Conformation of EPC class 1 generation 2 standards RFID. system with mutual authentication and privacy protection

Transcription

1 Conformaton of EPC class 1 generaton 2 standards RFID system wth mutual authentcaton and prvacy protecton Chn-Lng Chen Department of Computer Scence and Informaton Engneerng, Chaoyang Unversty of Technology, Tachung, Tawan 413, ROC. E_mal:clc@mal.cyut.edu.tw Yong-Yuan Deng Department of Computer Scence and Informaton Engneerng, Chaoyang Unversty of Technology, Tachung, Tawan 413, ROC. E_mal:s @mal.cyut.edu.tw Abstract Rado Frequency Identfcaton (RFID) technology has recently aroused great nterest due to ts convenence and economc effcency. Through RFID become popular worldwde, t s susceptble to varous attacks and securty problems. Snce RFID systems use wreless transmsson, user prvacy may be compromsed by malcous people nterceptng the nformaton contaned n the RFID tags. Many of 0

2 the methods prevously proposed to prevent such attacks do not adequately protect prvacy or reduce database loadng. In ths paper, we propose a new authentcaton and encrypton method that conforms to the EPC Class 1 Generaton 2 standards to ensure RFID securty between tags and readers. Our scheme not only reduces database loadng, but also ensures user prvacy. Fnally, we survey our scheme from several securty vewponts, and prove ts feasblty for use n several applcatons. Keywords: RFID; EPC; Securty; Prvacy; Mutual authentcaton 1. Introducton 1.1 Background Rado frequency dentfcaton (RFID) systems use a small devce (RFID tag) to receve and send remote commands. RFID systems contan tags, readers, hosts and antennae (Garfnkel et al., 2005). There s a small low-cost tag n each RFID object that provdes every product a unque dentty the Electronc Product Code (EPC). Once an RFID reader sends a request sgnal, the RFID tag responds to the reader s readng and wrtng request. Prevously, bar-code systems were wdely utlzed; however these have been largely replaced by RFID systems. RFID systems have many advantages over bar-code systems and can dentfy objects along several lnes of sght smultaneously; by comparson bar-code systems only dentfy objects at a close proxmty. Moreover, each RFID tag can be assgned a unque dentfcaton; whereas bar-code systems 1

3 do not allow for ths. Thus, RFID systems perform well n stocks and sales management and are convenent. By reducng the cost of RFID tags, they can be mplemented n a wde feld of applcatons such as: entrance control, pet dentfcaton, hghway toll collecton, ndustral control, property management, and home automaton (Angeles, 2005; Karkkanen, 2003; Srvastava, 2004; Wang et al., 2006). As there s no standard operatng mechansm, each company has developed ts own; consstency n RFID systems s not desrable. There exsts a potental securty rsk n RFID systems. Ths rsk would become apparent f, for example RFID systems were appled to medcnal management systems. After a patent receves medcne, an RFID tag would be appled to the medcne s packng. If an attacker wth a reader scans the tag, he/she would know the dentty of the medcne the patent s takng; and even that of the patent s dsease. Tape Medcal Unversty Hosptal used RFID system trace and montor patent durng SARS perod. If the message has no encrypton, attacker can get prvacy nformaton easly (Wang et al., 2006). Lkewse, an attacker could dentfy the book buyng habts of someone who buys books wth RFID tags. It s clear that, the rado read/wrte characterstc of RFID system can threaten user prvacy. Once the attacker gets tag s EPC, he/she can query ONS (Object Namng Servce) from EPCglobal network (EPC, 2008) to get product detals, and t wll threaten personal prvacy. In spte ths, RFID systems brng great advantages; but they cannot protect personal prvacy, they wll not be accepted by the general publc. Therefore, how to protect the object s EPC become an mportant ssue. Thus, RFID systems must utlze 2

4 mutual authentcaton. Furthermore, prevous RFID systems lack specfc operatonal standards. The prvacy protecton schemes most often proposed by scholars are hash functon, symmetrc encrypton and asymmetrc encrypton. Due to the logc gates of the current tags are about , they are lmted by computng resources and cost. However, these methods are not practcal for use lmted resource tags. If there are not the common standards, the crculaton of the product wll be obstructed, and have not the common nterface standards. Ths cost wll ncrease. Therefore EPCglobal (EPC, 2008) has drawn up the EPC Class 1 Generaton 2 standard for tag operatonal ablty; ths provdes an ndustral standard for RFID system desgn n the future. On the bass of the Authentcaton Processng Framework (Ayoade, 2006), we therefore desgn a secure RFID access control system whch conforms to the EPC Class 1 Generaton 2 standard. Tags can dentfy legal readers, and readers are able to dentfy regstered tags. Legal tags and readers can communcate wth each other only so long as they have regstered and constructed a secure platform. Ths methodology protects user prvacy suffcently. 2. Related works and requrement ssues 2.1 Related works RFID systems are susceptble to unauthorzed attackers who may volate user prvacy. In order to prevent RFID tags from leakng messages, scholars have proposed the followng schemes: (1) Tag kllng scheme (Ayoade, 2006; Juels et al., 2003; Sarma et al., 2002): 3

5 The most drect scheme for protectng user prvacy s to dsable the tag, makng t unreadable, before the user takes possesson of t. Ths standard operatonal mode has been proposed by AutoID Center (Ayoade, 2006; Juels et al., 2003). Usng a specal command, the tag s content cannot be read. The dsadvantage of ths scheme s that the tag can only be used once. We fnd the tag kllng scheme to be mpractcal. (2) Faraday cage scheme (Ayoade, 2006; Juels et al., 2003): In ths scheme a metal mesh contaner covers the RFID tag, blocks the reader s request sgnal, and prevents the RFID tag from beng read by a reader. Ths system s analogous to a thef puttng merchandse nto a metal bag n the mall, thus preventng ths merchandse from beng detected by the sensor when he leaves the counter. Although ths method prevents attackers from unauthorzed readng of tags, t s very nconvenent and dffcult to mplement wth large objects. Its other prmary defect s that faraday cages prevent RFID tags from beng accessed by legal readers. (3) Actve jammng scheme (Ayoade, 2006; Juels et al., 2003): A rado frequency broadcast devce dsrupts the sgnal used by attackers RFID readers. However, ths scheme, whle blockng attackers successfully, also prevents legal readers from accessng RFID tags. Furthermore, f the broadcast power s too hgh, t may affect other legal applcatons; and usng ths devce n some envronments s very dangerous. For example, t mght affect medcal equpment n 4

6 hosptals. (4) Blocker tag scheme (Ayoade, 2006; Juels et al., 2003): Ths scheme requres users to utlze a blocker tag. When a reader sends a read request; the blocker tag responds wth a fake message, preventng the reader from obtanng the true nformaton n the tag. Ths method can block attacks successfully, but other legal readers cannot access the RFID tag. Blocker tags dsturb all responses to tags n near proxmty. Thus, the whole RFID system s prevented from workng normally. As wth the actve jammng scheme, ths scheme s dangerous n some envronments. Ths s an ntutonal protecton method n whch the user must carry an extra devce. Ths method has a serous defect; when t blocks an attacker, t also blocks the communcaton between legal RFID readers and legal RFID tags. (5) Smart tag scheme (Juels et al., 2003): Another way to prevent attacks on RFID readers or RFID tag s to use encrypton transmsson methods. As ths allows for more flexble tag and reader management than tradtonal methods, ths smart tag method s becomng ncreasngly popular. Table 1 shows functonal comparsons of the above protecton schemes. 5

7 Table 1 Comparsons of RFID system protect methods Methods Tag kllng Faraday cage Actve jammng Blocker tag Smart tag Functons scheme scheme scheme scheme scheme Prevent llegal tag access Tag can be used many tmes No adverse effects to other readers or tags Legal reader can access tag No need of addtonal devce O O O O O X O O O O O O X X O X X X X O O X X X O Notes: O: match the functon X: not match the functon The followng schemes based on the smart tag have been proposed to protect communcaton between readers and tags: (1) Unversal encrypton scheme (Sato et al., 2004): In the unversal encrypton scheme (Sato et al., 2004), the reader and the database are regarded as a unfed structure. Fg. 1 llustrates communcaton scenaros utlzng unversal encrypton schemes. Ths scheme uses the symmetrc encrypton, and t does not conform EPC C1G2 standards. In ths method a reader sends a read request to a tag, whch then selects a random value RND and encrypts t wth key k, prevously coordnated wth the reader. The tag then responds wth the encrypton message 6

8 E k ( ID, RND) to the reader, where E k ( ) means tag usng symmetrc encrypton to encrypt message. Upon recevng the messages from the tag, reader uses decrypton key k to decrypt ( ID, RND). The reader responds wth the confrmaton message response. Usng encrypton and random value mechansms securty s mproved. However, one securty problem remans: only one fxed key can be used. Once an attacker obtans ths key, he/she can decrypt every message on every tag n the whole system and threaten RFID system securty. Tag ID, k 1.request 3. Send E k ( ID, RND) 5.response Reader / Database ID, k 2.1.Generate RND 2.2. Compute Ek ( ID, RND) 4. Compute ( ID, RND) = Dk ( Ek ( ID, RND)) Fg. 1. Scenaros utlzng unversal encrypton scheme. (2) Karthkeyan-Nesterenko s scheme (Karthkeyan and Nesterenko, 2005): Fg. 2 llustrates communcaton scenaros usng Karthkeyan-Nesterenko s scheme. The reader coordnates a value K wth the tag durng the regstraton stage, and the tag and the reader store two P*P matrces M 1 and M 2. Ths scheme uses AND operaton, conforms to EPC Class 1 Generaton 2 standards, but cannot prevent llegal tag access (Chen and Chen, 2007). If the attacker replaces the current Z wth a prevous Z ', the attacker can replay Y ' n the next sesson to trck the tag nto wrongly acceptng the request and can access the tag accordngly. Furthermore, the value X, whch s stored n tag, s fxed. Snce there s no random value nvolved n ths scheme, t cannot avod locaton 7

9 traces. Ths scheme also has hgh database loadng requrement. In order to determne the correct M 1, the reader must search 1 = XM1 K for all K and 1 1 M n the database. Tag -1 K, M 1, M 2 2. Compute X = KM Verfy YM 2? K = Compute Knew = ZM 2 1.request 3.X 5.Y, Z Reader / Database K, M -1 1, M Verfy K? 1 = XM 4 Compute Y = KM Compute K new = X newm Compute Z = KnewM 2 Fg. 2. The scenaros usng Karthkeyan-Nesterenko s scheme. (3) Good Reader scheme (Gao et al., 2004): X. Gao et al. (Gao et al., 2004) proposed a scheme whch s appled to supply chan management. Ther scheme separates databases from readers. Fg. 3 llustrates the communcaton scenaros used by the Good Reader scheme. Tags use readerid and random value to verfy f the reader s legal. If the readerid s legal, the tag sends the calculated hashng value hash (tagid) to the reader, whch s then forwarded by the reader to the database. After recevng hash (tagid), the database receves tagid from the nsder table, and reples wth tagid to the reader. Once recevng the tag s ID, the database updates readerid. The tag wll use a new readerid n the next read request. Ths scheme has a securty problem. If an attacker modfes the message new readerid old readerid and the reader responses to the tag, the tag wll update and label the readerid as an error whch s then unreadable. Databases must perform hash operatons n onlne mode 8

10 to receve a tagid, and database loadng s too costly. Also, tags requre hash operaton, whch do not conform to EPC Class 1 Generaton 2 standards. Tag tagid, readerid 1.request 3.1k 5.2a( k) 7.1hash( tagid) B.new readerid old readerid Reader readerid 3.2k 5.1a( k) 7.2hash( tagid) 9.tagID A.new readerid Database tagid, readerid 2.Generate k 4. Compute a( k) = hash( readerid, k) 8.1. Search ( tagid, hash( tagid)) par 6. Verfy a( k)? hash( readerid, k) = 8.2.Get tagid from table C. Compute new readerid = ( new readerid old readerid) old readerid Fg. 3. The scenaros usng the Good Reader scheme. (4) Ownershp Transfer scheme (Osaka et al., 2006): Another applcaton s used n ownershp transfer. Fg. 4 llustrates the communcaton scenaros usng the Ownershp Transfer scheme. The reader s request ncludes a random value r, and tags respond wth a = H ( Ek ( ID ) r ) to the reader, where E k ( ) means encryptng message wth symmetrc key k, H ( ) means the hash functon. After the database verfes the hash calculated message, t generates new encrypted nformaton e = E ( ID) E '( ID), then responds by sendng the ID s nformaton nfo( ID ) k k and e to the reader. Subsequently, the reader transfers e to the tag, and then the tag updates '( ID) E k by E '( ID) = e E ( ID). k k Ths scheme presents several securty problems. Frst, t cannot prevent locaton tracng because the random value r s fxed once transmsson begns. Second, the tag sends messages wthout authentcatng the reader frst. Thrd, the attacker can modfy the tag s message, causng tag updates to 9

11 consst of erroneous encrypted ID. Addtonally, the tag requres hash calculaton, whch does not conform to EPC Class 1 Generaton 2 standards. Fnally, the entre database must be searched to compare the tag s response a? H ( Ek ( ID) r) ; resultng n database loadng beng too hgh. = Tag E k (ID) 1.request, r 3.1a 5.2e Reader 3.2a, r 5.1nfo(ID), e Database E k (ID), k 2. Compute a = H ( Ek ( ID) r) 6. Compute Ek '( ID) = e Ek ( ID) 4.1. Verfy a? H ( Ek ( ID) r) = 4.2. Compute Dk ( Ek ( ID)) = ID 4.3Compute e = E k ( ID ) E k ' ( ID ) Fg. 4. Scenaros usng the Ownershp Transfer scheme. 2.2 The requrement ssues (1) Aganst attacks: A well desgned RFID system should avod llegal access, protect user prvacy, and prevent attacks. The followng ssues are often dscussed n the lterature. (a) Counterfet reader attacks tag (Dmtrou, 2005; Osaka et al., 2006; Vajda and Butty an, 2003): Counterfet reader attacks consst of attackers llegally accessng tags. The attacker attempts to retreve senstve nformaton from the tag usng llegal readers. (b) Counterfet tags (Dmtrou, 2005; Ohkubo et al., 2003; Vajda and Butty an, 2003): Ths securty threat occurs when the attacker attacks legal readers. The attacker possesses an llegal tag, and when a legal reader queres the tag, the llegal tag responds wth a fake message. The reader 10

12 cannot dentfy the receved messages, and the whole RFID system crashes. (c) Man-n-the-mddle attack (Chen and Chen, 2007; Dmtrou, 2005; Vajda and Butty an, 2003): The communcaton between tag and reader s attacked. An attacker mpersonates a transmsson; and when the reader wants to query a tag, the attacker ntercepts the messages from the reader and transfers them to the tag. When a tag attempts to responds to the message, the attacker ntercepts the message agan, and then transfers t to the reader. An attacker can hold and modfy all messages transmtted between tags and readers. (d) DoS attack (Dmtrou, 2005; Ohkubo et al., 2003): An attacker holds an llegal RFID tag, then sends fake message to a RFID reader, or an attacker holds an llegal RFID reader, and then sends a query request to a RFID tag, attemptng to make legal readers and legal tags unable to communcate wth each other. (2) Prvacy protecton: (a) User habt prvacy (Dmtrou, 2005; Kondala and Km, 2006): A securty problem arses from attackers obtanng messages from users RFID tags. Snce the EPC code n the tag s not encrypted, when an attacker obtans a tag s code, that tag responds to the reader, and that attacker can query the database. Therefore, user prvacy s threatened. (b) User locaton prvacy (Dmtrou, 2005; Kondala and Km, 2006): It s possble for an attacker to determne a user s locaton. Ths s because an attacker can obtan nformaton from tags. Although the tag encrypts the message sent to the llegal reader, attackers stll can 11

13 determne the user s locaton by mult-reader to query an RFID tag at dfferent locaton. (3) Mutual authentcaton between tag and reader (Chen and Chen, 2007): Mutual authentcaton s a good mechansm to prevent llegal access. Usng authentcaton processng framework, both reader and tag are needed to regster wth the database. Legal readers can verfy whether a tag s legal, and legal tags can verfy whether readers are legal. (4) EPC Class 1 Generaton 2 standards (Chen and Chen, 2007): EPC Class 1 Generaton 2 standards have been establshed by EPC globally as an RFID system standard. If an RFID protocol cannot conform to EPC Class 1 Generaton 2 global standards, t wll not be undesreable n demand. Therefore, a secure RFID protocol that conforms to EPC Class 1 Generaton 2 standards s necessary. (5) Reduce database loadng (Dmtrou, 2005; Vajda and Butty an, 2003): In non-encrypted RFID systems, readers can obtan tag EPCs easly. However, n encrypted RFID systems, readers do not have mmedate access to EPCs. Readers usually must search the entre database to access the EPC. Ths can take a long tme. Reducng database loadng s an mportant ssue n desgnng RFID systems. 3. Our scheme Many extant schemes have securty problems (Gao et al., 2004; Karthkeyan and Nesterenko, 2005; Osaka et al., 2006; Sato et al., 2004); we therefore propose a novel scheme to counter these problems. On 12

14 the bass of (Ayoade, 2006), n our proposed scheme, readers and tags regster wth the database such that llegal access can be avoded. Ths scheme acheves mutual authentcaton, and also protects user prvacy. 3.1 Notaton The followng notaton s used n our scheme. ( N, K ) : N s a nonce word, K s a key, f tags have regstered wth the database, they obtan the ( N, K ). CRC ( ) : a Cyclc Redundancy Check (CRC) functon. EPC T : the th Electronc Product Code whch conforms Class 1 Generaton 2 (C1G2) standards to dentfy the unque global product. ID R : the th reader s dentfcaton. RND : a random value whch s generated by a reader. : exclusve-or operaton. M req : the reader s request message. M resp : the reader s response message. 3.2 Regstraton phase We dvde the regstraton phase nto two parts. Tags and readers must regster wth the database separately, and then they can communcate wth each other. In our scheme, the tags and readers must 13

15 make a regstraton wth the database before deployng. In such desgn, we suppose the regstraton s under a secure envronment. The followng process s mplemented. Step 1: Each RFID tag has a unque EPC. When a tag s regstered to a database, the database wll ssue n parameters N N, N 1, 2, L n and n keys, 2, n K 1 K L, K for each regstered tag, respectvely. For example, the th tag s regstered to the database, and the EPC T s stored n the database. Then the database responds wth N and K, respectvely. One N corresponds to only one K, and each regstered reader can read the regstered tags. When tags are regstered wth a database, these tags can only be read by the regstered readers. Each legal tag can be accessed by regstered readers. Scenaros utlzng tag regstraton to databases are shown n Fg. 5. EPC T1,N 1,K 1. N n,k n EPC T,N,K. N n,k n Tags EPC T1 N 1,K 1. EPC T N,K EPC T1,N 1,K 1 EPC T2,N 2,K 2 EPC T,N,K EPC Tn,N n,k n Database Fg. 5. Scenaros utlzng tags regstered to a database Step 2: Each RFID reader has a unque dentfcaton ID R. After regsterng wth a database, the reader, whch stored the correspondng N ), can only access the assgned tags. Due to the fact that (, K 14

16 llegal readers have not regstered wth a database, access s dened to them. Each legal reader can access regstered tags. Scenaros depctng readers regstered wth databases are llustrated n Fg. 6. ID R1,N 1,K 1. N n,k n ID R,N,K. N n,k n Readers N 1,K 1 ID R N,K ID R1. ID R1,EPC T1,N 1,K 1 ID R2,EPC T2,N 2,K 2 ID R,EPC T,N,K ID Rn,EPC Tn,N n,k n Database Fg. 6. Scenaros showng readers regster to database 3.3 Communcaton phase Through the regstraton phase, tags and readers can communcate mutually. We also utlze random number generators, exclusve-or operatons and the lghtweght CRC operaton whch conforms to the EPC Class 1 Generaton 2 standards durng the communcaton phase. The detaled scenaros of ths novel scheme are descrbed n Fg

17 Tag 3. RND new, X, Y EPC T,N,K 2.1. Verfy CRC( N ' RND)? CRC( N RND) 2.2.Generate RND new 2.3. Compute X = ( K ' EPCT RND new ) 2.4. Compute Y = CRC( RNDnew N ' X ) ( ) RND 1. M req, CRC N RND, Reader 5.M ID R,N,K resp 4.1. Verfy Y? CRC( RNDnew N X) 4.2. Compute EPC = K RND X Fg. 7. Scenaros depctng our scheme n communcaton phase. T new Step 1: When reader wants to access a tag, t sends a request message M, ( N RND) req CRC and RND to tag. Step 2: Upon recevng the ( N RND) CRC CRC ( N ' RND) CRC and RND, the tag uses the stored N ' to compute. Thus, the tag can authentcate the reader va the followng equaton: ( N RND)? CRC( N RND) ' (1) If t does not hold, ths read request s assumed to be sent from an attacker or from a forbdden lst, and the tag wll not perform any further calculatons or responses. If t holds, a tag wll generate a new random value RND new. Then, the tag computes: X Y = ( K ' EPCT RND new ) (2) ( RND N X ) = CRC ' (3) new Step 3: Tag sends ( RND new, X, Y ) to a reader. Step 4: Upon recevng the tag s response message, a reader uses the CRC functon to calculate CRC ( RND N X ) new, whch N obtaned from the database; RND new and X obtaned 16

18 from the tag. It then determnes f Y CRC( RND N X ) =. If ths does not hold, ths new response may have been sent by an attacker, and the reader wll not perform any further calculatons or responses. If t holds, RND new, X and Y have not been modfed. The reader uses the coordnated K (whch corresponds to N ); and ( RND new, X ) to obtan the EPC T as follows: EPC T = K RND X (4) new Step 5: When a reader obtans a tag s EPC T, and the legal of tag has been confrmed. The reader sends a response M resp to the tag. 4. Analyses and comparsons In ths secton we survey and analyze the securty requrements purposed n secton 1.3, and compare our results to related research. 4.1 Aganst attacks (a) Counterfet reader attack tag analyss The purposed scheme can prevent llegal tag access va the verfcaton n Step 2 of the communcaton phase: CRC ( N ' RND)? CRC( N RND) 17

19 A tag wll use the CRC functon to calculate CRC( N RND) ', where N ' s stored n the tag, and RND s obtaned from the reader. Thus, any llegal access can be averted. (b) Counterfet tag attack reader analyss The purposed scheme also can prevent attackers from usng llegal tags to attack readers through the verfcaton n Step 4 of the communcaton phase: CRC ( RND N ' X )? CRC( RND N X ) new new The reader calculates CRC( RND N X ), and compares t to CRC( RND N X ) new new ' receved from the tag to verfy whether they are equal. If t holds, they perform further process. If they are not equal, the counterfet tag attack upon the reader s detected. (c) Man-n-the-mddle attack analyss Ths attack method attacks the communcaton between tags and readers. However, ths attack cannot succeed aganst our purposed scheme. Through ( N RND) CRC n Step 1 of the communcaton phase and X = K ' EPC RND ), Y = CRC( RND N ' X ) n Step 3 of the communcaton ( T new new phase, we can verfy the receved messages between tag and reader are vald va the CRC functon, the exclusve-or operaton, and secret parameters N and K. Furthermore, we use the random values RND and RND new durng transmsson process. When a reader fnshes a query, the random value for each transacton s always changed. Therefore, t s dffcult for the attacker to obtan the messages. Even f an attacker obtans a key K, the attacker stll cannot crash the whole system, and our scheme can decrease system damage. 18

20 (d) DoS attack analyss After recevng the query request that was sent from reader, the tag makes verfcaton through Step 2 of the communcaton phase: CRC ( N ' RND)? CRC( N RND) Snce the attacker cannot send the correct N, the verfcaton wll fal. The tag wll not perform more operatons. On the other hand, f the attacker responds by usng llegal tags, through the verfcaton n Step 4 of the communcaton phase: CRC ( RND N ' X )? CRC( RND N X ) new new The reader wll not receve the correct parameter whch ncludes the correct N. Therefore, the reader wll not perform more operaton. The DoS attack can be avoded n our proposed scheme. 4.2 Prvacy protecton (a) User prvacy analyss Our scheme can clearly protect user prvacy, preventng an attacker from obtanng a tag s EPC by usng the verfcaton n Step 2 of the communcaton phase: CRC ( N ' RND)? CRC( N RND) Snce the attacker cannot know the N value, the attacker cannot mpersonate a legal reader by sendng ( N RND) CRC correctly. Therefore, the tag wll not make any response to the llegal reader. 19

21 Moreover, through the protecton messages X = K ' EPC RND ) and ( T new Y = CRC( RNDnew N ' X ) used n Step 3 of the communcaton phase; t s clear that even f an attacker wants to ntercept the messages between tags and readers, he only can only obtan the above protected message, and cannot know the real EPC T. Thus, user prvacy can be ensured. (b) User locaton prvacy analyss Even though the attacker may not obtan plan text from a tag, the attacker can stll trace a user s locaton. However, he wll fal n our purposed scheme. We use the CRC functon and exclusve-or operaton to retreve the message ( N RND) CRC n Step 1 of the communcaton phase. When a tag and a reader fnsh a transacton, the reader changes the random value RND for the next transacton. Therefore, even f the attacker ntercepts the message that tag sends to a legal reader, the reader wll use dfferent random value RND for next transmsson. The attacker wll not know the dentty of the tag, thus the attacker cannot determne the user s locaton. 4.3 Mutual authentcaton between tag and reader analyss The proposed scheme can satsfy the mutual authentcaton mechansm between tag and reader. Through the verfcaton n Step 2 of the communcaton phase: CRC ( N ' RND)? CRC( N RND) A tag can confrm whether t can be read by legal reader. If a reader has not regstered wth the database, t cannot read the tag. 20

22 Moreover, by the verfcaton n Step 4 of the communcaton phase: CRC ( RND N ' X )? CRC( RND N X ) new new The reader can confrm by the response f the tag s legal. Thus, the tag verfes the reader, and the reader also verfes the tag. The proposed scheme acheves mutual authentcaton between tags and readers. 4.4 EPC Class 1 Generaton 2 standards analyss The current tags are lmted by computng resources and cost. Our scheme only performs the operatons of CRC functons, exclusve-or operatons, and generates random numbers. The other complex operatons, lke hash functon, symmetrc encrypton, and asymmetrc encrypton cannot conform to EPC Class 1 Generaton 2 standards. Our scheme can conform to EPC Class 1 Generaton 2 standards. 4.5 Database loadng reducton analyss In the proposed scheme, we use the nonce N parameter to search the small amount of data whch s stored n the reader nstead of searchng the whole database. Smultaneously, the reader uses N, retreved from ts memory, and uses the correspondng K to decrypt the tag s EPC wthout searchng the entre database. Ths reduces the database loadng more than (Dmtrou, 2005; Garfnkel et al., 2005; Gao et al., 2004). 21

23 4.6 Comparsons Summarzng the above, we compare our proposed scheme wth the related schemes usng smart tag mechansms as Table 2. Table 2 Functonal comparsons of smart tag mechansms Methods Good Reader Ownershp Transfer Unversal encrypton Karthkeyan Nesterenko s Our scheme Functons scheme scheme scheme scheme Entre securty Md Md Md Md Hgh Database loadng Md Hgh Low Hgh Low Locaton traceable No Yes No Yes No Avod DoS attack No No Yes No Yes Encrypton method Hash Hash Key AND CRC Authorty management Yes No No No Yes Mutual authentcaton No No No No Yes Conform EPC C1G2 No No No Yes Yes Table 3 compares the proposed scheme and other related schemes usng smart tag mechansms. 22

24 Table 3 Step comparsons of smart tag mechansms Methods Good Reader Ownershp Transfer Unversal encrypton Karthkeyan Nesterenko s Our scheme Steps scheme scheme scheme scheme Between tag and reader (wth database) In tag In reader (wth database) Total Conclusons RFID technology can be appled to new nches n manufacturng, supply chan management, and retal sellng. However, RFID securty problems must frst be overcome. Prevously proposed schemes leave many securty problems unresolved. On the other hand, these schemes do not decrease the searchng burden of the database. We propose a mutual authentcaton protocol whch conforms the EPCGlobal C1G2 standards to solve the problems of the current tags lackng of computng resource. In ths paper, once the tags and the readers have regstered wth the database n off-lne mode, they can process further transmssons va mutual authentcaton. The proposed scheme can be appled to varous applcatons drectly. For example, f the applcaton needs the mutual authentcaton to enhance the communcaton securty, and the computng resource of 23

25 the tag s lmted. Our scheme can serve the requrement. We prove ths new scheme can solve the transmsson securty problems between tags and readers. Prevous schemes requre that the entre database be searched when readers and tags authentcate each other for a transacton. However, readers only requre lmted comparsons n our scheme, reducng the burden on the database greatly. In spte of the supply chan or arport IT system also can nvolve our scheme to redeem the securty leak. One possble future applcaton for our scheme s to arport securty management. For example, each electronc boardng pass can use an RFID tag, and each arlne s servce area and boardng gate can have RFID readers. When Bob buys a plane tcket from arlne A, the arlne wll wrte relevant nformaton n Bob s electronc boardng pass. If Bob s flght number boards at gate 1, but Bob goes to gate 2, when the reader of gate 2 checks the RFID tag n Bob s electronc boardng pass, and fnds that Bob should board at gate 1, the system wll send a message tellng Bob the correct gate. When an attacker wants to get nformaton n Bob s electronc boardng pass, he/she wll not success. Because the attacker cannot send the correct N, RFID tag wll not do any responses. Thus, the attacker can not stll trace Bob s locaton. In our scheme, when Bob s electronc boardng pass and a legal reader fnsh a transacton, the reader and the tag wll update the random value RND and RND new respectvely for the next transacton. The attacker wll not know the dentty of Bob s electronc boardng pass, thus the attacker cannot determne Bob s locaton. 24

26 Acknowledgements The referees nsghtful comments helped to mprove the paper sgnfcantly. References: Angeles, R., RFID Technology: supply-chan applcatons and mplementatons ssues, Informaton Systems Management, Vol. 22, No. 1, pp Ayoade, J., Securty mplcatons n RFID and authentcaton processng framework, Computers & Securty, 25 (3), Chen, H.Y. and Chen, C.H., Mutual authentcaton protocol for RFID conformng to EPC Class 1 Generaton 2 standards, Computer Standards and Interfaces, 29 (2), Dmtrou, T., A Lghtweght RFID Protocol to protect aganst Traceablty and Clonng attacks, IEEE Internatonal Conference on Securty and Prvacy for Emergng Areas n Communcaton Networks, SecureComm. Garfnkel, S.L., Juels, A. and Pappu, R., RFID Prvacy: An Overvew of Problems and Proposed Solutons, IEEE Securty & Prvacy, the Claremont Resort, Berkeley/Oakland, Calforna, Gao, X., Xang, Z., Wang, H., Shen, J., Huang, J., and Song, S., An Approach to Securty and Prvacy of RFID System for Supply Chan, IEEE Internatonal Conference on E-Commerce Technology for Dynamc E-Busness, Juels, A., Rvest, R.L. and Szydlo, M., The blocker tag: selectve blockng of RFID tags for consumer prvacy, 8th ACM Conference on Computer and Communcatons Securty, ACM Press, 25

27 New York, Karkkanen, M., Increasng effcency n the supply chan for short shelf lfe goods usng RFID taggng, Internatonal Journal of Retal & Dstrbuton Management, Vol. 31, No. 10, pp Karthkeyan, S. and Nesterenko, M., RFID securty wthout extensve cryptography, Proceedngs of the 3rd ACM Workshop on Securty of Ad Hoc and Sensor Networks, Kondala, D.M. and Km, K., Moble RFID Securty Issues, The 2006 Symposum on Cryptography and Informaton Securty (SCIS 2006), Hroshma, Japan, Avalable onlne Ohkubo, M., Suzuk, K. and Knoshta, S., Cryptographc Approach to Prvacy-frendly Tags, n RFID Prvacy Workshop, Bartos Theatre, MIT Meda Lab, MIT. Osaka, K., Takag, T., Yamazak, K. and Takahash, O., An Effcent and Secure RFID Securty Method wth Ownershp Transfer, IEEE Internatonal Conference on Computatonal Intellgence and Securty, Sato, J., Ryou, J.C. and Sakura, K., Enhancng Prvacy of Unversal Re-encrypton Scheme for RFID Tags, EUC 2004, LNCS 3207, Sarma, S.E., Wes, S.A., and Engels, D.W., Rado-frequency dentfcaton systems. In Burton S. Kalsk Jr., Cetn Kaya Koc, and Chrstof Paar, edtors, CHES '02, Sprnger-Verlag, LNCS 2523, Srvastava, B., Rado frequency ID technology: The next revoluton n SCM, Busness Horzons, 26

28 Vol. 47, No. 6, pp Vajda, I. and Butty an, L., Lghtweght authentcaton protocols for low-cost RFID tags, 2nd Workshop on Securty n Ubqutous Computng, Seattle, Washngton. Avalable onlne Wang, S.W., Chen, W.H., Ong, C.S., Lu, L., and Chuang, Y.W., RFID applcatons n hosptals: a case study on a demonstraton RFID project n a Tawan hosptal, Proceedngs of the 39th Hawa Internatonal Conference on System Scences, Vol. 8, pages 10. EPC (Electronc Product Code) Class1 Generaton2 standard by EPCglobal, Descrpton at Access avalable on 15 March mcloak: Personal / corporate management of wreless devces and technology, Product descrpton at 27