RFID Systems and Security and Privacy Implications

Auto-ID Center Massachusetts Institute of Technology www.autoi center.org

Sanjay E. Sarma Stephen A. Weis Daniel W. Engels

Auto-ID Center
! International in ustry-sponsore research center ! MIT" Cam#ri ge $ni%ersity" an $ni%ersity of A elai e ! Design" e%elop" an eploy large-scale fiel trials inclu ing &'ID projects

Overview
! ! ! ! &a io 're(uency I entification )&'ID* E+C System Security ,enefits an Threats 'uture

Uses of Automatic-ID Systems

! Access control an security ! Trac-ing of pro ucts in Supply Chain ! I of pro ucts at +oint of Sale Most wi ely use is the ,ar Co e System

Potential Application of RFID

! Consi er supply chain an EA.-$CC #ar co es ! / #illion #ar co es scanne aily ! Each scanne once only at chec-out ! $se &'ID to com#ine supply chain management applications

Benefits of Supply C ain !ana"ement

! Automate real-time in%entory monitoring ! Automate 0uality Control ! Automate Chec--out +icture your refrigerator telling you that you1re out of mil-2

# y not yet implemented

! Cost too high. .ee s to #e 345.65 ! 7ac- of stan ar s an protocols ! Security concerns 8 similar in smart car s an wireless ! +ri%acy issues 8 ,ig ,rother

RFID System Components

! &'ID Tag
8 Transpon er 8 7ocate on the o#ject

! &'ID &ea er
8 Transcei%er 8 Can rea an write ata to Tag

! Data +rocessing Su#system

$ransponder
! Consist of microchip that stores ata an antenna ! Acti%e transpon ers ha%e on-tag #attery ! +assi%e transpon ers o#tain all power from the interrogation signal of rea er ! Acti%e an passi%e only communicate when interrogate #y transcei%er

$ransceiver
! Consist of a &' mo ule" a control unit" an a coupling element to interrogate tags %ia &' communication ! Also ha%e secon ary interface to communicate with #ac-en systems ! &ea s tags locate in hostile en%ironment an are o#scure from %iew

Data Processin" Su%system

! ! ! ! ,ac-en System Connecte %ia high-spee networComputers for #usiness logic Data#ase storage

Also as simple as a rea er attache to a cash register

RFID
! ,asic components of &'ID system com#ine in the same manner ! All o#jects are physically tagge with transpon ers ! Type of tag use %aries from application to application ! +assi%e tags are most promising

RFID
! Transcei%ers are strategically place for gi%en application ! Access Control has rea ers near entrance ! Sporting e%ents ha%e rea ers at the start an finish lines

$ransceiver-$ransponder Couplin" and Communication

! +assi%e tags o#tain power from energy in EM fiel generate #y rea er ! 7imite resource re(uire it to #oth get energy an communicate within narrow fre(uency #an 8 regulatory agencies

Inductive Couplin"
! $ses magnetic fiel to in uce current in coupling element ! Current charges the on-tag capacitor that pro%i es operating %oltage ! This wor-s only in the near-fiel of signal 8 up to c9):;f* meters

Inductive Couplin"
! <perating %oltage at istance d is proportional to flu= ensity at d ! Magnetic fiel ecreases in power proportional to 69d> in near fiel ! 'lu= ensity is ma= when R ? d@:" where R is ra ius of rea er1s antenna coil

Far Field ener"y arvestin"

! $ses rea er1s far fiel signal to power tag ! 'ar fiel #egins where near fiel en s ! Signal inci ent upon the tag in uces %oltage at input terminals of the tag" which is etecte #y &' front-en circuitry an is use to charge capacitor

Passive ta" power

! &ea er uses same signal to communicate with an power tag ! Any mo ulation of signal causes power re uction ! Mo ulating information sprea s the signal 8 referre to as Asi e #an .B ! Si e #an an ma= power is regulate

$ransponder Communication
! &'ID systems generally use the In ustrial-Scientific-Me ical #an s ! In near fiel " communication is achie%e %ia loa mo ulation ! In far fiel " #ac-scatter is use . ,ac-scatter is achie%e #y mo ulating the ra ar-cross section of tag antenna

&imitations of Passive $a" communication

! Cery little power a%aila#le to igital portion of the IC" limite functionality ! 7ength of transactions is limite
8 7ength of power on 8 Duration within communication range

! $S regulations for D6/ MEF limit transaction time to G55 ms ! 7imit of state information

Data Codin" and !odulation

! Determines #an wi th" integrity" an tag power consumption ! 7imite #y the power mo ulation 9 emo ulation capa#ilities of the tag ! &ea ers are generally low #an wi th" ue to go%ernment regulations ! +assi%e tags can use high #an wi th

Codin"
! 7e%el Co es
8 .on-&eturn-to-Hero 8 &eturn-to-Hero

! Transition Co es
8 Manchester 8 Miller

Codin" Considerations
! Co e must maintain power to tag as much as possi#le ! Co e must not consume too much #an wi th ! Co e must permit the etection of collisions

Codin" for Readers and $a"s

! &ea er to Tag uses ++M or +WM )lower #an wi th* ! Tag to &ea er uses Manchester or .&H )higher #an wi th*

!odulation
! &' communications typically mo ulate high fre(uency carrier signal to transmit #ase#an co e ! Three classes of igital mo ulation are ASI" 'SI" an +SI. ! ASI most common in 6>./J MEF loa mo ulation ! +SI most common in D6/ MEF #ac-scatter mo ulation

$a" Anti-Collision
! 7imite power consumption ! State information may #e unrelia#le ! Collisions may #e ifficult to etect ue to %arying signal strengths ! Cannot #e assume to hear one another

Al"orit m Classification
! +ro#a#ilistic
8 Tags respon in ran omly generate times 8 Slotte Aloha scheme

! Deterministic
8 &ea er sorts through tags #ase on tag-ID 8 ,inary tree-wal-ing scheme

Al"orit m Performance $rade-offs

! ! ! ! Spee at which tags can #e rea <utgoing #an wi th of rea er signal ,an wi th of return signal Amount of state that can #e relia#le store on tag ! Tolerance of the algorithm to noise

Al"orit m Performance $rade-offs

! Cost of tag ! Cost of rea er ! A#ility to tolerate tags with enter an lea%e uring interrogation perio ! Desire to count tags e=actly as oppose to sampling ! &ange at which tags can #e rea

Re"ulations 'ffect
! $S regulations on 6>./J MEF #an wi th offer significantly less #an wi th" so Aloha is more common ! D6/ MEF #an wi th allows higher #an wi th" so eterministic algorithms are generally use

()*+, !-. Advanta"es

! 're(uency #an a%aila#le worl wi e as an ISM fre(uency ! $p to 6 meter rea ing istance in pro=imity 9 %icinity rea ! &o#ust rea er-to-tag communication ! E=cellent immunity to en%ironmental noise an electrical interference

()*+, !-. Benefits

! Well- efine transpon er interrogation Fones ! Minimal shiel ing effects from a jacent o#jects an the human #o y ! Damping effects of water relati%ely small" fiel penetrates ense materials

/(+ !-. Benefits

! 7ong range )from a few to se%eral meters" epen ing on regulatory juris iction* ! Eigh ata rates ! 'ast anti-collision an tags per secon rea rate capa#ilities

$ e 'PC System
! System that ena#les all o#jects to #e connecte to the Internet #y a ing an &'ID tag to the o#ject ! E+C ! <.S ! SACA.T ! Transpon ers

$ e 'PC
! Electronic +ro uct Co e ! ID scheme esigne to ena#le uni(ue i of all physical o#jects ! <nly ata store on tag" since information a#out o#ject is store on networ! E+C acts li-e a pointer

$ e O0S
! ! ! ! <#ject .ame Ser%ice Directory ser%ice that maps E+S to I+ ,ase entirely on D.S At the I+ a ress" ata is store in KM7 an can #e accesse %ia ETT+ an S<A+

$ e O0S
! &e uces power an memory re(uirements on tag ! Transfer ata communication to #ac-en networ-" sa%ing wireless #an wi th ! Ma-es system more ro#ust ! &e uces siFe of microchip on tag

Savant
! System #ase on hierarchical control an ata management ! +ro%i es automate control functionality ! Manages large %olumes of ata ! Acts as a gateway for the rea er networ- to the ne=t higher le%el

Savant
! Transfers computationally intensi%e functionality from tag to powere system ! Any single point of failure has only local effect ! Ena#les entire system to #e scala#le since rea er su#-systems are a e seamlessly

RFID $ransponder
! Most numerous parts of system ! Most cost-sensiti%e part ! +rotocols esigne for 6>./J MEF an D6/ MEF fre(uencies ! Implement a passwor -protecte Self Destruct comman

RFID Security Benefits and $ reats

! Airline passenger an #aggage trac-ing ma e practical an less intrusi%e ! Authentication systems alrea y in use )-ey-less car entry* ! .on-contact an non-line-of-sight ! +romiscuity of tags

Previous #or1
! Contact-less an constraine computational resource similar to smart car s ! Analysis of smart car security concerns similar to &'ID ! &'ID especially suscepti#le to fault in uction an power analysis attac-s

Security 2oals
! Tags cannot compromise pri%acy of hol ers ! Information shoul not #e lea-e to unauthoriFe rea ers ! Shoul not #e possi#le to #uil longterm trac-ing associations ! Eol ers shoul #e a#le to etect an isa#le tags they carry

Security 2oals
! +u#licly a%aila#le tag output shoul #e ran omiFe ! +ri%ate tag contents shoul #e protecte #y access control an encryption ! Spoofing tags or rea ers shoul #e ifficult

&ow-cost RFID Issues

! Ine=pensi%e rea -only tags are promiscuous an allow automate monitoring 8 pri%acy concern ! .either tags nor rea ers are authenticate 8 security concern ! 'ull implementation of pri%acy an security is costly 8 cost concern

Possi%le solutions
! Erase uni(ue serial num#ers at point of sale 8 trac-ing still possi#le #y associating AconstellationsB of tags ! +u#lic -ey cryptography 8 too e=pensi%e ! Share -ey 8 if one tag is compromise " entire #atch is effecte

Approac to RFID Protection

! $se one-way hash function on tag 8 Ameta-IDB ! When rea er -nows meta-ID" tag is Lunloc-e 1 an rea a#le ! After rea er is finishe " tag is loc-e ! Tag has self- estruct mechanism to use if un er attac-

Future Researc
! De%elopment of low cost crypto primiti%es 8 hash functions" ran om num#er generators" etc. ! 7ow cost har ware implementation w9o computational loss ! A aptation of symmetric encryption an pu#lic -ey algorithms from acti%e tags into passi%e tags

Future Researc
! De%eloping protocols that ma-e tags resilient to power interruption an fault in uction. ! +ower loss graceful reco%ery of tags ! &esearch on smart car s an other em#e e systems