A Minimal Protocol with Public Key Cryptography for Identification and Privacy in RFID Tags

Lawrence Leinweber, Francis G. Wolff, Christos Papachristou, and Francis L. Merat

Abstract— We propose a protocol that minimizes the cryptographic effort on an RFID tag without requiring a back-end database record for each tag. The protocol allows a tag to identify itself only to its owner. When a product is sold, the tag ownership is changed in a secure way. Security is based on public key cryptography, which is becoming economically practical for RFID tags. With this protocol, tag owners need not share secrets with each other or with any central database, and therefore privacy will be provided by technology, which is inherently more robust than public policy.
I. INTRODUCTION

The advance of semiconductor technology is a double-edged sword of new benefits and new risks. The promise of RFID systems for product identification is greater efficiency, especially at the point of sale. But this ability to read product tags more easily can be abused. If the benefits of RFID technology cannot be separated from the risks, consumer confidence will suffer and public policy will work to intervene against the implementation of RFID systems [1]. Many designs have been proposed that make tags simple by moving as much computational effort as possible to the data processing infrastructure. But this approach requires a database system in which the records of every tag are available during every read operation [2]. We propose a protocol in which identification is provided while privacy is maintained. The protocol requires a minimal amount of public key cryptography on the tags so that no per-tag back-end database records are required. The protocol is appropriate for RFID tags and other small, ubiquitous systems where the cost of individual devices is small and volume is very high.
II. CONTRIBUTIONS

We discuss the requirements of a protocol for identification and privacy in a system of small devices, especially RFID tags. The protocol requires a minimum amount of tag communication, encryption and storage. Back-end database support for each tag is not required. We describe a protocol that requires the smallest number of encrypted (word) messages, encryption operations and word registers on the tag to provide identification and maintain privacy without depending on a database.

III. RFID AND THE PRIVACY PROBLEM

In the 1970s, barcode technology was developed to make product identification more efficient. RFID is a technology that has evolved with falling semiconductor prices and power requirements. When tag prices reach a sufficiently low level, perhaps $0.05, RFID systems will become viable replacements for barcodes. Important contributions to the application of product identification with RFID systems were made at the Auto-ID Lab, including the development of the EPC. In 2003, the Lab was spun off into the industry organization EPCglobal. Optically read barcodes require a line of sight and cannot be read through most packaging. Barcode systems operate at the frequencies of visible light, ~10¹⁵ Hz. A typical low-cost RFID system operates at ~10⁷ Hz, which is less directional and passes through most packaging material [3]. Unfortunately, RFID introduces privacy risks for consumers and intelligence risks for businesses [4]. The risks to consumers and businesses are inherent problems of RFID technology. The ability of tag and reader to communicate through materials, without a line of sight, brings benefits and risks that cannot be separated easily. If radio waves can pass through some materials, they can also be blocked and interfered with. A novel solution is the blocker tag, designed to transmit an interfering signal especially to confound the singulation process [5]. But if a reader does not follow the singulation protocol, the blocker tag’s strategy may be defeated. The processing capabilities of RFID tags can be exploited to implement a simple command which effectively destroys the tag [6]. The kill command password must be a carefully guarded secret, though typically the same password is embedded in many tags. Killing is a one-shot operation, at point of sale. It offers no security against business intelligence risks upstream in the supply chain, and no RFID benefit after the sale. More sophisticated software solutions include novel methods of implementing password protection on tags with very little computing power.
One scheme uses a set of pairs of pseudonyms (IDs) and keys (passwords) [7]. Hash-locking is a scheme that uses a one-way hash function to produce a metaID that obscures the tag’s real ID while providing an index to find the tag’s ID in a database [8]. The metaIDs are vulnerable to tracking unless they are randomized, which defeats their usefulness as database indices. Protocols based on pseudonyms and hash-locking depend on shared secrets between tags and databases. Information about every tag must be maintained indefinitely. In order to prevent tracking, exhaustive searches of tag records are required, so these schemes do not scale well. The burden cannot be alleviated by delegation unless the delegate is given a copy of the tag secrets [9]. The problem of privacy in RFID is similar to that of a laptop computer in a Wi-Fi network, except that the resources available to an RFID tag are orders of magnitude smaller. A second disadvantage of product ID tags, compared to larger networked systems, is that tags are isolated network nodes. In a cryptographically secured communication, a plaintext message and an encryption key are input to an encryption algorithm that produces a ciphertext, which is sent on the channel to the rightful receiver and possibly to an eavesdropper, who also has the decryption algorithm. Much of the difficulty with cryptographic security stems from the reuse of key information. The ideal solution, the one-time pad, has as much random key data as plaintext, so that every part of the ciphertext is encrypted independently. RFID systems that provide security by storing hash codes on tags and relying on the back-end database system to decode them suffer the same problem as one-time pads: the database becomes prohibitively large and difficult to secure. Other cryptographic systems use symmetric keys, where the encryption and decryption keys are directly related. Asymmetric cryptographic systems, in which a public key can be provided without compromising the private key, are less attractive since they require more resources to implement. RSA cryptography is the original practical algorithm for asymmetric key cryptography. It is based on multiplication and specifically on the difficulty of factoring the product of two large primes [10]. Elliptic curve cryptography (ECC) is an asymmetric key system based on elliptic curves over finite fields. ECC systems are more efficient than RSA in terms of key length and circuit area [11].
Hereinafter, we will use the customary ECC notation with the multiplier, in lower case, to the left of the generator, in upper case: a⋅G, b⋅G and a⋅b⋅G, as this is less cumbersome. In ECC, if one knows a, one can produce a⁻¹ and can therefore deduce x⋅G from a⋅x⋅G because x⋅G = a⁻¹⋅a⋅x⋅G.

IV. REQUIREMENTS OF A MINIMAL PROTOCOL

A. Minimum Cost Tags

Any solution based on sound principles of security requires cryptography and random number generation onboard the tags, and the lion’s share of this cost will be encryption hardware. Since the quantity of tags will dwarf the number of readers and other infrastructure, tag cost has to be minimized. The goal is to get functionality off tags while maintaining privacy by transmitting tag IDs only in encrypted, nonced messages.

B. Minimal Back-End Support

A system that depends for its security on a database record for each tag would require a large, fast and secure database back-end. The tags required for a large retailer could number in the billions. The database would have to be accessed from any of perhaps hundreds of thousands of readers. The information has to be accessed at the point of sale at an acceptable rate, probably in the tenths of a second. The simpler alternative, pursued here, is to put public key cryptography on the tag [12]. Elliptic curve processors for 131-bit keys have been designed with approximately 15,000 gates and one second delay running a 175 kHz clock [13]. This low clock speed implies a low power requirement. In 2002, in response to the ongoing Certicom ECC Challenge, a 109-bit elliptic curve key was broken using 10,000 computer-years [14]. The 131-bit challenge is unsolved to date.

C. Concept of Ownership

The central feature of this approach to privacy is the concept of ownership. A product identification tag has an owner that is the same as the owner of the product to which the tag is affixed. An owner may be an individual, corporation, partnership, or escrow agent. A tag owner may also be a surrogate, such as a credit card company, appointed by a legal owner who does not care to assert his ownership rights. For completeness, define an owner of newly made tags, who freely gives up ownership, and define an owner of killed tags, who never gives up ownership and prevents tags from transmitting. The owner is a variable in tag algorithms. Specifically, the tag owner’s public key, a⋅G, is stored in rewritable memory in the tag. When the tag changes owners, the value stored on the tag is changed. The owner retains the private key, a. Protocols have been proposed which use transfer of ownership. Reference [15] discusses changing ownership between two parties using symmetric key cryptography but requires database records for every tag.

D. Minimal Operations

Given that public key cryptography and owner identification are on the tag, we would like to establish the minimum requirements for using the tag to identify itself while maintaining privacy. One operation is required to communicate the tag ID to the owner and one operation is required to communicate a new owner to the tag.
The message for the read operation must be encrypted so that only the owner can read the tag ID. The operation to change to a new owner must occur only with the agreement of the interested parties. Since the only party suffering a loss by the transaction is the old owner, the tag merely needs proof that the change is approved by the old owner. That is, the tag must authenticate the old owner as the source of the change-owner operation. Since we require that the owner need not maintain a shared secret with the tag, there is no way for the owner to unilaterally send a message to the tag that the tag can prove came from the owner; however, the tag can authenticate the owner by requiring the owner to prove he can decrypt the message from the read operation. Therefore, the change-owner operation can be implemented as a reply to the read operation.

E. Minimum Message Words and Encryptions

For the read operation, the tag must send an encrypted message based on the public key, a⋅G, stored on the tag. This value is not by itself a secret, since it is used by the owner for many tags and we require that the security of one tag is not dependent on the security of others. Rather, a⋅G is the basis of a shared secret, specifically the first part of a Diffie-Hellman key exchange, i.e., ElGamal encryption. The tag can generate a nonce, b, to produce b⋅G, which it can send to the owner, establishing a secret, a⋅b⋅G, shared with the owner. Then the tag can send ID ⊕ a⋅b⋅G, where ⊕ is the XOR operation. This requires two encryption operations and two message words. There is nothing in this read operation protocol to prevent a fraudulent tag or reader from giving false identification to the owner. The goals are to provide identification of the product and to maintain privacy so that a fraudulent reader cannot identify the product through the RFID tag alone. Of course, the reader might already have identified the product by other means. So the ID must not be revealed to the reader by the read operation; nevertheless, the ID may not be secret. For the change-owner operation, the owner needs to send a message containing the new owner’s public key, a_new⋅G. This can be done with the standard elliptic curve digital signature algorithm (ECDSA) [16]. It requires large multiply operations, similar to RSA, and so is not economical in the RFID tag environment. The old owner needs to send proof that he knows his private key, a, which he can demonstrate by using the shared secret a⋅b⋅G from the previous read operation. Unfortunately, he cannot do this based on the simple read operation described above, since ID may already be known to the reader, who can easily recover a⋅b⋅G from ID ⊕ a⋅b⋅G. Alternatively, the read operation could be designed to produce the code words a⋅b⋅G and ID ⊕ b⋅G, so that the owner would compute a⁻¹⋅a⋅b⋅G = b⋅G to recover ID. Then the shared secret would have to be b⋅G, which is no help if the reader knows ID.
There is no simpler protocol than the Diffie-Hellman key exchange to get the ID to the owner, yet that provides only one secret, which is used up masking the ID. The solution is to use the secret from the asymmetric key cryptosystem as the key of a symmetric key cryptosystem which is used twice: to encrypt the ID and then to authenticate the owner for the change-owner operation. Thus at least 3 encryption operations are required. Unfortunately, a second cryptosystem would be an additional expense on the tag, so it is more economical to make the best of the asymmetric cryptosystem already on the tag. This system cannot generate a series of encrypted messages from one key, so three encryption operations are insufficient for the combination of read and change-owner operations. A minimum of four encryption operations is required. The change-owner message from the owner to the tag cannot be formed in a single-word message. The new owner’s public key, a_new⋅G, must be conveyed to the tag in some form along with a shared secret, s, to prove that it came from the owner. The message cannot be simply s ⊕ a_new⋅G, since a_new⋅G may be known to the reader, which could replace it with another owner’s public key. Therefore a_new⋅G must be encrypted into the message. The only way for this to be done in a way that allows it to be recovered is to use it as the generator, using a message of the form s⁻¹⋅(a_new⋅G), which the tag can decrypt: s⋅s⁻¹⋅a_new⋅G = a_new⋅G. However, the tag lacks the facilities to verify that a_new⋅G is an element of the group. A malicious reader might be able to send a degenerate codeword, causing the tag to set its owner’s public key to a cryptographically weak value. So it is impossible to send the change-owner message in a single word. At least two words are required.

V. DESCRIPTION OF A MINIMAL PROTOCOL

A. Operations

A protocol can be implemented to provide identification and privacy under these conditions which requires the minimum number of encryption operations (4), the minimum number of message words for reading (2), and the minimum number of message words for reading and changing owner (4). Initially, a tag contains the generator, G, its ID and the public key of its owner, a⋅G. In preparation for a read command, the tag generates a nonce, b, and performs three encryptions, b⋅G, b⋅(a⋅G), and (b⋅a⋅G)⋅G, and one “exclusive or” to form two message words, the nonced generator, b⋅G, and the encrypted ID, ID ⊕ (b⋅a⋅G)⋅G. Upon receiving a read command from the reader, the tag transmits these two words. When the owner receives them, he uses his private key, a, and performs two encryptions, a⋅(b⋅G) and (a⋅b⋅G)⋅G, and one “exclusive or” to recover the tag ID. We assume the tag ID contains sufficient redundancy to validate the ID. The change-owner operation is a continuation of the read operation. The owner who wishes to change the ownership of the tag to a new owner with public key, a_new⋅G, performs one “exclusive or” and one encryption to form the signature word (a_new⋅G ⊕ a⋅b⋅G)⋅a⋅G. The owner sends the new owner’s public key, a_new⋅G, and the signature word.
When the tag receives these words, it attempts to validate the signature by performing the “exclusive or” operation on the a_new⋅G it just received and the b⋅a⋅G secret it retained from the read operation, to get a_new⋅G ⊕ b⋅a⋅G. Then this is encrypted with the owner’s public key, a⋅G, stored in the tag. If the result matches the received signature word, the tag’s owner’s public key is updated to be the public key of the new owner, a_new⋅G. Together with the three encryptions performed for the read operation, this requires a total of four encryption operations for read and change-owner. A tag can verify a change-owner operation by answering another read operation, in which the ID could be read only by the new owner.

B. Tag Memory Requirements

The tag would require four word registers to implement this protocol. Other registers are needed within the cryptographic processor. An additional register, presumably of one-time programmable memory, would hold the ID. The generator, G, is hard-wired into the cryptographic processor. Of the four registers needed to implement the protocol, one holds the tag’s owner’s public key and so must be of non-volatile memory. Two registers are used as scratch registers that hold the two message words as they are constructed during the read operation and verified during the change-owner operation. We allow the shared secret, a⋅b⋅G, to be overwritten during the verification. The fourth register must be maintained between the read and change-owner operations.

C. Benefits of the Protocol

The authority to read a tag remains with the owner in order to minimize tag cost and prevent tags from compromising the owner’s privacy. The proposed system prevents many security problems including targeting, tracking, spoofing and replay attacks. An owner could verify a tag to another party in any particular instance without compromising the tag’s identity in general. The protocol does not depend on a central database, affording true privacy to the owner without destroying tags.

D. Defenses Against Various Attacks

The tag ID cannot be decrypted from the read operation message words, b⋅G and ID ⊕ (b⋅a⋅G)⋅G, without the owner’s private key, a, the tag’s private key, b, or the shared secret, a⋅b⋅G. Since an intruder cannot obtain these without the cooperation of the tag or owner, the ID is secure. Even if b is compromised, this is only a nonce, a session key, and is no help in decrypting another tag. Targeting and tracking of the tag are prevented because the tag ID is secure and because the message words from the tag change with each session. The tag must not be spoofed by a malicious reader into believing incorrectly that the tag is authorized by the owner to change the tag’s owner’s public key. This would occur if the change-owner operation message words, the new owner’s public key, a_new⋅G, and the signature, (a_new⋅G ⊕ a⋅b⋅G)⋅a⋅G, had a false value for the new public key, Y, with false signature, (Y ⊕ a⋅b⋅G)⋅a⋅G. But this can only be constructed if a⋅b⋅G is known, which requires knowledge of a, b, or a⋅b⋅G and therefore the cooperation of tag or owner.
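The read and change-owner operations of Section V.A, together with the session-key and off-curve checks discussed in this section, as an added worked example (example code written for this page, not the authors' design or any tag vendor's code). Every "encryption" is one elliptic-curve scalar multiplication, as in the paper's x⋅Y notation. Two assumptions are the example's own: secp256k1 stands in for the ~131-bit curve a tag would carry, and where the paper multiplies by a point, e.g. (b⋅a⋅G)⋅G, the point is packed into a message word (x||y) and the word is reduced mod the group order to obtain the next multiplier. The `Tag`, `Owner` and `run_demo` names are hypothetical.

```python
"""Added worked example of the paper's read / change-owner protocol over secp256k1.
Not the authors' code.  Each "encryption" is one scalar multiplication, as in the paper's
x*Y notation; packing a point into a word and reducing it mod N is an assumption here."""
import secrets

P = 2**256 - 2**32 - 977                                            # field prime, y^2 = x^3 + 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of G
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None                                                          # point at infinity

def on_curve(pt):
    return pt is not INF and (pt[1] ** 2 - pt[0] ** 3 - 7) % P == 0

def ec_add(p1, p2):
    if p1 is INF: return p2
    if p2 is INF: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                                  # Q + (-Q)
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P                  # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add k*pt: the one primitive the tag's crypto processor provides."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def word(pt):       # one message word = packed point x||y (512 bits); assumption
    return 0 if pt is INF else (pt[0] << 256) | pt[1]
def unword(w):
    return INF if w == 0 else (w >> 256, w & (2**256 - 1))
def scalar(w):      # a word used as the multiplier of the next encryption
    return w % N

class Tag:
    def __init__(self, tag_id, owner_pub):
        self.tag_id = tag_id            # one-time programmable ID register
        self.owner_pub = owner_pub      # non-volatile register: a*G
        self.secret = INF               # b*a*G, kept between read and change-owner

    def read(self):
        """Three encryptions + one XOR -> two words: b*G and ID xor (b*a*G)*G."""
        b = secrets.randbelow(N - 1) + 1                           # session nonce
        self.secret = ec_mul(b, self.owner_pub)                    # b*(a*G)
        mask = ec_mul(scalar(word(self.secret)), G)                # (b*a*G)*G
        return word(ec_mul(b, G)), self.tag_id ^ word(mask)

    def change_owner(self, new_pub_word, sig_word):
        """Fourth encryption: recompute (a_new*G xor b*a*G)*(a*G) and compare."""
        if self.secret is INF:
            return False                                           # no open read session
        expect = ec_mul(scalar(new_pub_word ^ word(self.secret)), self.owner_pub)
        if word(expect) != sig_word:
            return False
        self.owner_pub, self.secret = unword(new_pub_word), INF    # session consumed
        return True

class Owner:
    def __init__(self):
        self.priv = secrets.randbelow(N - 1) + 1
        self.pub = ec_mul(self.priv, G)
        self.secret = INF                                          # a*b*G of the last read

    def recover_id(self, bG_word, enc_id):
        """Two encryptions + one XOR: a*(b*G), then (a*b*G)*G, then unmask the ID."""
        bG = unword(bG_word)
        if not on_curve(bG):                   # defense: reject off-curve / degenerate input
            raise ValueError("b*G is not a point on the curve")
        self.secret = ec_mul(self.priv, bG)
        return enc_id ^ word(ec_mul(scalar(word(self.secret)), G))

    def sign_change_owner(self, new_pub):
        """One XOR + one encryption: signature word (a_new*G xor a*b*G)*(a*G)."""
        sig = ec_mul(scalar(word(new_pub) ^ word(self.secret)), self.pub)
        return word(new_pub), word(sig)

def run_demo(tag_id=0x0123456789ABCDEF0123456789ABCDEF):   # constructed 128-bit tag ID
    old, new = Owner(), Owner()
    tag = Tag(tag_id, old.pub)
    out = {}
    bG, enc = tag.read()
    out["owner_reads_id"] = old.recover_id(bG, enc) == tag_id
    out["stranger_cannot_read"] = new.recover_id(bG, enc) != tag_id   # wrong private key
    stale = old.sign_change_owner(new.pub)              # signed for this session's b
    tag.read()                                          # a new read picks a new b ...
    out["stale_signature_rejected"] = not tag.change_owner(*stale)  # ... so replay fails
    bG, enc = tag.read()
    old.recover_id(bG, enc)
    out["transfer_accepted"] = tag.change_owner(*old.sign_change_owner(new.pub))
    bG, enc = tag.read()
    out["new_owner_reads_id"] = new.recover_id(bG, enc) == tag_id
    out["old_owner_locked_out"] = old.recover_id(bG, enc) != tag_id
    return out
```

`run_demo()` walks one tag through the full life cycle and returns a dictionary of checks, all of which should be true: only the holder of a recovers the ID, a change-owner signature computed for an earlier session is rejected once a fresh read has replaced b, the transfer succeeds within a live session, and afterwards only the new owner can read the tag. The owner-side `on_curve` test is the example's rendering of the paper's advice to test whether a received b⋅G lies in a degenerate group before applying the private key to it.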
A malicious reader cannot simply perform a replay attack on the tag by replaying a change-owner message to a tag, since it is protected by the changing session key, b. Finally, an owner must not be spoofed into revealing information about his private key, a. A read operation cannot by itself reveal this, since it requires no information from the owner. A reader should send to the owner the read operation message words b⋅G and ID ⊕ (b⋅a⋅G)⋅G. Instead, a malicious reader could send an element of a degenerate group, Z, and ID ⊕ (c⋅Z)⋅G, where c is small, hoping that c⋅Z ≡ a⋅Z in the degenerate group. To prevent this, the owner should either:
1) authenticate the reader and tag by other means, or,
2) test if Z is an element of a very small group, or,
3) investigate repeatedly failed read operations, or,
4) change the private key, a, periodically.

E. Drawbacks of the Protocol

The tags themselves are not authenticated, so a reader can fool an owner about the existence of a tag or a fake tag can fool a reader and owner. The cure for this would be a secret on every tag, but this would require extra information on the tag and in the product database. Nevertheless, proving a tag does not prove the product is intact or even present. So our goal is to efficiently identify the attached product, but leave to other means determining the condition of the product. Infrastructure for tag keys is required for all tag owners. For large retailers this is an incremental change, which will occur as RFID performance exceeds its cost. For small retailers and consumers, the infrastructure may not be worth the effort, but credit card companies can act as surrogates, according to the wishes of the legal owners. With the proposed protocol, all stakeholders can exercise their ownership rights as they see fit.

VI. CONCLUSION

Given tags with public key cryptography capabilities, the proposed protocol can be used to solve the privacy problem with low-cost RFID systems. A tag reveals its identity only to its owner, while tag ownership can be transferred securely. Owners need not share secrets nor depend on large databases. With this protocol, privacy in low-cost RFID systems will improve as semiconductor fabrication technology improves.

REFERENCES
[1] S. Garfinkel and B. Rosenberg, Editors, RFID: Applications, Security and Privacy, Addison-Wesley, 2005.
[2] G. Avoine and P. Oechslin, “A Scalable and Provably Secure Hash-Based RFID Protocol,” Pervasive Computing and Communications Workshops, 2005.
[3] K. Finkenzeller, RFID Handbook: Fundamentals and Applications in Contactless Smart Cards and Identification, 2nd Edition. Munich: John Wiley & Sons Ltd., 2003.
[4] T. Karygiannis, B. Eydt, G. Barber, L. Bunn, and T. Phillips, “Guidelines for Securing Radio Frequency Identification (RFID) Systems,” NIST Special Publication 800-98, 2007.
[5] A. Juels, R.L. Rivest, and M. Szydlo, “The Blocker Tag: Selective Blocking of RFID Tags for Consumer Products,” Eighth ACM Conference on Computer and Communications Security, 2003.
[6] EPCglobal, “EPC Radio-Frequency Identity Protocols Class-1 Generation-2 UHF RFID Protocol for Communications at 860 MHz - 960 MHz Version 1.0.9,” January 2005.
[7] A. Juels, “Minimalist Cryptography for Low-Cost RFID Tags,” Fourth Conference on Security in Communication Networks, 2004.
[8] S. Weis, S. Sarma, R. Rivest, and D.W. Engels, “Security and Privacy Aspects of Low-Cost Radio Frequency Identification Systems,” Security in Pervasive Computing, LNCS, Vol. 2802, 2004.
[9] S. Fouladgar and H. Afifi, “A Simple Delegation Scheme for RFID Systems (SiDeS),” IEEE International Conference on RFID, 2007.
[10] T.H. Cormen, C.E. Leiserson, R.L. Rivest, and C. Stein, “The RSA Public-Key Cryptosystem,” in Introduction to Algorithms, 2nd Edition, 2001.
[11] U.S. National Security Agency, “The Case for Elliptic Curve Cryptography,” http://www.nsa.gov/ia/industry/crypto_elliptic_curve.cfm
[12] S.E. Sarma, S.A. Weis, and D.W. Engels, “RFID Systems and Security and Privacy Implications,” CHES 2002, LNCS, Vol. 2523, 2003.
[13] L. Batina, J. Guajardo, T. Kerins, N. Mentens, P. Tuyls, and I. Verbauwhede, “An Elliptic Curve Processor Suitable for RFID-Tags,” International Association for Cryptologic Research ePrint Archive, 2006.
[14] Press Release, Certicom Corp., 2002.
[15] J. Saito, K. Imamoto, and K. Sakurai, “Reassignment Scheme of an RFID Tag’s Key for Owner Transfer,” EUC Workshops, LNCS, Vol. 3823, 2005.
[16] I. Blake, G. Seroussi, and N. Smart, Elliptic Curves in Cryptography, Cambridge University Press, 1999.