
ASIACCS 2007

Protecting RFID Communications in Supply Chains

Yingjiu Li & Xuhua Ding

School of Information Systems

Singapore Management University


Background

• RFID

• Each tag has a globally unique identification number.

• RFID tag has very weak computation power.

• RFID tag has very limited storage.


Supply Chain Management

• Supply Chain
  – A coordinated system of organizations moving a product from supplier to customer.

[Figure: supply chain of Partner P1, Partner P2, Partner P3 and Partner P4]


Security Requirements

• Authoritative Access
  – For a shipment to partner Pi, only Pi’s reader can access.

• Authenticity
  – Only legitimate RFID tags can be accepted.

• Unlinkability
  – Infeasible to determine whether two responses are from the same tag.

• Supply Chain Visibility
  – Manager’s ability to track and identify the flow.


System Model

• Consider a supply chain of N partners
  – P1, P2, …, PN
  – Each has a pair of public/private keys.
  – Material flow: P1 → P2 → P3 → … → PN

• No assumption on global knowledge of the entire supply chain.

• Assumptions:
  – Attackers are unable to access the stored secrets by physically compromising RFID readers or tags.
  – Attackers are able to eavesdrop on the interaction between RFID tags and legitimate readers.
  – Attackers are able to interrogate RFID tags an arbitrary number of times.


The Protocol

A high-level view:

P1 initializes all RFID tags with a secret key from its next partner. Partner Pi downloads the list of IDs from Pi-1, reads all the tags, and updates the tags for Pi+1.

[Figure: Tag Initialization. P1 initializes tags C1, C2, Cn to C1k2, C2k2, Cnk2, where k2 is the secret key chosen by P2.]

[Figure: Database initialization. Table with columns ID, Secret mask, Response and ID entries c1, …, cn.]


RFID Read Protocol (by Partner Pi)

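[Figure: read protocol between partner Pi, with database Di, and the RFID tags. Labels on the slide: r; t=H(r); =cxki; t; t ?; a a’.]

Database Di:

ID    Secret mask    Response
c1                   h(rc1ki)
c2                   h(rc2ki)
cx    r              h(rcxki)
cn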


RFID Write Protocol (by Partner Pi)

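[Figure: write protocol between partner Pi, with database Di, and an RFID tag. Labels on the slide: a=kiki+1; b=H(acki); =cxki; b H(a )?; =a= cxki+1.]

Database Di:

ID    Secret mask    Response
c1    r1
c2    r2
cx    rx             h(rcxki)
cn    rn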


Security

• Read Protocol
  – The readers are NOT authenticated.
  – For a tag prepared for Pi, only Pi and Pi-1’s reader can extract its ID.
  – Only legitimate tags are processed.

• Write Protocol
  – For a tag prepared for Pi, only commands from Pi and Pi-1 will be accepted.
  – Reveal no information to eavesdroppers.


Balancing Security and Performance

[Figure: Pi issuing nonces r1, r2, r3 to groups of tags]

ID      Secret mask    Response
c1      r1             h(r1c1ki)
c2      r1             h(r1c2ki)
cx      r2             h(r2cxki)
cx+1    r2             h(r2cx+1ki)

Basic Idea: Batch process with a shared nonce, instead of a fresh nonce per tag.
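An added sketch (not code from the slides or their authors) of the initialize / read / write cycle described on the protocol slides, with one shared nonce per batch as in the basic idea above. It assumes the operators missing from the extracted expressions are XOR, which matches the Performance slide's counts of 1 hash + 1 XOR per read and 1 hash + 2 XOR per write; SHA-256, the 96-bit values and every function name are likewise assumptions.

```python
import hashlib
import secrets

N = 12  # bytes; constructed size that fits the slides' "<128 bits" of tag storage

def xor(*parts):  # assumption: the operator lost from the slides' "c k" terms is XOR
    out = bytes(N)
    for p in parts:
        out = bytes(x ^ y for x, y in zip(out, p))
    return out

def H(data):
    return hashlib.sha256(data).digest()  # stand-in for the slides' unnamed hash

class Tag:
    def __init__(self, alpha):
        self.alpha = alpha                 # c XOR k; the bare ID c is never stored

    def read(self, r):                     # 1 XOR + 1 hash
        return H(xor(r, self.alpha))

    def write(self, a, b):                 # 2 XOR + 1 hash
        if not secrets.compare_digest(b, H(xor(a, self.alpha))):
            return False                   # sender does not hold the tag's current key
        self.alpha = xor(self.alpha, a)    # now c XOR k_next
        return True

def build_db(ids, key, r):  # partner database: response -> ID for one shared nonce r
    return {H(xor(r, c, key)): c for c in ids}

def identify(tag, db, r):
    return db.get(tag.read(r))             # None if the tag is not keyed for this partner

def hand_over(tag, c, key, next_key):
    a = xor(key, next_key)
    return tag.write(a, H(xor(a, c, key)))

def demo():
    k2, k3 = secrets.token_bytes(N), secrets.token_bytes(N)
    ids = [secrets.token_bytes(N) for _ in range(3)]      # constructed tag IDs
    tags = [Tag(xor(c, k2)) for c in ids]                 # P1 prepares tags for P2
    r = secrets.token_bytes(N)
    seen = [identify(t, build_db(ids, k2, r), r) for t in tags]
    foreign = identify(tags[0], build_db(ids, k3, r), r)  # P3's key does not match yet
    forged = tags[0].write(xor(k2, k3), bytes(32))        # wrong b: rejected
    moved = all(hand_over(t, c, k2, k3) for t, c in zip(tags, ids))
    r2 = secrets.token_bytes(N)
    after = [identify(t, build_db(ids, k3, r2), r2) for t in tags]
    stale = identify(tags[0], build_db(ids, k2, r2), r2)  # k2 alone no longer matches
    return ids, seen, foreign, forged, moved, after, stale
```

In `demo()`, P2 identifies every tag, a write with a wrong `b` leaves the tag unchanged, and after the hand-over only a database built with k3 resolves the responses.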


Unlinkability & Supply Chain Visibility

Unlinkability

• Are they the same tag?

• A weaker notion than universal unlinkability.

[Figure label: processed by Pi’]

Supply Chain Visibility

• The ability to identify all tags and the present partner

• by introducing a trusted authority and key escrow


Performance

• Tag’s storage cost: <128 bits

• Tag’s computation cost: 1 hash + 1 XOR for read; 1 hash + 2 XOR for write

• Communication cost among Partners: the list of tag identifications (not the whole database)

• Computation cost for a Partner:
  – Only hash, XOR and comparison are needed;
  – A major portion can be pre-computed;
  – Suitable for batch processes;
  – Practical, since the bottleneck is the tag-reader communication delay.
