Beefing Up Security

A crypto algorithm embedded in an EPC Gen 2 tag could thwart counterfeiters and ensure only supply-chain partners have access to business information.
By Kwangjo Kim and Divyan M. Konidala
Apr 01, 2011—An RFID-enabled supply-chain management system can be used by geographically distributed stakeholders to automatically track and identify items in real time, and to share business information. Ultrahigh-frequency RFID tags based on EPCglobal's Gen 2 standard (ISO 18000-6C) are most commonly used for tagging and tracking items through the supply chain, so the Auto-ID Lab Korea conducted a thorough security assessment of the Gen 2 protocol.

An EPC Gen 2 tag can be embedded with a 32-bit access password and a 32-bit kill password. After obtaining the tag's Electronic Product Code, an interrogator issues an access command to the tag, which replies with two 16-bit challenges. The interrogator responds by obscuring the access password using the two challenges. Upon successfully verifying this response from the interrogator, the tag enters a secured state, in which the interrogator is allowed to carry out other commands, such as read, write and lock. Similarly, a kill command can permanently disable the tag.

But the access/kill command procedures authenticate the reader, not the tag, and the two challenges from the tag are sent in an open, unobscured form. An eavesdropping adversary could capture the two challenges and reverse the operation in the interrogator's responses, exposing the access/kill password. These weaknesses leave the EPC Gen 2 tag vulnerable to cloning, counterfeiting, unauthorized access and data corruption.
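
The exchange and its weakness, as an added example that is not the authors' code: it models the access procedure with the XOR cover-coding that the Gen 2 air interface uses to obscure each 16-bit password half, and shows that the four over-the-air values alone determine the password. The function names, the password and the challenge values are constructed for illustration.

```python
MASK16 = 0xFFFF

def cover_code(word16, rn16):
    """Obscure (or recover) a 16-bit word by XOR with a 16-bit tag challenge."""
    return (word16 ^ rn16) & MASK16

def interrogator_access(password32, rn_hi, rn_lo):
    """Interrogator side: obscure each password half with its own challenge."""
    return (cover_code(password32 >> 16, rn_hi),
            cover_code(password32, rn_lo))

def tag_verify(stored32, rn_hi, rn_lo, resp_hi, resp_lo):
    """Tag side: strip the challenges it issued and compare with its password."""
    got = (cover_code(resp_hi, rn_hi) << 16) | cover_code(resp_lo, rn_lo)
    return got == stored32

def exposed_from_transcript(transcript):
    """What a passive listener learns from the four over-the-air values.

    The transcript holds no secret input, yet the result is the password:
    the listener runs the same XOR the tag runs.
    """
    hi = cover_code(transcript["resp_hi"], transcript["rn_hi"])
    lo = cover_code(transcript["resp_lo"], transcript["rn_lo"])
    return (hi << 16) | lo

def run_session(password32, rn_hi, rn_lo):
    """Simulate one access exchange and return everything sent over the air."""
    resp_hi, resp_lo = interrogator_access(password32, rn_hi, rn_lo)
    assert tag_verify(password32, rn_hi, rn_lo, resp_hi, resp_lo)
    return {"rn_hi": rn_hi, "rn_lo": rn_lo,
            "resp_hi": resp_hi, "resp_lo": resp_lo}

if __name__ == "__main__":
    # Constructed sample values, not taken from any real tag.
    air = run_session(0xA1B2C3D4, 0x1234, 0xBEEF)
    print({k: hex(v) for k, v in air.items()})
    print("recoverable from transcript:", hex(exposed_from_transcript(air)))
```

Nothing the tag transmits depends on the password, which is why the exchange authenticates only the interrogator.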

To alleviate these weaknesses, we designed a lightweight challenge-response crypto algorithm, which uses a 96-bit password. It achieves tag-interrogator mutual authentication and is designed for low-cost tags, which can generate only 16-bit challenges and responses. It also encrypts the challenge and response data sent from the tag to the interrogator. Our crypto algorithm does not require any changes to the current EPC Gen 2 air-interface protocol. We are now working on the practical design and implementation of the crypto algorithm.

We realize that some supply-chain stakeholders are reluctant to use passwords in RFID tags because it could mean management overhead. But passwords could be encrypted and then written into the tags by the tag manufacturer or supplier before shipping, so they would not need to be managed or stored in a database by the end user. We are now in the process of formalizing this approach.

We are actively participating in the GS1 EPCglobal Hardware Action Group: UHF, Air Interface, 1 and 2. We submitted the lightweight crypto algorithm for consideration, and we are also contributing other ideas and solutions for enhancing the Gen 2 standard, such as customer privacy-protection options.

Kwangjo Kim is an associate director at the Auto-ID Lab Korea at the Korea Advanced Institute of Science and Technology (KAIST) and a professor of computer science at KAIST. Divyan M. Konidala is a research assistant at the Auto-ID Lab Korea and a doctoral candidate at KAIST.