NSA Offers Block Ciphers to Help Secure RFID Transmissions

By Claire Swedberg

The SIMON and SPECK block cipher families are free to use and enable the encryption of transmitted RFID data in any frequency.

The National Security Agency (NSA) is offering two families of encryption algorithms, known as block ciphers, intended to provide a level of security for such processes as authentication or anti-counterfeiting via RFID technology. The block ciphers, dubbed SIMON and SPECK, are intended to be a lightweight, low-power-using alternative to existing encryption systems available for RFID tag reads.

The name SIMON alludes to the nursery rhyme "Simple Simon," while the name SPECK was inspired by the block cipher's small size. NSA is making the ciphers (which are designed for wired or wireless electronic devices, including RFID readers) publicly available at no cost, as part of an effort to ensure security in the Internet of Things (IOT), in which devices are sharing data with others on the Internet. The agency's algorithms were reviewed by U.S. standards group InterNational Committee for Information Technology Standards (INCITS), which then submitted them to the International Organization for Standardization (ISO) for inclusion in the ISO 29192-2 standard, which currently specifies two other lightweight block ciphers: CLEFIA, a proprietary 128-bit block cipher developed by Sony, and PRESENT, a 64-bit block cipher developed by a research team affiliated with France's Orange Lab, Germany's Ruhr University Bochum and the Technical University of Denmark.

NSA researchers developed SIMON and SPECK as an improvement on block cipher algorithms already in use that were, in most cases, designed for desktop computers or very specialized systems, explains Louis Wingers, a cryptographic designer for the NSA's Trusted Systems Research Group, who helped design both SPECK and SIMON.

The encryption algorithm most commonly used for RFID applications is the Advanced Encryption Standard (AES), which was standardized by the National Institute of Standards and Technology (NIST) in 2001. AES is included in the ISO 18033-3 standard, which specifies encryption techniques designed to protect the confidentiality of stored or transmitted data. At the time that it was standardized, the AES cipher was intended for desktop computers, which typically had a 32-bit microprocessor and no power issues since such a device is plugged into an outlet. With processors getting smaller and faster, and with more devices (including RFID readers and other IOT-based sensors) becoming mobile, the AES system has become clunky, Wingers explains. For instance, it uses 2,400 gate equivalents (GEs)—a GE is a unit for measuring space used on a chip—when users (RFID technology developers, for instance) were seeking something that consumed a smaller area, such as 2,000 GEs. The lightweight SIMON and SPECK block ciphers employ approximately 1,200 GEs, Wingers says.

SIMON and SPECK are not the only lightweight block ciphers, Wingers notes, but some others tend to be specialized for a specific application, meaning they aren't optimized for use across a variety of solutions. The CLEFIA and PRESENT algorithms can be used for any application, as can SIMON and SPECK. However, he says, SPECK and SIMON are designed to perform better on memory- and processor-constrained devices with smaller hardware. They also offer a greater number of block and key sizes, he adds, and work well in software.

Wingers likens SIMON and SPECK to generalist animals, such as crows and coyotes, that can function in most environments, as opposed to a koala that eats only one type of food (eucalyptus leaves) and is thus highly specialized. Encryption needs to be very low-cost, Wingers points out, and making the ciphers standardized and available at no cost makes it possible for the RFID hardware manufacturers to build the encryption into their own products.

Encryption can be created and decoded in two different ways: in the hardware itself, such as the RFID reader, or in the software that manages the RFID read data. SIMON and SPECK are designed for both scenarios. SIMON is intended for use in the hardware (such as tags and readers), while SPECK is software-based and is designed to be operated on a server, for instance. However, Wingers says, both block ciphers operate well in either environment. Within each family are 10 different ciphers based on sizes of blocks and encryption keys. One consists of 96 bits, in order to meet Electronic Product Code (EPC) tag requirements.

Block ciphers work like this: First, the reader finds the key shared with the tag and generates a random string (the challenge), which is sent to the tag. The tag encrypts the random string using the key stored in its memory and then forwards the result to the reader in blocks of data. The reader knows what the key is and can encrypt the random string with the key corresponding to the particular ID number. If the two encrypted values (the one generated by the tag, and the other by the reader) match, then the interrogator assumes the tag is authentic. In this way, the data is no longer vulnerable to individuals who might try to eavesdrop on a transmission. This process can be managed by the reader itself, rather than by the software on a back-end server.

The block ciphers target several common RFID use cases. For instance, with a system in which RFID or Near Field Communication (NFC) tags are used for making payments, a tag utilizing SPECK or SIMON encryption algorithms could reduce the chance that unauthorized individuals could listen in on a transmission with their own reading devices, and thereby capture the ID number that could be used to access a card-holder's credit card information or identity. RFID tags could also employ the block ciphers to encrypt tags attached to high-value items, such as liquor, purses, medicines or even cash. To verify that a product is not a counterfeit, a user would interrogate the tag using an RFID reader that shares the encryption key with the tag, thereby confirming that the tag ID is properly encrypted and accurate, and that the product is, therefore, not a fake.

Wingers warns that the use of block ciphers does not guarantee that a transmission is secure; rather, they are one tool in the effort to secure transmitted RFID tag data. "Block ciphers are only part of your security equation," he says, citing protocols for tag reads that must be set up and followed as well. In addition, although the NSA is making the ciphers available, it's a user's responsibility to adopt solutions for any problem that could arise, such as the need to change the key in all of its tags and readers in the event that the key has been compromised. The NSA's own cryptanalysts, Wingers notes, have determined that the algorithms have security commensurate with their key sizes. In other words, he says, "They are secure. The public cryptanalysis supports this conclusion."

Since the NSA researchers published a paper about the SIMON and SPECK cipher algorithms at the Cryptology ePrint Archive website two years ago, Wingers says, cryptanalysts have been trying to break them. "We wanted people to try to break them," he says, "but no one has been able to break them yet."

For the NSA, Wingers says, the value is in ensuring greater security in IOT communications, now and in the future. "NSA is trying to raise the base for security in IOT," Wingers states. "We're not selling anything. You can use them if you want to."

Wingers presented the ciphers at a meeting last month, attended by members of the RAIN RFID Alliance, an organization that works to promote awareness and the universal adoption of ultrahigh-frequency (UHF) RFID technology complying with the EPC Gen2v2 UHF RFID specification. The response from attending RFID companies, he reports, was quite favorable.