RFID Systems and Security and Privacy Implications

1
RFID Systems and Security and Privacy Implications
Auto-ID Center Massachusetts Institute of
Technology www.autoidcenter.org

• Sanjay E. Sarma
• Stephen A. Weis
• Daniel W. Engels

2
Auto-ID Center

• International industry-sponsored research center
• MIT, Cambridge University, and University of
  Adelaide
• Design, develop, and deploy large-scale field
  trials including RFID projects

3
Overview

• Radio Frequency Identification (RFID)
• EPC System
• Security Benefits and Threats
• Future

4
Uses of Automatic-ID Systems

• Access control and security
• Tracking of products in Supply Chain
• Id of products at Point of Sale
• Most widely used is the Bar Code System

5
Potential Application of RFID

• Consider supply chain and EAN-UCC bar codes
• 5 billion bar codes scanned daily
• Each scanned once only at checkout
• Use RFID to combine supply chain management
  applications

6
Benefits of Supply Chain Management

• Automated real-time inventory monitoring
• Automated Quality Control
• Automated Check-out
• Picture your refrigerator telling you that youre
  out of milk! ?

7
Why not yet implemented

• Cost too high. Needs to be lt0.10
• Lack of standards and protocols
• Security concerns similar in smart cards and
  wireless
• Privacy issues Big Brother

8
RFID System Components

• RFID Tag
• Transponder
• Located on the object
• RFID Reader
• Transceiver
• Can read and write data to Tag
• Data Processing Subsystem

9
Transponder

• Consist of microchip that stores data and antenna
• Active transponders have on-tag battery
• Passive transponders obtain all power from the
  interrogation signal of reader
• Active and passive only communicate when
  interrogate by transceiver

10
Transceiver

• Consist of a RF module, a control unit, and a
  coupling element to interrogate tags via RF
  communication
• Also have secondary interface to communicate with
  backend systems
• Reads tags located in hostile environment and are
  obscured from view

11
Data Processing Subsystem

• Backend System
• Connected via high-speed network
• Computers for business logic
• Database storage
• Also as simple as a reader attached to a cash
  register

12
RFID

• Basic components of RFID system combine in the
  same manner
• All objects are physically tagged with
  transponders
• Type of tag used varies from application to
  application
• Passive tags are most promising

13
RFID

• Transceivers are strategically placed for given
  application
• Access Control has readers near entrance
• Sporting events have readers at the start and
  finish lines

14
Transceiver-Transponder Coupling and Communication

• Passive tags obtain power from energy in EM field
  generated by reader
• Limited resource require it to both get energy
  and communicate within narrow frequency band
  regulatory agencies

15
Inductive Coupling

• Uses magnetic field to induce current in coupling
  element
• Current charges the on-tag capacitor that
  provides operating voltage
• This works only in the near-field of signal up
  to c/(2pf) meters

16
Inductive Coupling

• Operating voltage at distance d is proportional
  to flux density at d
• Magnetic field decreases in power proportional to
  1/d3 in near field
• Flux density is max when R dv2, where R is
  radius of readers antenna coil

17
Far Field energy harvesting

• Uses readers far field signal to power tag
• Far field begins where near field ends
• Signal incident upon the tag induces voltage at
  input terminals of the tag, which is detected by
  RF front-end circuitry and is used to charge
  capacitor

18
Passive tag power

• Reader uses same signal to communicate with and
  power tag
• Any modulation of signal causes power reduction
• Modulating information spreads the signal
  referred to as side band.
• Side band and max power is regulated

19
Transponder Communication

• RFID systems generally use the Industrial-Scientif
  ic-Medical bands
• In near field, communication is achieved via load
  modulation
• In far field, backscatter is used. Backscatter
  is achieved by modulating the radar-cross section
  of tag antenna

20
Limitations of Passive Tag communication

• Very little power available to digital portion of
  the IC, limited functionality
• Length of transactions is limited
• Length of power on
• Duration within communication range
• US regulations for 915 MHz limit transaction time
  to 400 ms
• Limit of state information

21
Data Coding and Modulation

• Determines bandwidth, integrity, and tag power
  consumption
• Limited by the power modulation / demodulation
  capabilities of the tag
• Readers are generally low bandwidth, due to
  government regulations
• Passive tags can use high bandwidth

22
Coding

• Level Codes
• Non-Return-to-Zero
• Return-to-Zero
• Transition Codes
• Manchester
• Miller

23
Coding Considerations

• Code must maintain power to tag as much as
  possible
• Code must not consume too much bandwidth
• Code must permit the detection of collisions

24
Coding for Readers and Tags

• Reader to Tag uses PPM or PWM (lower bandwidth)
• Tag to Reader uses Manchester or NRZ (higher
  bandwidth)

25
Modulation

• RF communications typically modulate high
  frequency carrier signal to transmit baseband
  code
• Three classes of digital modulation are ASK, FSK,
  and PSK.
• ASK most common in 13.56 MHz load modulation
• PSK most common in 915 MHz backscatter modulation

26
Tag Anti-Collision

• Limited power consumption
• State information may be unreliable
• Collisions may be difficult to detect due to
  varying signal strengths
• Cannot be assumed to hear one another

27
Algorithm Classification

• Probabilistic
• Tags respond in randomly generate times
• Slotted Aloha scheme
• Deterministic
• Reader sorts through tags based on tag-ID
• Binary tree-walking scheme

28
Algorithm Performance Trade-offs

• Speed at which tags can be read
• Outgoing bandwidth of reader signal
• Bandwidth of return signal
• Amount of state that can be reliable stored on
  tag
• Tolerance of the algorithm to noise

29
Algorithm Performance Trade-offs

• Cost of tag
• Cost of reader
• Ability to tolerate tags with enter and leave
  during interrogation period
• Desire to count tags exactly as opposed to
  sampling
• Range at which tags can be read

30
Regulations Effect

• US regulations on 13.56 MHz bandwidth offer
  significantly less bandwidth, so Aloha is more
  common
• 915 MHz bandwidth allows higher bandwidth, so
  deterministic algorithms are generally used

31
13.56 MHz Advantages

• Frequency band available worldwide as an ISM
  frequency
• Up to 1 meter reading distance in proximity /
  vicinity read
• Robust reader-to-tag communication
• Excellent immunity to environmental noise and
  electrical interference

32
13.56 MHz Benefits

• Well-defined transponder interrogation zones
• Minimal shielding effects from adjacent objects
  and the human body
• Damping effects of water relatively small, field
  penetrates dense materials

33
915 MHz Benefits

• Long range (from a few to several meters,
  depending on regulatory jurisdiction)
• High data rates
• Fast anti-collision and tags per second read rate
  capabilities

34
The EPC System

• System that enables all objects to be connected
  to the Internet by adding an RFID tag to the
  object
• EPC
• ONS
• SAVANT
• Transponders

35
The EPC

• Electronic Product Code
• ID scheme designed to enable unique id of all
  physical objects
• Only data stored on tag, since information about
  object is stored on network
• EPC acts like a pointer

36
The ONS

• Object Name Service
• Directory service that maps EPS to IP
• Based entirely on DNS
• At the IP address, data is stored in XML and can
  be accessed via HTTP and SOAP

37
The ONS

• Reduces power and memory requirements on tag
• Transfer data communication to backend network,
  saving wireless bandwidth
• Makes system more robust
• Reduces size of microchip on tag

38
Savant

• System based on hierarchical control and data
  management
• Provides automated control functionality
• Manages large volumes of data
• Acts as a gateway for the reader network to the
  next higher level

39
Savant

• Transfers computationally intensive functionality
  from tag to powered system
• Any single point of failure has only local effect
• Enables entire system to be scalable since reader
  sub-systems are added seamlessly

40
RFID Transponder

• Most numerous parts of system
• Most cost-sensitive part
• Protocols designed for 13.56 MHz and 915 MHz
  frequencies
• Implement a password-protected Self Destruct
  command

41
RFID Security Benefits and Threats

• Airline passenger and baggage tracking made
  practical and less intrusive
• Authentication systems already in use (key-less
  car entry)
• Non-contact and non-line-of-sight
• Promiscuity of tags

42
Previous Work

• Contact-less and constrained computational
  resource similar to smart cards
• Analysis of smart card security concerns similar
  to RFID
• RFID especially susceptible to fault induction
  and power analysis attacks

43
Security Goals

• Tags cannot compromise privacy of holders
• Information should not be leaked to unauthorized
  readers
• Should not be possible to build long-term
  tracking associations
• Holders should be able to detect and disable tags
  they carry

44
Security Goals

• Publicly available tag output should be
  randomized
• Private tag contents should be protected by
  access control and encryption
• Spoofing tags or readers should be difficult

45
Low-cost RFID Issues

• Inexpensive read-only tags are promiscuous and
  allow automated monitoring privacy concern
• Neither tags nor readers are authenticated
  security concern
• Full implementation of privacy and security is
  costly cost concern

46
Possible solutions

• Erase unique serial numbers at point of sale
  tracking still possible by associating
  constellations of tags
• Public key cryptography too expensive
• Shared key if one tag is compromised, entire
  batch is effected

47
Approach to RFID Protection

• Use one-way hash function on tag meta-ID
• When reader knows meta-ID, tag is unlocked and
  readable
• After reader is finished, tag is locked
• Tag has self-destruct mechanism to use if under
  attack

48
Future Research

• Development of low cost crypto primitives hash
  functions, random number generators, etc.
• Low cost hardware implementation w/o
  computational loss
• Adaptation of symmetric encryption and public key
  algorithms from active tags into passive tags

49
Future Research

• Developing protocols that make tags resilient to
  power interruption and fault induction.
• Power loss graceful recovery of tags
• Research on smart cards and other embedded systems