A Simple and Cost-effective RFID Tag-Reader Mutual Authentication Scheme

Introduction - EPCglobal

EPCglobal Inc

Industry-driven standards RFID in supply chain management EPCglobal Architecture Framework EPCglobal Class 1 Gen 2 UHF RFID Protocol

We consider

Contents

Introduction RFID-based supply chain management system

EPCglobal Architecture Framework

Security Threats and Requirements

Security Assessment of Class 1 Gen 2 UHF RFID Protocol Proposed Tag-Reader Mutual Authentication Scheme

Scheme Analysis

Conclusion and Future Work

EPCglobal Architecture Framework

EPC-IS

Introduction - Tags 4 Memory Blocks

**We Focus on RESERVED memory Block** RESERVED memory Block has. Access Password (APwd) Kill Password (KPwd)

Introduction - RESERVED Memory Block

Manufacturer of the product stores APwd and KPwd in the Reserved Memory Bank Reserved Memory Bank is R/W LOCKED,

Cannot be Read Cannot be Re-Written

Security Threats and Requirements

Tag-Reader Mutual Authentication

Malicious RFID Readers

Snoop, corrupt, manipulate Counterfeit products Eavesdrop and impersonate

Cloned Fake RFID Tags

Man-in-the-Middle Attack

Tamperproof Tags

RFID Tag Snatching

One-Way Reader to Tag Authentication Proposed by EPCglobal

RFID Tag

RFID Reader

1. ReqR
2. R T1
3. CCPwdM=APwdM R T1

4. Verify If: APwdM== (CCPwdM R T1 )

5. ReqR
6. RT2

7. CCPwdL =APwdL R T2
8. Verify If: APwdL == (CCPwdL R T2 )

9. If (4 & 8) = Yes: Reader Authentic; No: End Communication with Reader

Proposed by EPCglobal Class 1 Gen 2 UHF RFID Protocol Not Secure Un-encrypted openly sent random numbers used as pads to cover-code tags APwd Tags Access Password easily exposed to disgruntled employee managing hand-held reader

Security Weakness EPCglobal Schheme Exposed APwd

Manufacturer Malicious, Compromised Reader Disgruntled Employee Reader Tag Only one-way Reader-to-Tag Authentication Unauthorized Access Fake Cloned Tags APwd APwd

Apwd (Exposed)

Goals

Tag-Reader mutual authentication

simple, light-weight, practically secure (supply chain)

A better cover-code or obscure tag APwd Secure distribution of obscured tags' APwd to stakeholder's RFID readers The manufacturer: implicitly keep track on the whereabouts of its products. Our scheme adheres to EPCglobal standards

10

Goals

NO cryptographic (hash) functions/keys within the tag NO tag - reader synchronization security keys/hash values.

We improve scheme proposed by EPCglobal to accommodate tag-reader mutual authentication.

Our scheme utilizes tag's already existing,

16-bit random number generator, XOR function, Access & Kill Passwords.

11

Proposed Tag-Reader Mutual Authentication Scheme

Emphasis on Tags Access & Kill Password Manufacturer of the product is involved in the mutual authentication process Scenario:

A pallet has reached the distributor Distributors reader query tag on pallet Reader and Tag must authenticate each other Reader does not know tags Apwd Reader contact manufacturer and follow this procedure

12

Insecure Channel RFID Tag Tag Already Has: EPC; Apwd(32)=ApwdM (16) || APwdL (16) ; KPwd(32)=KPwdM (16) || KPwdL (16) ; 16it-Random No. Genarator: RTx ; PadGen(.) function STEP 1: ReqR Step 1.1: Generate & Temporarily Store {RT1, RT2} STEP 2: {EPC, RT1, RT2} Step 5.1: Temporarily Store {RM1, RM2, RM3, RM4} Step 5.2: Execute PAD3 = PadGen(RT1,RM1) PAD4 = PadGen(RT2,RM2) Step 5.3: Verify IF APwdM = = CCPwdM1 PAD3 APwdL = = CCPwdL1 PAD4 Y: Reader Authentic N: Stop Comm. With Reader RFID Reader

Secure Channel Manufacturer Manufacturer Already Has: EPC; Apwd(32)=ApwdM (16) || APwdL (16) ; KPwd(32)=KPwdM (16) || KPwdL (16) ; 16it-Random No. Genarator: RMx ; PadGen(.) function Step 3.1: Store {RT1, RT2} Step 3.2: Generate & Store {RM1, RM2, RM3, RM4} Step 3.3: Execute PAD1 = PadGen(RT1,RM1) PAD2 = PadGen(RT2,RM2) STEP 3: {EPC, RT1, RT2} Step 3.4: Compute CCPwdM1 = APwdM PAD1 CCPwdL1 = APwdL PAD2

STEP 4: {EPC, CCPwdM1, CCPwdL1, RM1, RM2, RM3, RM4} STEP 5: {CCPwdM1, CCPwdL1, RM1, RM2, RM3, RM4}

Proposed TagReader Mutual Authentication

Reader Authentiction Process

Step 6.1: Generate {RT3, RT4} Step 6.2: Execute PAD5 = PadGen(RT3,RM3) PAD6 = PadGen(RT4,RM4) Step 6.3: Compute CCPwdM2 = APwdM PAD5 CCPwdL2 = APwdL PAD6 STEP 7: {EPC, CCPwdM2, CCPwdL2, RT3, RT4} STEP 8: {EPC, CCPwdM2, CCPwdL2, RT3, RT4}

Tag Authentiction Process

Step 8.1: Store {RT3, RT4} Step 8.2: Execute PAD7 = PadGen(RT3,RM3) PAD8 = PadGen(RT4,RM4) Step 8.3: Verify IF APwdM = = CCPwdM1 PAD7 APwdL = = CCPwdL1 PAD8 Y: Tag Authentic N: Tag is Fake

13

STEP 9: {EPC, AUTHENTIC: Y/N}

Insecure Channel RFID Tag Tag Already Has: EPC; Apwd(32)=ApwdM (16) || APwdL (16) ; KPwd(32)=KPwdM (16) || KPwdL (16) ; 16it-Random No. Genarator: RTx ; PadGen(.) function STEP 1: ReqR Step 1.1: Generate & Temporarily Store {RT1, RT2} STEP 2: {EPC, RT1, RT2} Step 5.1: Temporarily Store {RM1, RM2, RM3, RM4} Step 5.2: Execute PAD3 = PadGen(RT1,RM1) PAD4 = PadGen(RT2,RM2) Step 5.3: Verify IF APwdM = = CCPwdM1 PAD3 APwdL = = CCPwdL1 PAD4 Y: Reader Authentic N: Stop Comm. With Reader
14

Secure Channel RFID Reader Manufacturer Manufacturer Already Has: EPC; Apwd(32)=ApwdM (16) || APwdL (16) ; KPwd(32)=KPwdM (16) || KPwdL (16) ; 16it-Random No. Genarator: RMx ; PadGen(.) function Step 3.1: Store {RT1, RT2} Step 3.2: Generate & Store {RM1, RM2, RM3, RM4} Step 3.3: Execute PAD1 = PadGen(RT1,RM1) PAD2 = PadGen(RT2,RM2) STEP 3: {EPC, RT1, RT2} Step 3.4: Compute CCPwdM1 = APwdM PAD1 CCPwdL1 = APwdL PAD2

STEP 4: {EPC, CCPwdM1, CCPwdL1, RM1, RM2, RM3, RM4} STEP 5: {CCPwdM1, CCPwdL1, RM1, RM2, RM3, RM4}

Reader Authentiction Process

Step 5.3: Verify IF APwdM = = CCPwdM1 PAD3 APwdL = = CCPwdL1 PAD4 Y: Reader Authentic N: Stop Comm. With Reader

STEP 5: {CCPwdM1, CCPwdL1, RM1, RM2, RM3, RM4}

Reader Authentiction Process

Step 6.1: Generate {RT3, RT4} Step 6.2: Execute PAD5 = PadGen(RT3,RM3) PAD6 = PadGen(RT4,RM4) Step 6.3: Compute CCPwdM2 = APwdM PAD5 CCPwdL2 = APwdL PAD6 STEP 7: {EPC, CCPwdM2, CCPwdL2, RT3, RT4} STEP 8: {EPC, CCPwdM2, CCPwdL2, RT3, RT4}

Tag Authentiction Process

Step 8.1: Store {RT3, RT4} Step 8.2: Execute PAD7 = PadGen(RT3,RM3) PAD8 = PadGen(RT4,RM4) Step 8.3: Verify IF APwdM = = CCPwdM1 PAD7 APwdL = = CCPwdL1 PAD8 Y: Tag Authentic N: Tag is Fake

STEP 9: {EPC, AUTHENTIC: Y/N}

15

Pad Generation Function: PadGen(.) [1/3]

16

Pad Generation Function: PadGen(.) [2/3]

Random Numbers from Tag and Manufacturer

17

Pad Generation Function: PadGen(.) [3/3]

18

LSBs C5D6h

3Fh 3Eh 3Dh 3Ch 3Bh 3Ah 39h 38h 37h 36h 35h 34h 33h 32h 31h 30h
Addr.

0 1 1 0 1 0 1 1 1 0 1 0 0 0 1 1 Bit

15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
Locn.

Tags Logical Memory & Access Password Map

MSBs AC9Eh

2Fh 2Eh 2Dh 2Ch 2Bh 2Ah 29h 28h 27h 26h 25h 24h 23h 22h 21h 20h
Addr.

0 1 1 1 1 0 0 1 0 0 1 1 0 1 0 1 Bit

15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
Locn.

19

Security Analysis [1/4]

Possible Attacks

APwd & KPwd are only 32-bits Brute-force attack or ciphertext-only attack

Practically Secure

An enclosure (warehouse) that is sealed from external noise and radio signals from malicious readers. RFID supply chain processing environment

Extremely fast paced Not feasible to continuously eavesdrop on one particular tagreader communication channel Several bulks of items pass through several readers with in a very short interval of time.

20

Security Analysis [2/4]

Reader Impersonation Attack:

Reader to authenticate first to tag A malicious reader

Does not posses both the APwd and KPwd cannot access manufacturer (EPC-IS) due to lack credentials.

Cloned Fake Tags and Tag Impersonation Attack:

Tag to authenticate to the manufacturer. A malicious tag or a cloned fake tag

Do not posses both the APwd and KPwd, if a tag emulator using the same or weak random numbers if tag is not moving through the supply chain processing

Manufacturer must detect and terminate the communication,

21

Security Analysis [3/4]

Tag's Access Password Never Exposed:

Does not use random numbers sent in an un-encrypted form as pads Generated pads are known only to tag and manufacturer Does not deliver the tag's APwd to any of the stakeholder's reader. The reader relays only the cover-coded APwd RFID system level check",

Secure against Insider Attacks:

A compromised reader is continuously trying to interrogate only one particular tag

22

Security Analysis [4/4]

Secure against Replay Attacks:

We use two random numbers each, generated by both the tag and the manufacturer. As unique random numbers generate unique pads We adhered to the 32-bit passwords Our scheme can still be applicable, and more strengthened, when the length of the APwd and KPwd is extended

Password Scalability:

23

Implementation Analysis [1/2]

Overhead Analysis

Secure channel between tag and manufacturer

PKI-based certificate, encryption and signature schemes may be expensive

Reader communicate with manufacturer to authenticate every tag The manufacturer can setup a secure server at every stakeholder's supply chain processing facility Only, the manufacturer can remotely access, monitor, and manage this server and also update the server with tags' Access & Kill passwords We can also assume that the manufacturer's EPC-IS is a highly resource rich entity, which is designed to take heavy computational and storage load. Secure channel with only Keyed-Message Authentication Code (MAC)

To reduce this overhead,

24

Implementation Analysis [2/2]

Light-Weight Tag-Reader Mutual Authentication:

Our scheme does not use any special cryptographic functions. Tag already has capability

XOR operations, Generate random numbers, Temporarily store random numbers Fetch the APwd and KPwd

Our scheme just needs an additional

Five 16-bit temporary storage memory slots four random numbers from the manufacturer and one for PadGen(.) function. Class-1 Gen-2 tags can have a 512-bit memory capacity or more (depending on the manufacturer)

25

Conclusion

Our scheme

Not fully secure Simple, cost-effective, light-weight to be implemented on tag Practically secure, Highly suitable to the RFID-based supply chain processing scenario Adhere to EPCglobal standard Cloned fake tags Malicious readers Disgruntled employees or compromised readers Tags APwd leakage Man-in-the-middle attacks

Our scheme provides considerable challenges to thwart

26

Thank you!