A Full Scale Authentication Protocol for RFID Conforming to EPC Class1 Gen2 Standard

Guiyue Jin, Jiyu Jin, Xueheng Tao and Baoying Li School of Information Science and Engineering

Dalian Polytechnic University Dalian, China

guiyue.jin@dlpu.edu, jiyu.jin@dlpu.edu

Abstract—The low cost RFID tags can be applied in new applications and interest more different groups of suppliers and end users, But the most important problem of low cost RFID system is that unauthorized readers can access to tag information and illegal tags can be authorized by legal readers, which should be potential to produce privacy and security problem. EPC Class1 Gen2 standard can be considered as a universal specification for low cost RFID tags, but it does not pay more attention to security. Recently some compliant to low cost RFID tags authentication protocols are proposed in the literature, but many of them do not guarantee security and privacy. Those protocols do not consider that the tags’ electronic product code usually has 96 bits, and directly use 16 bit CRC and 16-bit PRNG, so it does not guarantee the unequivocal identification of tagged items. Our protocol not only overcomes the weakness of the previous proposed protocols to guarantee the security and privacy, but also reduces database searching time and guarantees the synchronization between the readers and the tags. Furthermore, we analyze the proposed protocol in terms of security and performance, and it shows that the proposed protocol is effective and efficient.

Keywords-RFID tags; low cost RFID tags; EPC Class1 Gen2; authentication protocol

I. INTRODUCTION

Radio-frequency identification (RFID) is a small, inexpensive microchip that emits an identifier in response to a query from a nearby reader [1]. And it is a promising new technology that is envisioned to replace barcodes. However these tags bring security and privacy issues, therefore, authentication protocols for RFID systems should be designed to address these privacy and security threats.

In RFID systems, because an adversary can monitor all messages transmitted in wireless communication between a reader and a tag, an adversary can attack RFID systems using various methods. There are some common attacks such as eavesdropping, impersonation, tag information privacy, traceability, message interception and so on.

There have been many papers [2]-[4] in the literature that attempt to address security and privacy raised by the use of RFID tags. But all of the above mentioned protocols do not conform to EPC Class1 Gen2 Standard RFID tags. And there are some other protocols [5],[6],[7],[8],[9]and [11]compliant to EPC Class1 Gen2 RFID tags, but these protocols cannot

guarantee the unequivocal identification of tagged items, and cannot overcome security and privacy problems.

The rest of this paper is organized as follows. Section 2 proposed the new protocol compliant to EPC class-1 generation-2 RFID tags. Section 3 analyzes the proposed protocol in terms of security and performance. Section 4 concludes the proposed protocol.

II. PROPOSED PROTOCOL

In the proposed protocol, “A�B” indicates a data flow from entity A to entity B, while “A:” indicates an operation performed locally by A. Before describing the protocol in detail, the definition of notations used in the description of our protocol is given in the following table.

TABLE I. NOTATIONS

EPC Electronic Product Code (96 bits) || Concatenation operator

Nnamei Nickname of the tag at the i-th session Ki Secret key of the tag at

the i-th session

PNnamei Nickname of the tag at the previous session PKi Secret key of the tag at

the previous session

� XOR operator CRC( ) 16-bit Cyclic

redundancy check function

H() Oneway hash function PRNG( ) 16-bit Random number generator

GrpID Group ID (16 bits) hk Secret key of the reader

R RFID Reader RI Reader Identifier T RFID Tag S Backend Server

Apwd Access Password (32 bits) Kpwd Kill Password (32 bits)

ApwdL 16 LSBs of Apwd ApwdM 16 MSBs of Apwd KpwdL 16 LSBs of Kpwd KpwdM 16 MSBs of Kpwd

LSB: Least Significant Bits MSB: Most Significant Bits

The proposed protocol uses some string functions. A detailed description of the functions is provided in the follows.

The first function is f( ), which generates a 96-bit random number.

1 2 3 4 5 6f()=r ||r ||r ||r ||r ||r , (1) where r1, r2, r3, r4, r5 and r6 is nonce number.

The function F(x) makes an exclusive-or operation between x and random nonce numbers r1, r2, r3, r4, r5 and r6and concatenate them.

2012 IEEE Asia-Pacific Services Computing Conference

978-0-7695-4897-5/12 $26.00 © 2012 IEEE

DOI 10.1109/APSCC.2012.18

286

1 2 3

4 5 6

F(x)= x r || r || x r || x r || x r || x r

x� � �

� � �

�

3

3

2

4

6

(2)

The function fcrc() is to concatenate the value of CRC of the random nonce number r1, r2, r3, r4, r5 and r6.

1 2 3

4 5 6

fcrc()=CRC(r )||CRC(r )||CRC(r )|| CRC(r )||CRC(r )||CRC(r ),

(3)

The function GString (str, start, length) is generated to return a string containing a specified number of characters from a string. ‘Str’ is string expression from which characters are returns. ‘Start’ is starting position of the characters to return. ‘Length’ is Numbers of characters to return.

The function F-1(x, y, n) is like the below formula. It is generated to decrypt the random number encrypted by XOR.

-1nrr =F (x,y,n)=GString(x,16 (n-1)+1,16) y,� (4)

-11 2 3 4 5 6f ( )=rr ||rr ||rr ||rr ||rr ||rr , (5)

where rr1, rr2, rr3, rr4, rr5 and rr6 is reversed nonce number. The function fcrc-1( ) is to concatenate the value of CRC

of the reversed nonce number.

-11 2

4 5 6

fcrc ( )=CRC(rr )||CRC(rr )||CRC(rr )|| CRC(rr )||CRC(rr )||CRC(rr ),

(6)

where rr , rr , rr , rr , rr and rr is reversed nonce number. 1 2 3 4 5 6The function fName( ) is to generate six new random

nonce and concatenate them.

1 2

4 5 6

fName()=PRNG(rr )||PRNG(rr )||PRNG(rr )|| PRNG(rr )||PRNG(rr )||PRNG(rr ),

(7)

where rr , rr , rr , rr , rr and rr is the reversed nonce number. 1 2 3 4 5 6The function fK( ) is to generate six new random nonce

and concatenate them.

1

3

5

fK()=PRNG(PRNG(rr ))||PRNG(PRNG(rr ))|| PRNG(PRNG(rr ))||PRNG(PRNG(rr ))|| PRNG(PRNG(rr ))||PRNG(PRNG(rr )),

(8)

where rr , rr , rr , rr , rr and rr is the reversed nonce number. 1 2 3 4 5 6The protocol consists of initialization phase and

authentication process phase. The system is initialized as follows: First, each tag is assigned with two identifiers. One is

EPC, a real identifier which is a permanent identifier of the tag; the other is an initial Nickname, i.e. Nickname0, which is changed for every session. Each tag is also associated with a secret key K, which is shared with backend server and it is temporary secret for every session. And each tag is

assigned with two passwords, one is an Apwd(Access password), the other is a Kpwd(Kill password).

Second, RFID reader is assigned identifier RI and a secret key hk. The secret key hk will be updated regular by the backend server.

Finally, the Backend server database need to be built to store all the information related to authentication process. Before the reader and the tag are deployed, they must make registrations with the database. For each reader, it stores a tuple [GrpID, RI, hk, Apwd, Kpwd].The secret key hk will be updated regular with the reader. For each tag, it stores a tuple [GrpID, EPC, Nickname0, K0, PNickname0, PK0]. In initialization phase, Nickname0 is equal to PNickname0, and K0 is also equal to PK0.

In the proposed protocol, there are three steps in tag-reader mutual authentication procedure. Reader authentication process, tag authentication process and information update.

0

0

hk 0

0

hk

R T : Query requestT: generate a random nonce r T R: rR: hv H (RI||r )R S: r ,RI,hvS: searches the reade hv' H (RI|

�

�

�

�

� 0

R

R L R L

R R 0

|r ) if hv'==hv then { generate a random nonce r pw Apwd r Kpwd apw CRC(r ||r )

� � �� M M

R R

R L R L'R R 0 M M

'R R

Apwd Kpwd } else haltS R T : pw ,apw T: r Apwd pw Kpwd

apw CRC(r ||r ) Apwd Kpwd

verify apw apw

� �

� �� � �

� � �

� if the reader is authenticated, perform next step

Figure 1. Reader authentication process

Figure 1 illustrates the reader authentication process. The reader sends a query to the tag. Upon reception of this query, the tag picks a random number r0 and sends it to the reader. The reader computes hk 0hv H (RI||r )� and sends r0, RI and hv to the backend server. The backend server searches the reader according to index RI, and computes the function

hk 0hv' H (RI||r )� and checks whether . If the equation holds, the backend server searches the database according to the index grpID and saves the results for tag authentication process. Then it picks a random nonce rR and computes pwR�ApwdL rR KpwdL and apwR�CRC(rR||r0)

hv'==hv

��� ApwdM� KpwdM. And it sends pwR

and apwR to the reader, which forwards these values to the tag. On reception of pwR and apwR, the tag computes

287

rR�ApwdL pwR KpwdL and apwR’�CRC(rR||r0)ApwdM KpwdM and checks whether the received

password is correct. If the reader is authorized, the proposed protocol performs next step.

��

TC

f

,T,T

(r ,earch a m a mat (if the

n {r

}

�

T T

T

ramec( ),

), r '

� �

� �

tched tag i

me'=nam

EP= C the ta

�

ontin

�

T:

S:

C R

i T

CRC i CRC

TC

TC-1 -1

R

r ( ), F(r ) TR Nn r ,

r fcr C EPC K r T R: r R,CR S: r R,C

F r ,n f ( ) , Nname'

� � � �

�

�

� 'T

i

i i i i

TR r s a ag from a special group if ched t s found Nna PNname n N e PNname , K PK )

� �

� �' -1CRC

'i CRC

th fcrc ( ) ,

C' C K r if C' then the tag is authentic then g is authenticated,

� � �

c ue the process

e

Figure 2. Tag authentication process.

After the reader has been authenticated, the protocol continues the tag authentication process as depicted in Figure 2. First of all, the tag generates six random nonce r1, r2, r3, r4,r5 and r6. A 96-bit random number rT is generated by the function f( ), and generates a value rTC using the function F(rR), which is used for sending the random number encrypted. And computes TR�Nnamei � rT, the value TR is used for transferring the tag’s nickname. The tag also generates the value rCRC using the function fcrc( ) and computes C�EPC�Ki�rCRC which is used for transferring the EPC and secret key value. Finally, the tag sends the value rTC, TR and C to the reader, which forwards these values to the backend server. On reception of the values, the backend server convert rTC to six random nonce number using function F-1( rTC, rR, n,) and then generates the 96 bits random nonce number r’

T using the function f-1( ), and the backend server computes Nname’�TR� r’

T, then the backend server search the matched tag from a special tags group. If it finds a matched tag (If it finds a matched tag according to the index Nname’=PNnamei, then the backend server does Namei�PNamei, Ki�PKi), in order to verify the tag authentication further, the backend server generates the value rCRC using the function fcrc-1( ) and computes C’�EPC �Ki�rCRC, if C' , the tag is authenticated. And the protocol continues the process.

=C

After the backend server successfully authenticates the tag in the previous step, it should update the information for next session authentication. Figure 3 illustrates the information update. First of all, the backend server assigns

the Ki to PKi+1 and assigns Nnamei to PNnamei+1. And then it updates the nickname of the tag Nnamei+1=fName() and updates the secret key of the tag Ki+1=fK(). It also computes ns�EPC�Ki+1�Nnamei+1 for sending the value to the tag. Finally, the backend server sends the tag information and the value ns to the reader, which forwards ns to the tag and commits the update.

On reception of the value ns, the tag updates the nickname of the tag using the function Nnamei+1=fName( ) and updates the secret key of the tag using the function Ki+1=fK(). And it computes ns’�EPC�Ki+1�Nnamei+1. If

ns’ is equal to ns, the tag commits the update, otherwise, rollbacks the update. ns'

Finally, it must be considered that no response is received from the reader. In the proposed protocol, a threshold time set to solve this problem. When the tag makes response to the query, it starts the timer. When the period is over threshold time and no response is received from the reader, the tag halts the current session.

i+1 i i+1 i

i+1 i+1

i+1 i+1

S: PK K , PNname Nname Nname fName() , K fK(), ns EPC K Nname ,commit

S R: "tag info", nsR T: "END", nsT: if reception

� �� �

� � ���

i+1 i+1

i+1 i+1

is within the threshold time { Nname fName() , K fK(), ns' EPC K Nname , if ns' ns then commit else rollbac

� �� � ��

k } else halt the session

Figure 3. Information update.

In the proposed protocol, all the readers and tags are managed by the backend server. Before the tags are registered to backend server’s database, the backend server divides tags into several groups according to many rules, such as price of objects attached by tags, owners of objects attached by tags and so on. And each group is given a special group identifier. The tags belong to a special group have the same access password and kill password. When a tag is registered to backend server’s database, it registers the tag information with group identifier information to the backend server’s database (GrpID, EPC, Ki, Nnamei, PKi, PNnamei). And the readers must register to backend server’s database, when a reader is registered to a backend server’s database, it must register its information with group identifier to the database. This architecture is very efficient to manage the readers and the tags in this authentication protocol. When a reader want to query a tag the reader must authenticate itself using hash function to backend server in order to get passwords. Only the legal reader can get the passwords which is belong to a special group. i.e., the legal reader belongs to a specific group can get the specific group’s passwords. At the same time, when the backend server

288

authorizes the tag, it only need search a matched tag in a special group which has less tag numbers.

III. ANALYSIS

From the proposed protocol described, it is clear that the tag and the reader can successfully authenticate each other. The proposed protocol is analyzed in terms of the security and performance

A. Security and Privacy The proposed protocol has the following privacy and

security properties. It can protect the information privacy. The detailed

information of the tag is stored in the backend server’s database. When a reader sends a query to the tag, the tag sends a random nonce r0 to the reader. The reader computes hash function hv�Hhk(RI||r0) and sends hv to the backend server to be authorized and obtain the password. An adversary who wants to get the tag information, although the random nonce r0 is available, cannot get the RI and hk even if the attacker collects the hash value hv because of one-wayness property of hash function. So an attacker cannot pass authentication by the backend server and also cannot get the sensitive tag data.

It can prevent traceability. In order to guarantee location privacy through refreshed value, the protocol uses the new random nonce r0, rR and rT in each session to compute the communication messages. So response message of the tag is impossible to be linked to any particular tag. In other words, the eavesdropper cannot link tag responses to previous responses from the same tag, and cannot distinguish one tag’s response from other’s response. Therefore, even if the attacker eavesdrops, the attacker cannot know the user’s location.

The replay attack belongs to impersonation attack. In this protocol, replay attack can be prevented. Because for every query from the reader, the tag sends a new random nonce r0to the reader and the tag checks the response from the reader with random nonce r0, so the attack sends the previous messages to the backend sever and get the passwords, but the passwords cannot be authorized by the tag, due to the difference of the random nonce. And the attack sends the previous communication messages to the backend server, the backend server also cannot authorized the tag, because the backend server generates new random nonce rR for new session. Using this new random nonce cannot decrypt the previous messages correctly, so the tag authentication is impossible. From the analysis, it can be drawn that the proposed protocol can prevent replay attack.

Message interception can cause the de-synchronization. In our protocol, this attack can be prevented because the backend server maintains the current and previous authentication information. Synchronization can be obtained if the authentication process is over successfully. Once the backend server sends the tag information to the reader and updates the nickname of the tag Nnamei and key of the tag Ki,but if the tag does not update the nickname and key of the

tag because the attacker intercepts the authentication. It can be solved in next session, although the tag sends the previous session’s tag nickname and key, the backend server searches the previous nickname PNnamei when the back server cannot find the match tag using Nnamei. And the backend server does Nnamei�PNnamei, Ki�PKi and continues the regular process, so the proposed protocol can guarantee the synchronization even if the same thing occurs in current session.

This protocol is secure against insider attacks. In order to prevent leakage of access password Apwd and kill password Kpwd by disgruntled readers, in this protocol the backend server does not deliver directly the tag’s access password and kill password to any of readers. The backend server sends cover-coded passwords to the reader, and only the tag can verify the cover-code password. And in our protocol, the secret key hk of the reader is updated regular to prevent the exhaustive key attacks.

In TABLE II, we compare the proposed protocol with the other protocols with respect to the privacy and security properties.

TABLE II. FUNCTIONAL COMPARISON OF AUTHENTICATION PROTOCOLS

Properties

Protocols

Information

privacy

Un-traceability

Non-imperson

ation

synchronization

Karthikeyan’s � � � �

Duc’s � � � �

Chien’s � � � �

Chen’s � � � -

Ours � � � �

: satisfied : not satisfied - : no consideration� �

According to [10], Duc et.al’s [5] protocol, Chien et al’s [6] protocols and Chen et.al’s [7] protocol, all of them have the same weakness. Since all of them directly use 16- bit CRC and 16- bit PRNG, a serious security failure occurs. An EPC has 96 bits, except for 8 bits of the fixed header, there are 288 possible identifiers. However, tags support onboard a 16-bit CRC, when 16-bit CRC is used, EPC values reduce to only 216 possible values. So it does not guarantee the unique identification of tagged items, which is an essential property in authentication protocols. Furthermore, this weakness causes all other security and privacy properties are not guaranteed. The proposed protocol also uses 16-bit CRC and 16- bit PRNG, but it do not use them directly. It constructs new functions in order to generate 96-bit random nonce and 96 bit CRC result. And the protocol does not send the random nonce plain text. They are all cover-code. And they cannot be leaked to the attackers.

B. Performance Analysis Let us evaluate the performance of the proposed protocol

in terms of computational cost. The tag does not implement

289

hash function or other complex computation. It only involves sim

Duc’s Chien’s Chen’s Ours

ple bitwise XOR operation, and the hardware need minimal extra cost because all required computation by the protocol CRC, XOR and PRNG are already ratified in EPC class1 gen2 specification.

In Table III, we compares the computation time. On the tag, the tag implements the PRNG function once, and implements the PRNG function 6 times and implements PRNG functions 12 times. On the contrary, other protocols implement PRNG function fewer times than ours. It is similar to other functions, such as CRC and XOR. But it is due to the different assumption of EPC size. Our proposed protocol is based on 96-bit EPC, while other protocols are based on 16-bit EPC. In order to generate 96-bit value, in the proposed protocol, 16-bit PRNG and 16-bit CRC must be implemented more times.

TABLE III. COMPUTATION TIME

Protocols

Systems PRNG 1 2 1 13CRC 2SF+1 <=2SF+1 1 7

>=SF+1XOR SF+1 <=2SF+1

SF+14 15

>=

Backend Server

reader

function

or

Hash 0 0 0 1

PRNG 2 3 1 19 CRC 3 2 2 7TAG XOR 3 2 5 15

N: he numb in database S numb be authentication success p

On the bac erv the prop ed protocol implPsaal’s

is paper, a new authentication protocol compliant toEPC Class1 Gen2 RFID tags is proposed. The pr

protocol is com nd anonymously inte

ucation Department of China (grant L2011 echnology Project of D

006,pp.381-395. [2] A.D. Henrici and P. M ed enhancement of location

privacy for radio-freq on devices using varying

. Kinoshita, “Cryptographic approach to

Mutual authentication protocol for

ops, 2010, pp.562-566.

09,pp.372-380.

t er of tagse gsF: the r of ta fore of others’ rotocol.

[5] g security of EPCglobal GEN-2 RFID tag against traceability and cloning,” the 2006 Symposium on Cryptography and Information Security, 2006.

[6] H. Y. Chien and C. H. Chen, “kend s er, os ements RNG function more times than other protocols due to the me reason as that on the tag. We can also know Duc et

[5] protocol and Chien et.al’s [6] protocol use CRC function and XOR function numerous times, because the backend server must compute all tag’s entry of the database until it finds the matched tag. But the proposed protocol implements CRC function and XOR function fewer times than Duc et.al’s[5] protocol and Chien et.al’s [6] protocol, because in the proposed protocol searching the match tag uses a special index, i.e. nickname of the tag, and in order to check the received messages, it computes only once. But two other protocols compute numerous times until the protocols find the matched tag or cannot find the matched tag after all the tags in the database are checked. From the Table III, we also know Chen et al’s [7] protocol uses the function fewer times.

IV. CONCLUSION In th

[11]

opose

putationally light-weight aract between entities. We compare our proposed protocol

with other protocols which are compliant to EPC Class1 Gen2 RFID tags with respect to the privacy and security properties. It is clear that the proposed protocol overcomes the privacy and security problems mentioned in this paper. We also evaluate the performance of the proposed protocol. The overhead of our proposed protocol is higher than that of other protocols because it is assumed that the EPC is 96 bits. Furthermore, the proposed protocol can decrease the searching burden of the database.

ACKNOWLEDGMENT

This work was supported by the Science and Technology Research Project of the Liaoning Ed

082) and Science and Talian, China (grant 2011J21DW009).

REFERENCES

[1] A. Juels, “RFID Security and Privacy: A research survey,” Journal of Selected Areas in Communications, February 2

auller, “Hash-basuency identificati

identifiers,” in the Proceedings of Persec’ 04 at IEEE PerCom,2004,pp.149-153.

[3] D. Molnar and D. Wagner, “Privacy and security in library RFID: issues, practices, and architectures,” Conferece on Computer and Communications Security, CCS’04, 2004, pp.210-219.

[4] M. Ohkubo, K. Suzki and S‘privacy-friendly’ tags,” RFID privacy Workshop, 2003, MIT,MA,USA,November 2003. D.N. Duc, J. Park, H. Lee and K. Kim, “Enhancin

RFID conforming to EPC class 1 generation 2 stardards,” Computer Standards Interfaces 29, 2007, pp.254-259. C.L. Chen and Y.Y. Deng “Conformation of EPC Class 1 Generatio[7] n2 standards RFID system with mutual authentication and privacy protection,” Engineering Applications of Artificial Intelligence, 2009,pp.1284-1291.

[8] N. W. Lo and Kuo-Hui Yeh, “A Secure Communication Protocol for EPCglobal Class 1 Generation 2 RFID Systems,” IEEE 24th International Conference on Advanced Infromation Networking and Applications Worksh

[9] S. Leng, M. Tang, X. Jiang, Z. Zhang and M. H. lee, “An Improved Mutual Authentication Scheme Complait to EPC Class-1 Generation-2 Stardard,” International Conference on Digital Object Identifier, 2011, pp.3933-3937.

[10] P. Peris-Lopez, J.C. Hernandz-Castro, J. M. Estevex-Tapiador and A. Ribagord, “Cryptanalysis of a noval authentication protocol conforming to EPC-C1G2 standard,” Computer Standards and Interfaces, Elsevier, 20G. Jin, E. Y. Jeong, H. Y. Jung and K. D. Lee, “RFID Authentication Protocol Conforming to EPC Class-1 Generation-2 Standard,” Security and Management, 2009, pp.227-23.

290