Improving Security and Usability of Low Cost

RFID Tags
Ali N M Noman
1
, Sk. Md. Mizanur Rahman
2
and Carlisle Adams
2

School of Information Technology & Engineering (SITE), University of Ottawa
Ottawa, ON, Canada.
1
anoma033@uottawa.ca,
2
{mirahman, cadams}@site.uottawa.ca


Abstract Low cost RFID tags pose unique security challenges.
Data tampering is one of such challenges that need to be
addressed. In this paper, we propose a tamper detection solution
for the EPC-Class1 Generation2 tag (a low cost passive RFID
tag) based on a cryptographic PRNG (a pseudo random number
generator for low cost RFID tags) function called LAMED and
the Skew Tent chaotic map. Most of the existing solutions can
only detect tampering in some portions (e.g. the OC or the EM
field of EPC tag) of an RFID tag; in contrast, our solution can
detect and discriminate tampering anywhere in the RFID tag.
Moreover, unlike the existing tamper detection solutions, our
proposal also includes a solution for cloning detection.
Furthermore, this solution offers better security than the
existing tamper detection solutions. Managing passwords for
each individual tag is one of the main challenges for adopting
security solutions in RFID applications, such as supply chain
management; we address this issue in our solution by
dramatically minimizing the load of password management and
thus our solution becomes quite feasible for existing low cost
RFID applications. Last, but not least, our proposed solution is
compatible with the EPC Tag Data Standards for EPC Class1
Gen2 tags proposed by the EPCglobal and GS1 (Global
Standardization Body).


Keywords RFID security; tamper detection; tag cloning; EPC
Class1 Gen 2 tag.
I. INTRODUCTION
The first instance of RFID (Radio Frequency
Identification) application was found in the 2
nd
World War
where it was deployed as a friend or foe authenticator. In
recent years, there has been a notable increase in the
deployment of RFID (Radio Frequency Identification) tags in
supply chain management, smart appliances and access
control applications and we will definitely see many more
RFID applications in the next few years due to the low
production costs and very small size of the tags [1, 2, 3, 4].
RFID technology will soon become a core enabler for
pervasive computing environments [2]. The GS1 (Global
Standardization body) forecasted that 87 million tags will be
sold in Europe alone by 2022 and around 6 million RFID
readers will be deployed by 2022 [2]. The standardization
bodies such as the EPCglobal and GSI (Global
Standardization body) are working together to ensure the
proliferation of RFID applications by proposing and managing
a global standard for RFID tags.
However, the main challenge to the proliferation of RFID
technology is to provide security solutions for low-cost
passive RFID tags. RFID technology poses unique privacy
and security concerns [20]. Humans cannot sense the RF
radiation used to read tags, and the tags themselves typically
maintain no history of past readings. As a result, tags are
promiscuous: they can be read by entities other than their
owners and without their owners' knowledge. Unfortunately, it
is infeasible to incorporate into such tags any public key
primitives, even standard symmetric key encryption/
decryption algorithms (e.g., AES). To be more precise, current
RFID tags costing below $0.50 offer up to 2000 logic gates
for security purposes where ECC, AES, and SHA-1 require
15000, 3400, 4300 logic gates respectively [2, 7]. The RFID
community has already offered a lot of security solutions for
RFID but almost all of them are asking for bit more from the
low-cost RFID tags. Either those solutions ask for additional
computation or additional memory which makes those
solutions inapplicable at the moment for the existing low cost
RFID tags. Moreover, managing passwords for each
individual tag makes those solutions unattractive to most of
the existing RFID applications.
Within the security umbrella of RFID, there are several
open issues and data tampering is one such which needs
addressing. If the data stored on the tag is tampered with, then
the tag becomes useless. Unfortunately it is relatively easy to
tamper with the data stored on the RFID tag. Grunwald
showed how vulnerable RFIDs can be when he used a small
program called RFDump to show how the tags could be read,
altered or even deleted using an inexpensive tag reader [6]. In
addition, cloning is a technique which can also be used to
tamper with an RFID tag without being detected (in most of
the time). In this case, an attacker can make a clone of a
particular tag by reading all information (e.g. product
information) from the desired tag and then writing it to a new
tag. Furthermore, the motivation of an attacker behind
launching a tampering attempt of RFID tags might be to gain
some economic benefits or thwart his/her competitors
reputation. For instance, changing the product type
information (e.g. from watch to orange) of a RFID tag
may reduce the transportation cost (or ease entry at overseas
port) and could also cause incorrect product delivery to
customers.
Even though at present there exist a number of tamper
detection solutions, almost all of them have some major
limitations: some of them are not suitable for low cost Gen2
tags, some of them include a huge burden of password
management and some of them do not offer adequate security.
Furthermore all of those solutions cannot detect the tag
modification done by cloning. So a robust and the EPC Tag
Data Standards (for Gen2 tags) compatible tamper detection
solution are required for low cost RFID tags to ensure the
integrity of RFID applications.
978-1-4577-0584-7/11/$26.002011 IEEE
2011 Ninth Annual International Conference on Privacy, Security and Trust
In this paper, we propose a complete (an
solution for the data tampering problem
tags. The basis of our proposal is a cry
function called LAMED [15] which is sp
for the Gen2 tag. Note that apart from th
there also exist other Gen2 tag compatibl
which are proposed in [21] and [22]. In a s
solution works as follows: with the k
password, a legitimate reader computes the
VC (like a hash value) from the EPC tag
function and keeps it in the user memory b
user memory bank is locked for write pro
malicious reader can modify it. Any modifi
tag will cause a deviation in the newly calc
code (VC) from the verification code (VC
memory and thus tampering can be dete
detecting data tampering in a tag, our pro
also identify the portion of a tag that has b
(i.e. tamper discrimination). Unlike the
detection solutions, our proposal provides
most importantly includes a solution for clo
A. Preliminaries
An RFID system is generally comp
Transponder (tag) and an RFID Interrogato
An RFID tag is a tiny chip with an antenn
attached to an object. It can store d
identification number of the attached object
data in response to the interrogation of a (v
using the Radio Frequency spectrum. A rea
computational capabilities) can be conne
database and gets the data by interrogatin
eventually may be fed into the datab
manipulated by an application such
management.
The latest EPC Tag Data standards for
tags (also known as EPC-C1G2 tags and G
complete specification for the 96 bit EPC (
Code) tag [5]. In the specification, the tag
into four distinct banks, each of which ma
more memory words, where each word is
memory banks are described as Reserve
and User [Figure 1a]. The Reserve mem
kill and access passwords; the EPC mem
electronic product code information (EPC)
identifying the object to which the tag is o
the TID memory bank contains data that
reader to identify the tags capability; and t
bank is intended to contain user-specific d
reserve memory bank is read and write prot
role of the 32 bit kill password is to perma
tag, the 32 bit access password is used fo
write lock) any memory bank of a Gen2 ta
reserve memory, all other memory ban
memory bank can only be locked to
protected (i.e. write locking).
In addition, the data stored in the EPC
Gen2 tag has four fields: the 8-bit Header, H
00110101 which guarantees the unique
namespace), the 28-bit EPC Manager, EM (
company or an organization); the 24-bit
(which represents a unique type of p
company); the 36-bit Serial Number, SN (
unique item within a particular product).
structure of the electronic product code (EP
Among the four fields of an EPC tag, the H
nd feasible as well)
of low cost RFID
yptographic PRNG
ecifically proposed
he PRNG LAMED,
le PRNG functions
short, our proposed
knowledge of the
e verification code,
using the LAMED
bank. After that, the
otection so that no
fication in the RFID
culated verification
C) stored in the user
ected. Apart from
oposed solution can
been tampered with
e existing tamper
better security and
oning detection.
osed of an RFID
or or RFID Reader.
na and is normally
ata (basically the
t) and transmits that
valid) RFID reader
ader (with sufficient
cted to a backend
ng a tag. That data
base and then be
as supply chain
r EPC Class1Gen2
Gen2 tags) include a
(Electronic Product
memory is divided
ay comprise one or
16 bits long. These
ed, EPC, TID
mory bank contains
mory bank contains
) which is used for
or will be attached;
can be used by the
the User memory
data. Moreover, the
tected. Whereas the
anently deactivate a
for locking (mainly
ag. Apart from the
nks, such as user
make them write
memory bank of a
H (a fixed identifier
eness in the EPC
(which represents a
Object Class, OC
products within a
(which represents a
Fig 1b shows the
PC) of a Gen2 tag.
H and the EM fields
are assigned by the EPCglobal.
responsible to assign the OC and
means an EPC manager has
prescribed format or any numbe
for assigning the OC and the SN


Fig. 1 Structure of a Gen 2 tags me

B. Related Work
Most of the existing tamper
for RFID tags do not conform t
for Gen 2 tags (from now on
specification). Yamamoto, et
based on a technique known a
which does not require passwor
new concept of special memory
which the tag itself can only
history) but the reader can
promising but unfortunately th
deployed as it requires a modif
tags. In addition Hitachi Secure
read/write lock function which
tampering on the RFID tag w
shared if the number of part
traceability is less than or eq
drawback of this solution is t
implement a modified version o
suitable for existing low cost RF
One of the main challenge
solutions in this domain is that
password management because
password for each individual ta
C1G2 tags and ISO/IEC 18000
write lock mechanisms (known
Scheme) using the 32 bit access
for tamper protection of RFI
passwords for each individual t
unattractive for most of the ex
addition, the authors of [17]
solution based on the public
detect tampering; however it is n
tags and cannot detect tamperin
a tag.
There are a number of waterm
can effectively address the data
RFID tags; some of them [12
password management issue a
asking for any modification in
authors propose a data recovery
where the watermark message i
RFID tags sequentially. This
access to the RFID tags, one af
However an EPC manager is
d SN fields of an EPC tag; that
the flexibility to choose any
er of bits ( <= maximum size)
N field of an RFID tag.

emory map and its 96 bit EPC.
detection solutions [8, 10, 11]
to the EPC Tag data standards
n we will call it EPC-C1G2
al., proposes a solution [10]
as digitally signed journal [9],
rd management. It introduces a
y block within the RFID tag to
write (to record the reading
only read. This solution is
his solution cannot be easily
fication in existing EPC-C1G2
e Tag [11] offers a block level
h can efficiently guard against
where passwords need not be
ties involved in the product
qual to 5. However the main
that a reader or writer must
of the air protocol; i.e., it is not
FID tags.
es for the existing security
t it includes a huge burden of
e of the usage of a separate
ag. For instance, current EPC-
0-6 type C tags [5, 8] provide
n as the Bank Level Locking
s password which can be used
ID tags. However managing
ag makes this kind of solution
xisting RFID applications. In
present an anti counterfeit
key cryptography which can
not suitable for low cost RFID
ng if it is done through cloning
marking based solutions which
a tampering issue of low cost
2,13, 14] can even avoid the
and can be deployed without
the existing tags. In [12], the
y solution using watermarking
s distributed among a series of
solution requires sequential
fter another (i.e. reading tag1,
then tag 2 and so on). This makes this solu
most of the RFID applications as sequenti
not desired all the time and problems ma
within the sequence is corrupted. In [13] an
provide a watermarking based tamper det
RFID where the Serial Number (SN) field i
medium to detect any modification occu
EPC Manager (EM) or in the Object Class
both at the same time. Moreover all of th
based solutions do not detect cloning and
the security of those solutions relies on
underlying watermarking algorithm.
watermarking based solution presented in
security than solutions presented in [12, 13
it requires a password to generate the w
chaotic map. Along with the huge burde
(e.g., millions of passwords for each it
management, the other limitation of this
cannot detect tampering done through cloni
Even though the solution presented in
C1G2 compatible tamper detection (tampe
also possible) solution, but this soluti
limitations: huge burden of password
inability of detecting tampering when i
cloning a tag.
On top of the existing solutions, this pap
these limitations by proposing a complete
tampering in RFID tags. Our proposed
detects data tampering anywhere in the RF
identify a cloned tag. In addition, it offers b
almost all of the existing tamper de
Furthermore, this solution is compatible
specification and thus suitable for the low c

C. Contributions
A complete data tampering solution for
tags is presented in this paper. The contribu
can be summarized as follows:
Unlike many existing solutions, our pro
detect as well as discriminate tamper
tampered portion of the tag) anywhere

In contrast to all existing tamper detec
paper includes a solution for cloning de
Compared to existing tamper detection
cost RFID tags, it provides better secur

Considering the need of the existing
we try to minimize the burden
management (by reducing it by
magnitude). Whereas all existing cryp
use a password for each individual ta
solution we assign a password for eac
that means we assign a password
category of a particular company (e.g
all Dove soaps in Wal-mart).
proposal applicable to many existing R

Our proposed solution is compatible
Data Standards for Gen 2 tags and thu
to the existing low cost RFID tags.

ution unsuitable for
al access of tags is
ay occur if any tag
nd [14], the authors
tection solution for
is used as the cover
urring either in the
s (OC), but not for
hese watermarking
d most importantly
the secrecy of the
However the
n [18] offers better
3, 14]; for each tag
watermark using a
n of the password
tem of a product)
solution is that it
ing a tag.
n [19] is an EPC-
er discrimination is
ion has also two
management and
it is done though
per tries to solve all
e solution for data
solution not only
ID tag but also can
better security than
etection solutions.
to the EPC-C1G2
cost Gen2 tags.
r the low cost RFID
utions of this paper
oposed solution can
ring (i.e. locate the
in the RFID tag.
ction solutions, this
etection.
n solutions for low
rity.
RFID applications,
of the password
several orders of
tographic solutions
ag, in the proposed
ch <EM, OC> pair;
for each product
. one password for
This makes our
RFID applications.
with the EPC Tag
us easily deployable
The remainder of the paper
system and attack model is prov
our proposed solution in detail i
perform an extensive analysis o
includes implementation issue
solution and issues regarding co
C1G2 standard. We draw our co

II. SYSTEM & A
In this paper, we consider
shown in Figure 2. This model
existing RFID applications such
and traceability applications. I
reader is considered to be conn
unit (e.g. computer) and a dat
resources to do any computatio
model are low cost passive R
limitations in doing expensive
hand, here the attackers role is
which has fewer resources than


Fig. 2 The system and attack m
We make the following reas
the attack model (i.e. regarding
An attacker gets limited tim
valid assumption becaus
applications an attacker ca
tags for a long period of
caught). To be more preci
the necessary time and com
a brute force attack to tam
order to do cloning, what
desired tag information and
he will use the recorded inf

An attacker intends to mo
OC field of an RFID tag b
financial benefit. Any tam
will make the entire tag
uniqueness of the EPC tag
the SN field does not off
attacker.

An attacker considered in
the access password from
cannot write (but read) in t
is organized as follows. The
vided in section II. We discuss
in section III. In section IV, we
of our proposed solution which
es, security of the proposed
ompatibility towards the EPC-
onclusions in section V.
ATTACK MODEL
the system and attack model
is particularly suited for many
h as supply chain management
In this model, the legitimate
nected to a central processing
tabase, and thus has adequate
on. The RFID tags used in this
RFID tags. These tags have
computations. On the other
s played by a malicious reader
the legitimate reader.

model of RFID applications
sonable assumptions regarding
the attacker):
me to modify a tag. This is a
se in most of the RFID
annot stay close to the RFID
f time (otherwise he will be
ise, an attacker does not have
mputational resources to launch
mper with a tag. However in
t he can do is just read the
d then whenever he gets time
formation to do the cloning.
odify mainly the EM and the
because it can give him some
mpering attempt in the H field
invalid as it represents the
g. Additionally tampering with
fer any kind of benefit to an
this model does not retrieve
the reserve memory and thus
the user memory bank when it
is locked for write protection. This is a valid assumption
for the EPC-C1G2 tags.

Furthermore, we also make the following valid
assumptions regarding the system model:
According to the EPC Data Standards for Gen2 tags,
implementation of the user memory bank is optional.
Since our proposed solution requires user memory, any
Gen 2 tag (e.g. Impinj Monza 4 tag) that supports user
memory can be used in our solution.

We assume that the total number of items in a particular
product does not exceed 2
32
. To be more precise, in this
system model, 32 bits (instead of 36 bits) are used for the
SN field; this is adequate for most of the RFID
applications. [The reason for this assumption is that the
proposed tamper detection solution can generate at most
2
32
unique verification codes.]

In order to optimize the password management of our
proposed solution, we assign the same password to all
items within a same product category of a particular
organization (instead of giving a separate password for
each instance of that category). It is true that theoretically
using the same password for all items of a particular
product (up to 2
32)
means a tradeoff between simplicity
(password management and computational overhead)
and security.

However according to the attack model,
using same password for all items in a particular product
does not give any additional advantage to the attacker.
Furthermore, it will significantly improve the password
management of our proposed solution.

Note that throughout this paper whenever we talk about an
RFID tag, we basically mean a GEN2 tag.


III. PROPOSED SOLUTION
In this section, we first describe a basic tamper detection
solution that can only do the overall tamper detection of a
RFID tag but cannot identify (i.e. discriminate) which portion
of the tag is tampered with. Then we discuss the extended
version of the solution which can detect and discriminate data
tampering in a RFID tag. Finally we also provide a solution
for cloning detection which can be easily incorporated with
the previous solution to make a complete tamper detection
solution (which can also detect tampering done by cloning a
tag). Note that if an RFID application wishes to ensure
complete tamper detection solution it can achieve so by just
executing the proposed tamper detection and cloning
detection solution one after another.
Notation: We use the following notation in describing our
proposed solution:
H: 8 bit Header field of EPC
EM: 28 bit EPC Manager field of EPC
OC: 24 bit Object Class field of EPC.
SN: 36 bit Serial Number field of EPC
AP: 32 bit access password
EM32, OC32
SN32:
32 bit EM and OC ( with padding)and
SN[0 to 31]
VC, VC: Verification Code used in the tamper
detection solution
Rch: A random number which is sent by the
reader to the tag as a challenge during the
cloning detection protocol.
Rp: The response of the (valid) tag sent to the
reader during the cloning detection
protocol.
Mix32: 32 bit output generated from an x-or
operation
Pad_F: A function which makes an input (which
is less than 32 bit) up to 32 bits long
using padding. We use this function to
generate EM32 and OC32
LAMED: A function (Pseudo Random Number
Generator) which produces a 32 bit
output. It is mainly used in the
verification code (VC) generation
process of the tamper detection solution.
LAMED-EPC: It is almost the same as the LAMED
function. Here a 16 bit output is
generated by doing an x-or operation
between the two halves (MSB16 and
LSB16) of the 32-bit output generated by
the LAMED function.
A. Tamper Detection
The concept of our tamper detection solution is very
simple. For each tag, a 32-bit long verification code (VC) is
generated from the EM, OC and SN fields of an EPC tag. This
VC is generated using a cryptographic PRNG function called
LAMED which is specifically proposed for the EPC-C1G2
tag; the 32-bit access password is used as the key for this
function. This VC is unique for each tag since the SN field of
each tag is unique. Note that according to the system model
considered in this paper, 32 bits (SN [0 to 31]) are used for
the SN field. Prior to deploying the tag into any RFID
application, such as supply chain management a legitimate
reader generates this VC and keeps it in the user memory
bank of the EPC tag. Note that we use a chaotic map (the
Skew Tent map) to randomly choose the locations in the user
memory for the VC. At the end, the legitimate reader locks
the user memory for write protection using the access
password. As a result, every reader can read from the user
memory but cannot modify it without knowing the access
password. That means even though a malicious reader can
easily modify the EPC tag information such as the EM, OC
and SN fields, but he cannot modify the VC
memory bank (since he does not know the
However in order to do the tamper dete
reader first recomputes the VC for the t
procedure and then compares it with the
the user memory bank. The detailed descrip
detection procedure is given below:

a. Tag Verification Code (VC) Generatio
Figure 3 shows the procedure for g
verification code by a legitimate tag reade
following 3 steps:

Step 1: Make the 28 bit EM and the 24 b
(EM32 and OC32 respectively) using the
According to the system model, the effectiv
field is 32 (SN32 = SN [0 to 31]).


Fig. 3 Verification code (VC) generation proce
.
Pad_F function: [no secret key required]
Begin
a. Calculate the number of bits for padding
Example: In the case of EM [0 to
28=4).
b. Use j number of MSBs (Most Signif
pad. For example, Pad [0 to 3]:=EM
c. Append the Pad with the Least Sign
portion of the input.
Example: EM32 [4 to 31]:= EM [
EM32 [0 to 3]:= Pad [0
d. Thus a 32 bit output is produced.
Example: EM32 [0 to 31] and
(Similarly) OC [0 to 31]
End

Step 2: Generate the 32 bit long Mix32 by
operation between the EM32, the OC32 and S

Step 3: Generate the 32 bit VC by feeding
hash like PRNG (Pseudo Random N
function called LAMED. Note that the ac
is used as the secret key in this function
C stored in the user
e access password).
ection, a legitimate
tag using the same
VC code stored in
ption of the tamper
on:
generating the tag
er. It includes the
bit OC into 32 bits
Pad_F function.
ve length of the SN

edure
ng (j).
27], it is 4(j=32-
ficant Bits) as the
[24 to 27];
ificant Bit (LSB)
[0 to 27];
0 to 3];
].
y applying an x-or
SN32.
ng the Mix32 into a
Number Generator)
ccess password, AP
LAMED Function: This exis
PRNG function is based on
suitable for low cost RFID ta
function consists of an initiali
Mix
32
as the iv) and a key, s (
which is only known by legi
Whereas a detailed description
[15], a short summary of the
below:
Begin
a. A 32bit output is generated




Where n is the numbe
this case it is 32),
Generator (MTG), a0 a
integers (generated by M
End
b. Embedding the VC into the
In order to make it more diff
break our proposed solution,
positions from the n bit long u
32 bit) to keep the 32 bit long V
tag supports up to 512 bit user
map for this purpose. A chaot
properties of pseudo-randomn
conditions (i.e. a minor change
a major change in the output,
effect), is suitable for randomly
locations where m < n. In this
very simple one-dimensional c
Tent map to randomly choose 3
long user memory. The skew
generates a sequence which is
the interval [0, 1] and distribute
Fig. 4 depicts the sensitivity
conditions (shown on the le
parameters (shown on the right)



Where o onJ x

are s
condition respectively.


Fig. 4 The sensitivity of the Skew Te
figure) as well on the system
o
o
n+1
= _
o
1
n
+ i:
o
1
n
@ i:
o
1
n+1
= _
(a
0
n
, a
1
n
)@
(a
0
n
, a
1
n
) +
x
+1
= F(o, x

) = _
x

o
,
1 - x
1 - o
sting EPC-CIG2 compatible
a genetic algorithm and is
ags. The seed of this PRNG
zation vector, iv (we use the
(i.e. the access password, AP
itimate readers and the tag).
n of LAMED can be found in
e LAMED function is given
d from the following equations:
(1)
(2)
er of inner state variables (in
0 is the Mersenne Twister
and a1 are 32 bit long unsigned
MTG).
user memory bank:
ficult for a malicious reader to
we randomly choose 32 bit
user memory bank (here n >>
VC. [Note that Impinj Monza 4
r memory.] We use a chaotic
tic map, having the desirable
ness and sensitivity to initial
in the initial condition makes
also known as the butterfly
y choosing m locations from n
s proposed solution, we use a
chaotic map, called the Skew
32 bit positions from the N bit
w tent map, outlined below,
s expansionary everywhere in
ed uniformly within this range.
y of this equation on initial
eft) as well on the system
).

(3)
system parameter and initial

ent map on the initial condition (left
m parameter (the right one).
: i n is oJJ
: i n is oJJ

@ s i n is oJJ
+ s i n is c:cn

x

= |u, o)
x

o
, x

(o, 1]

VC Embedding Algorithm: [secret key requ
It includes the following 4 steps:

Step1: Calculate the initial condition, x

b
bit secret key(s) into decimal fractions as fo


For password management simplicity,
16 bits of the 32 bit access password (AP)
It means s[0 to 15] =AP[0 to 15].

Step 2: Generate the random vector, Ron
(got from eqn. 4) into eqn. (3) with a fixed
[We consider decimal fraction of last 16
password (AP) as the system parameter
sequence which is uniformly distributed on
the size of the user memory bank.


Step3: Apply the floor function on each e
real numbers) of the RonJ
cc
to convert th
format and then select the first 32 disti
integer values) as the embedding location
provides the 32 bit embedding location in
bank.

Step4: Embed the VC into the recently
positions of the user memory bank. T
positions of the user memory (i.e. n-32) a
some random values.

Step5: The legitimate reader then locks th
write protection using the access password.

c. VC Extraction & Tamper Detection
Whenever a legitimate RFID reader
whether a particular RFID tag is tampered
do it using the following algorithm:

VC Extraction & Tamper Detection Algorit
[secret key required]
Begin
a. Extract the 32 bit VC from the user m
target EPC tag following the VC embed

b. Recompute the 32 bit verification code
and SN fields of the target EPC tag u
verification code generation procedure d
save it in VC.

c. The legitimate reader then makes the de

IF (VC [0 to 31] != VC[0 to 31
Tampering occurred in the R
ELSE
No tampering occurred;
End
x

= s
n-1
- 2
-1
+ s
n-2
- 2
-2
+ s
n-3
-
+ +s
0
- 2
-n

RonJ
cc
= (n - 1) - x
+1

uired;]
by converting the n
ollows:

(4)
we take the first
as s.
nJ
cc
by feeding x

d parameter, .
bits of the access
r, .] It includes a
[0, n-1] where n is

(5)
element (which are
hem into the integer
inct elements (i.e.
ns for the VC. It
n the user memory
y identified 32 bit
The remaining bit
are then filled with
he user memory for
r wants to check
with or not, he can
thm:
memory bank of the
dding algorithm.
e from the EM,OC
using the same Tag
discussed above and
ecision as follows:
1])
RFID tag

B. Tamper Discrimination
Along with the overall tamp
some RFID applications migh
location in the RFID tag which
tamper discrimination). The
solution can be easily extended
tamper discrimination task. To b
changes have to be made in the
First of all, 32 more bits are
(VC); as a result now the veri
Figure 5 shows how the 64-b
generated for this tamper discrim
a 16-bit verification code is gen
the OC fields of an RFID t
function and then these 32 bits
positions with the previous 32-
LAMED function). Note that th
same as the LAMED function
output by doing an x-or operati
the 32-bit output generated by
additional 32-bit VC (16 bits e
OC fields) will be used in the
tamper discrimination for a targ
Secondly, the VC embedding
as the previous solution exce
(instead of 32 bits) need to be e
bank (so the size of the user mem


Fig. 5 Verification Code (VC) Gener

Finally after extracting the
from the user memory bank (
discussed in previous solution)
tamper discrimination (along
detection) for a particular tag as
the 64-bit verification code, VC
logic to make a decision reg
discrimination.

IF (VC[0 to 63] != V
Tampering occurr
IF (VC [32 to 47
Tampering oc
IF (VC [48 to63]
- 2
-3
per detection of a RFID tag,
ht want to also identify the
h has been tampered with (i.e.
proposed tamper detection
so that it can also perform the
be more precise, the following
previous solution.
added to the verification code
ification code is 64 bits long.
bit long verification code is
mination solution. In this case,
nerated for each of the EM and
tag using the LAMED-EPC
s are appended onto the LSB
bit long VC (generated by the
he LAMED-EPC (is almost the
n) function generates a 16-bit
ion between the two halves of
y the LAMED function. This
each for both the EM and the
verification process to do the
get RFID tag.
g process is exactly the same
ept that in this case 64 bits
embedded in the user memory
mory bank should be > 64).

ration for tamper discrimination
64-bit verification code, VC
following the same approach
a legitimate reader can do the
g with the overall tamper
s follows. He first recomputes
C. Then he uses the following
garding tamper detection and
VC [0 to 63)
red in the RFID tag
7] != VC[32 to 47])
ccurred in the EM field
] != VC[48 to 63])
Tampering occurred in the
ELSE
No tampering occurred;
END

Note that whereas this tamper discrimin
do the overall tamper detection correctly fo
it can discriminate tampering (i.e. iden
portion of the tag [e.g. the OC or the EM])
since we use a 16-bit verification code for e
the OC fields. However, the given tam
limitation can be easily resolved by just inc
the VC for both the EM and the OC fields.


C. Cloning Detection
Along with reading the EPC tag inform
EM, OC and SN fields), an adversary can a
user memory bank. So it is quite possible
clone an existing tag; in this case all he
those information into a new RFID tag.
proposed tamper detection and discriminati
unable to detect the data tampering the ta
by cloning a particular tag); the VC
legitimate reader will be similar to the ver
extracted from the user memory. In or
problem, we also present a fix (i.e. a ch
protocol) to our proposed solution in order
tag. Whenever a legitimate reader wants
particular tag is a cloned one or not, h
following challenge response protocol show

Fig.6 A challenge response protocol for Clo

Step1: A legitimate reader first generates
R
ch
as a challenge and sends it to the target
use the LAMED function to generate this c

Step2: A valid tag is supposed to genera
from the challenge R
ch
as follows: R
p
=LAM
AP is the access password stored in the res
tag then sends the response back to the read

Step3: The legitimate reader computes R
to the received response R
p
. If R
p
equals
tag will be considered as a valid one; ot
considered as a cloned one.
e OC field
nation solution can
or all (i.e. 2
32
) tags,
ntify the tampered
) for only 2
16
tags
each of the EM and
mper discrimination
creasing the size of


mation (such as the
also easily read the
for an adversary to
needs to write all
It implies that our
ion solution will be
ag (when it is done
recomputed by a
rification code, VC
rder to solve this
hallenge- response
r to detect a cloned
to check whether a
he can execute the
wn in figure 6.

oning Detection
a random number,
t RFID tag. He can
challenge.
ate the response R
p
MED
AP
(R
ch
) where
serve memory. The
der.
R
p
and compares it
R
p
, then the target
therwise it will be
This simple but effective clo
as follows. An adversary (a mal
the access password from the r
is able to clone a tag by using
EPC and the user memory bank
does not have the correct acc
memory) to generate the correc
detection protocol; as a result th
by the legitimate reader.

IV. DISCUSSION
Our proposed solution is c
Data Standards for the Gen 2
suitable for the existing resourc
In the proposed tamper dete
solutions, most of the comput
legitimate reader who has adequ
memory resources (according
RFID tag has to do is nothin
function once to generate th
detection solution. Except the
operations (e.g. x-or, padding) u
are very cheap and can be eas
low cost RFID tags. However,
the EPC-C1G2 specification [1
by the existing low cost Gen
shown in [15] that LAMED req
gates which is less than half the
available for security purposes
tent map function used in th
verification code, VC in the
computed by a legitimate r
embedding algorithm can be co
system initialization phase a
legitimate RFID readers to
overhead. Since this solution d
resources (in terms of compu
resource limited Gen 2 tags, it
the EPC Gen2 tag data standard
Furthermore, the propose
security specifications for the G
the main pillar of the proposed
LAMED-EPC) function satisfie
the Gen2 tags specified in the
A thorough standard security a
LAMED-EPC) function is prov
serial correlation test, differ
exhaustive bit and byte predictio
The most practical securi
detection solution for the low
against an illegitimate reader
RFID tag without being detect
an attacker does not know the
he can neither modify the user
LAMED function and thus can
tag. In addition even if he tri
detected since the cloned tag d
password, which is required to
using the LAMED function. So
no other option but to launch a
he has to try all possibilities) a
challenges: predicting the outpu
ning detection protocol works
licious tag reader) cannot read
eserve memory. So even if he
the information read from the
k of a valid tag, the cloned tag
cess password (in its reserve
ct response (R
p
) of this cloning
he cloned tag will be detected
N & ANALYSIS
compatible with the EPC Tag
tags; to be more precise it is
ce-limited low cost RFID tags.
ection and cloning detection
tations are performed by the
uate computational power and
to our system model); all an
ng but execute the LAMED
he response of the cloning
LAMED function, all other
used in our proposed solutions,
sily computed by the existing
, the LAMED function meets
5] i.e., it can also be executed
n2 tags. It has been formally
quires slightly less than 1.6 K
e memory threshold value (4K)
s [16]. Furthermore the skew
he embedding process of the
tamper detection solution, is
reader. However, this VC
omputed only once during the
and then shared among all
reduce the computational
does not ask for any additional
utation or memory) from the
t is certainly compatible with
ds.
ed solution also meets the
Gen 2 tags. To be more precise,
d solution, the LAMED (also
es the security requirement of
EPC-C1G2 tag data standard.
analysis of the LAMED (and
vided in [15] which include a
ential analysis test and an
on tests.
ity challenge for a tamper
w cost RFID tags is to guard
modifying a portion of the
ted. In this proposed solution,
access password. That means
memory bank nor execute the
nnot do tampering in a RFID
ies to clone a tag it will be
does not have the right access
prepare the response message
o in this case, an attacker has
brute force attack (that means,
and it mainly includes 3 major
ut of LAMED (which requires
2
32
attempts from an attacker), guessing the 32-bit access
password which is required to unlock the user memory block
for writing (which requires 2
32
attempts) in the user memory
bank and finding the embedding locations of the verification
code (VC) i.e. choosing m locations (m==32 or m==64)
from n (n > m) locations (which requires P (n, m) attempts).
To be more precise, an attacker has to try (2
32+32

* P(n, m))
times in order to tamper with a tag (without being detected).
However, the attacker considered in this paper cannot try all
possibilities (i.e. 2
32+32

* P(n, m)) and thus cannot tamper
with a tag and remains undetected; note that this assumption
(regarding the attackers capability) is valid for most of the
existing RFID applications.
On the other hand, most of the existing tamper detection
solutions [10, 17] are not suitable for low cost RFID tags as
they ask for additional capabilities from either the reader or
the low cost tags, or from both. The existing watermarking
based solutions are suitable for low cost RFID tags but their
security relies on the secrecy of the watermarking algorithm.
Moreover, in [12, 13, 14] even a brute force attack requires
only 2
12
attempts since the size of the watermark is 12 bits
long. Furthermore, according to the best of our knowledge,
none of the existing tamper detection solutions [10, 12, 13, 14,
17, 18, 19] can detect tampering done by cloning a tag. So it
can be concluded that the solution proposed in this paper is
better than the existing EPC-C1G2 compatible tamper
detection solutions in terms of either performance or security
(or both).
The other significant advantage of this solution over the
existing security solutions [17, 18, 19] is that it reduces the
burden of password management by many orders of
magnitude. For instance, when a separate password is used
for each individual tag, a company has to manage 2
(24+36)

passwords (in the worst case); on the other hand, our
proposed solution (which uses a password for each <EM, OC>
pair) requires the management of 2
24
passwords (in the worst
case). Recall that the EM (an organization) is itself
responsible for assigning the OC field of the RFID tag, so an
organization has always the flexibility to use either fewer bits
or a specific pattern for the OC field. In this case, our
proposed solution has to deal with a very reasonable number
of passwords. As a result many existing applications, which
were not willing to incorporate cryptographic solutions
because of the huge burden of password management, can
adopt our proposed solution.

V. CONCLUSIONS
In this paper, we propose a complete tamper detection
solution for low cost RFID tags; this solution has the
potential to improve the security and usability of low-cost
RFID tags. Unlike the existing tamper detection solutions,
our proposed solution can also detect cloning and has good
security. Furthermore, the significant reduction of the
password management of this proposed solution makes it
quite feasible for many existing RFID applications. Moreover,
we also conducted a thorough analysis of this proposed
solution to show that it conforms to the EPC-C1G2
specification. Last, but not least, it also justifies why the
proposed solution is better than the existing tamper detection
solutions.


REFERENCES
[1] Juels,A.: RFID Security and Privacy: A Research Survey, An invited
paper, IEEE Journal on Selected Areas in Communications, vol. 24 no.
2, pp. 381-394, February 2006.
[2] Spiekermann,S., Evdokimov, S.:Privacy Enhancing Technologies for
RFID - A Critical Investigation of State of the Art Research,IEEE
Privacy and Security 2009, 2009.
[3] Deursen,T., Radomirovic,T.: Security of an RFID Protocol for Supply
Chains, ICEBE '08: Proceedings of the 2008 IEEE International
Conference on e-Business Engineering, pp. 568-573, 2008.
[4] RFIDExchange, Accessed on March 11, 2010.
http://www.rfidexchange.com/applications.aspx
[5] EPCglobal Inc., "EPCglobal Tag Data Standards Version 1.4", 2008.
[6] Claburn, T., Hulme, G., V.: RFID's Security Challenge- Security and
its high cost appears to be the next hurdle in the widespread adoption of
RFID. In InformationWeek, Accessed on March11,2010.
http://www.informationweek.com/story/showArticle.jhtml?articleID=5
2601030
[7] Lehtonen, M., et al.: From Identification to Authentication - A Review
of RFID Product Authentication Techniques.in Workshop on RFID
Security 2006 (RFIDSec 06). 2006. Graz: Springer Verlag.
[8] ISO/IEC, ISO/IEC 18000-6 Part 6:Parameters for air interface
communications at 860 MHz to 960 MHz AMENDMENT 1: Extension
with Type C and update of Types A and B, 2006.
[9] S. Suzuki and M. Harrison, "Data Synchronization Specification",
Auto-ID Labs AEROID-CAM-007, 2006.
[10] Yamamoto, A.; Suzuki, S.; Hada, H.; Mitsugi, J.; Teraoka, F. \&
Nakamura, O.A Tamper Detection Method for RFID Tag Data IEEE
International Conference on RFID, 2008, 51-57
[11] Hitachi Ltd., Report of Rationalization of energy use in fiscal 2006-
Project of RFID tag system Development Survey, 2007.
[12] M. Madan and P. Vidyasagar and C. Elizabeth, Recovering and
Restoring Tampered RFID Data using Steganographic Principles,ICIT
2006. IEEE International Conference on, 2006, 2853-2859.
[13] V. Potdar and E. Chang, Tamper detection in RFID tags using fragile
watermarking, 10th IEEE International Conference on Industrial
Technology (ICIT2006), Mumbai, INDIA, Dec. 1517, 2006.
[14] Potdar V, Wu C, Chang E (2005) Tamper detection for ubiquitous
RFID-enabled supply chain. In: Computational intelligence and
securityCIS 2005. LNCS,pp. 273278. Springer, Berlin
[15] Peris-Lopez, Pedro and Hernandez-Castro, Julio Cesar and Estevez-
Tapiador, Juan M. and Ribagorda, LAMED - A PRNG for EPC Class-1
Generation-2 RFID specification,Comput. Stand. Interfaces. vol. 31,no
1,pp. 88-97,Elsevier Science Publishers B. V.(2009)
[16] D. Ranasinghe, D. Engels, P. Cole, Low-cost RFID systems:
Confronting security and privacy, Auto-ID Labs Research Workshop,
2004.
[17] P. Bernadi, F. Gandino, et al., An Anti-Counterfeit Mechanism for the
application Layer in Low cost RFID Devices, In 4th European
Conference on Circuits and Systems for Communications, 2008, pp.
227 -231. 2008.
[18] M. Fan, H. Wang, Tamper Discrimination in RFID Tags Using Chaotic
Fragile Watermark, In. International Conference on Network Security,
Wireless Communications and Trusted Computing, 09, pp. 147-150,
2009.
[19] A. Noman, K. Curran, T. Lunney, Tamper Detection for Low Cost
RFID Tags: Using Watermarking with Chaotic Mapping, In. 6
th

International Conference on Intelligent Information Hiding and
Multimedia Signal Processing (IIHMSP10), pp. 98-101 Germany,
2010.
[20] M. Hell, T. Johansson, W. Meier. Grain: a stream cipher for
constrained environments. International Journal of Wireless and Mobile
Computing, 2(1):86-93, Nov. 2007.
[21] J. Melia-Segui, J. Garcia-Alfaro, J. Herrera-Joancomarti. Analysis and
Improvement of a Pseudorandom Number Generator for EPC Gen2
Tags. LNCS, vol. 6054 Financial Cryptography and Data Security
Workshops, Springer, Pages 34-46. Tenerife (Spain), Jan. 2010.
[22] J. Garcia-Alfaro, M. Barbeau, E. Kranakis. "Security threats on EPC
based RFID systems". 5th International Conference on Information
Technology: New Generations (ITNG 2008), IEEE Computer Society,
Las Vegas, Nevada, USA, April 2008.