The Design of an RFID Security Protocol

For Saving in DB Transaction Costs!

Kwang-Jin Paek, Pyeong Soo Mah, Chang Wook Lee and Ui-Sung Song§
Convergence SW Research Division, ETR!
§Dept. of Computer Education, Busan National University of Education
{pkj, pmah,leecw0929}@etri.re.kr, §ussong@bnue.ac.kr

Abstract- The low-cost RFID system will become pervasive in

the ubiquitous computing environment as a common
infrastructure. It presents a lot of advantages, but brings a
number of open issues that need to be solved before its successful
realization. One of the open issues is about the backend system
loading. In this paper, we proposed an RFID security protocol
that has two features, dynamic key generation function for
increasing cryptographic key complexity and the efficient
message protocol for the transactional load of back-end database
server.
Keywords - RFID, Security, Cryptography, Authentication,
Load Reduction.
1. Introduction
Radio Frequency Identification (RFID) is an automatic
identification method, relying on storing and remotely
retrieving data using devices called RFID tags or transponders.
A combination ofRFID technology and ubiquitous computing
Figure 1 illustrates the overview of RFID system
architecture. RFID readers interrogate tags for their data
through an RF interface. To provide additional functionality,
readers may contain internal storage, processing power or
connections to back-end databases. Computations, such as
cryptographic calculations, may be carried out by the reader
on behalf of a tag. Readers may use tag contents as a look-up
key into a back-end database. It is assumed that a secure
connection exists between a back-end database and the RFID
reader. However, the RF channel between readers and tags is
an insecure channel. Figure 2 illustrates a typical security
protocol in RFID system. When a RFID reader reads RFID
tags, a DB transaction occurs.
In brief, In Section 2, the proposed security protocol is
presented. Future works and conclusions are presented in
Section 3.
RF Channel

are revolutionizing the manner in which we look at simple

~r-::I
Q
objects [1, 2]. RFID systems provide increased productivity,
efficiency, convenience and many advantages over bar codes - - - - - l••

for numerous applications, especially global supply chain

management.
Despite all the advantages RFID technology offers there are Secure channel Insecure channel
serious concerns about security and privacy as well. Several
researchers have attempted to resolve the security concerns Figure 1. The architecture of RFID system
related to the use of RFID tags and have proposed protocols
that claim either to achieve secure authentication or to prevent
Query
unauthorized traceability. However, there are open research
metalD
issues. One of the issues is back-end system loading issue that metalD

is rarely studied by researchers[3, 4]. We are motivated by this Session Key. ID READER TAG

•
Session Key
issue. 10
•
We consider that the RFID system has four components within
an RFID system:
Figure 2. A typical security protocol in RFID system
• The RFID tag, or transponder, carries
object-identifying data.
• The RFID reader, or transceiver, reads and writes tag
data. 2. Proposed Security Protocol
• The RFID channel through which the reader and tags
communicate. In order to reduce the load of back-end database server, we
• The back-end database holds meta information of propose a security protocol that based on the dynamic key
each tag. generating function and the minimized message

1 This work was supported by the IT R&D program ofMKE/IITA, Rep. of Korea
[2008-S-023-01, Development ofNanoQplus-Based Sensor Network Simulator].

ISBN 978-89-5519-139-4 -1937- Feb. 15-18, 20091CACT 2009

exchanged protocol. Table 1 shows the notation used in the
protocol descriptions. MK is a master secret key and a material
key for generating S-box (Substitution box). Ids; is the
identification of MK for Si. Si is the identification of S-box i.
Sbox[i] stands for the element of index i in S-box. Sri is the
S-box of tag i. SKr; is the dynamically generated secret key for
tag i.
To minimize resource requirements, we used a MAC
pseudo-random function (F) to derive the S-box, implemented
asF(K,x) =MAC(K,x).
acts as S-Box. The length of Sbox is z. Second, KGF function
picks up two elements of Sbox with Sbox[a and b]. Third, a
dynamic key to encrypt/decrypt message data is made with
F(Sbox[aj, Sbox[bj). Forth, the secret key, SK is used for the
encryption/decryption of message data.
The proposed scheme consists of two phases: retrieval and
update. The retrieval phase is performed to interrogate the ID
of a RFID tag. The update phase is performed to renew a
random number of a RFID tag or allocates a new MK to a
RFID tag.

Table 1. Notation used in security protocols and cryptographic

operatIons
~.

MK Master secret key for deriving S-box

Retrieval
idsi Identification ofMK for Si
Si Identification of S-box i
KGF( ...) Key generation Function for dynamic symmetric keys
II Concatenation operator ReQ.newMK I
I Update
Sbox[i] Element of index i in S-box I

If (c,;:threshold) 1---------....:E2Ud..d 1a2llb21Ir31IEsdidT)llc~:

I I
I

Ii Identification of tag i
'I
STi S-box for tag i
SKTi Secret key for tag i Secure connection RF connec~lon

F(...) A MAC pseudo-random function: MAC( ...)

EK( ••• ) Symmetric encryption function using key K Figure 3. The proposed security protocol
Req.newMK A request message for a new MK
R A RFID reader Figure 3 shows the process of message exchanges in the
T A RFID tag proposed protocol. In the retrieval phase, there are 2 message
DB A RFID DB server transactions as follows:

In cryptography, a substitution box (or S-box) is a basic R -7 T: r1

component of symmetric key algorithms. It is used to obscure R ~ T: Er]+e(idsJ//a1//b1//r2//EsK(idr)//c).
the relationship between the plaintext and the ciphertext. In the
proposed protocol, Sbox is used as an S-box and generated If the RFID reader doesn't have MK;, it requests MK; ofthe tag
from F(MK, n). Sbox makes it possible to resist cryptanalysis, as follows:
thereby increasing key lifetime and the interval of rekeying.
DB ~ R: ids]
DB -7R:MK;.

In the update phase, there are 2 cases depending on the value

of c, the count number of reading RFID tag. If c < the
threshold value, the reader sends increased counter number
(c+ 1) and a new random number for next transaction as
follows:
Sbox[a] Sbox[b]
R -7 T: E r2 (c+ljjr3).

Otherwise, the reader makes a request for the new MK. The
I F(Sbox[a],Sbox[bJ) I MK update procedure is performed as follows:

DB ~ R: Req.newMK
DB -7 R: ids2jjM~

and the reader sends it to the tag. The tag replies to the reader
as the acknowledgement.
Figure 2. An overview of cryptography logic in RFID reader

R -7 T: Er2(ids2//a2//b2//r3//EsK,(idr)//coJ
Figure 2 illustrates the procedure of creating a dynamic
R ~ T: Er3+e(F(ids2,a1//b1//r3))
composition key to encrypt/decrypt message data between a
reader and a tag. First, Sbox[n] is created with F(MK, n) and

ISBN 978-89-5519-139-4 -1938- Feb. 15-18, 20091CACT 2009

 In the proposed protocol, we assume that a RFID reader has
memory, processing power, and connection to the DB server.
If a group of tags has the same MK, there is only one
transaction between the RFID reader and the DB server during
reading the tags in the same group. Therefore, transaction
costs can be saved according to the number of MKs used by
tags.
The proposed protocol provides the cost effectiveness in DB
transactions as well as the high complexity ofthe dynamic key.
Figure 3 shows the difference between the proposed protocol
and the previous protocol.

10 - -\ - - - ,. - - r - -

- - the previous protocol 1 1 , I : 1

9 _._._•• the proposed protocol 1- - - -I - - - T - - - ,- - - - - - I
C/) 1 I 1 , 1 1

8
1
8 ---:---~---~---:---~---~---I --~---~
7 - - _: - - - ~- - - ~- - _:_ - - ~- - - 1 - - -:- - - ~ - - - ~
jg 1 1 I I 1 1 1 I

'0 6 ~ - ~ - - - ~ - - -: - - - :- - - +- - -:- - - -: - - - ~
! I 1 1 1 1 1 I 1 I

~ 5 - - -: - - - ~ - - - ~ - - 1- - - ~ - - - ~ - - -:- - - ~ - - - ~

I 4 ~ - _: ~ ~ - ~ - - - I - - -: - - - ~ - - - ~ - - -:- - - -: - - - ~
'3 1 I I I 1 I 1 1 1

~ 3 ---:--- I---~---:---~---t---:----:---~
~ 1 I I I I 1 1 I 1
Q) 2 - - - - -t - - - t- - - ~ I- - ~ -j - - - +- - - 1- - - -j - - - --j

£
·---r-+---+·_·--r--:---+·_·_·-r---:---~
I 1 1 1 I 1 1 1 I

1
1 1 1 I 1 1 I 1 I

0'-----'----------'--------'-----'---------'-----'-----'-------'-----'
1 4 5 6 7 10
the number of reading RFID tags

Figure 3. The number of trahsactions between an RFID reader and a DB

3. Conclusions and Future Work

We designed an RFID security protocol that reduces the load

of the back-end DB server as well as the high complexity of
dynamic keys. Especially in large scale RFID systems, the
load of back-end DB server is an important issue and we
believe that our protocol is a good solution for reducing
transaction costs.
Our future work includes comparing its properties with
others' and implementing the proposed protocol in RFID
systems.

REFERENCES

[1] Ari Juels, "RFID Security and Privacy: A Research Survey," IEEE
Journal on selected areas in communications, vol. 24, no. 2, February
2006, pp. 381·394.
[2] Zongwei Luo, Terry Chan and Jenny S. Li, "A Lightweight Mutual
Authentication Protocol for RFID Networks," Proceedings of the 2005
IEEE International Conference on e-Business Engineering (lCEBE'05).
[3] Hyun-Seok Kim and Jin-Young Choi, "The Design and Verification of
RFID Authentication Protocol for Ubiquitous Computing," Proceedings
of the 18th International Workshop on Database and Export Systems
Applications, pp. 693-697.
[4] Tom Ahlkvist Scharfeld, "An Analysis ofthe Fundamental Constraints on
Low Cost Passive Radio-Frequency Identification System Design," the
thesis for the Degree of Master of Science, Massachusetts Institute of
Technology, August 21,2001.

ISBN 978-89-5519-139-4 -1939- Feb. 15-18, 20091CACT 2009