags resilient to power interruption and fault induction.
Power loss graceful recovery of tags
Research on smart cards and other embedded systems