Home Internet of Things Aerospace Apparel Energy Defense Health Care Logistics Manufacturing Retail

BRIDGE Researchers Demo Highly Secure EPC Gen 2 RFID

The group says its prototype shows it is possible to create a passive EPC Gen 2 tag that employs cryptographic keys to protect its data.
By Mary Catherine O'Connor
Jul 22, 2009Passive ultrahigh-frequency (UHF) RFID tags compliant with EPCglobal's Gen 2 protocol are used for tracking cases and pallets of goods in the supply chain; for performing quick, accurate inventory on individual products and on high-value assets; and, in some cases, for identifying individuals. But the existing protocols for securing these tags and the data encoded to them are weak. While a number of research organizations and security companies have proposed various approaches that could be utilized to improve the security of these types of RFID tags, none have yet been adopted. But the Tag Security Research Group hopes that will soon change, and after carrying out on an experiment involving a prototypical tag, its members wrote a white paper explaining their vision for more secure EPC Gen 2 tags.

The Tag Security Research Group is part of the BRIDGE project (Building Radio frequency IDentification solutions for the Global Environment). The three-year, €13 million ($18.5 million) project is funded, in part, by the European Union, and is dedicated to the research, development, training and demonstration of the effective use of RFID systems—specifically, those employing the EPCglobal standards framework (see EU Pledges $9.5M to Study, Promote RFID Business Applications).

The group’s semi-passive prototype of an encryptable EPC Gen 2 tag
Representatives from BT, SAP, Benedicta, AT4 Wireless, CAEN RFID, Confidex, UPM Raflatac and GS1 UK all participated in the research group and contributed to the project, as did representatives from four different universities—Graz University of Technology , ETH Zurich, the University of Fudan and the University of Cambridge. Funding for the group came, in part, from the EU grant, with the remaining provided by group member companies.

The tag-security white paper can be downloaded from the BRIDGE Web site (click on WP4 Security White Paper, under the Publications heading).

The aim of the Tag Security Research Group, and the white paper, is to provide suggestions, as well as a proof of concept, for a means of deploying EPC Gen 2 tags that support a robust security protocol between the tag and interrogator. The current Gen 2 air-interface protocol includes an option to use a password to protect tag data, thus preventing it from being altered by an unauthorized party. The password is static, however—meaning it never changes—and passes between the tag and reader in plain text, enabling it to be easily intercepted. What's more, the password does not prevent the tag data from being interrogated by any EPC Gen 2 reader.

Consequently, the only means of ensuring an EPC Gen 2 tag will not be read by an unauthorized party is to employ the protocol's kill command. But the problem with such a command is that it renders a tag permanently unreadable, thereby negating any value the tag holds in terms of authenticating a product warranty, return or exchange. In addition, current tag security measures do not provide adequate protection from attempts to counterfeit EPC tags, says Andrea Soppera, BT Research's supply chain innovation manager, and one of the white paper's coauthors.

Like other proposals for improving EPC tag security, the Tag Security Research Group's approach relies on the use of cryptography (see Researchers Say Sharing Is the Key to Privacy for EPC Tags and An RFID Tag Data Security Infrastructure Approach for Items). Specifically, the document's authors suggest security measures "based on a symmetric cryptographic approach, implemented in a way that the reading distance of low-cost tags is not reduced. In symmetric cryptography, identical cryptographic keys are used for both decryption and encryption." The group focuses on widely adopted standard data security methods, such as the Advanced Encryption Standard (AES).


Shane 2009-07-23 09:39:22 AM
Done 2 years ago on a passive device Researchers implemented RC5 on a fully passive device with a microcontroller 2 years ago. It was published at RFIDSec. http://www.cs.umass.edu/~ssclark/crfid/papers/chae-rfidsec07.pdf

Login and post your comment!

Not a member?

Signup for an account now to access all of the features of RFIDJournal.com!

Case Studies Features Best Practices How-Tos
Live Events Virtual Events Webinars
Simply enter a question for our experts.
RFID Journal LIVE! RFID in Health Care LIVE! LatAm LIVE! Brasil LIVE! Europe RFID Connect Virtual Events RFID Journal Awards Webinars Presentations