Presentation Transcript

  • RFID Systems and Security and Privacy Implications. Sanjay E. Sarma, Stephen A. Weis, Daniel W. Engels. Auto-ID Center, Massachusetts Institute of Technology
  • Auto-ID Center
    • International industry-sponsored research center
    • MIT, Cambridge University, and University of Adelaide
    • Design, develop, and deploy large-scale field trials including RFID projects
  • Overview
    • Radio Frequency Identification (RFID)
    • EPC System
    • Security Benefits and Threats
    • Future
  • Uses of Automatic-ID Systems
    • Access control and security
    • Tracking of products in Supply Chain
    • Identification of products at Point of Sale
    • Most widely used is the Bar Code System
  • Potential Application of RFID
    • Consider supply chain and EAN-UCC bar codes
    • 5 billion bar codes scanned daily
    • Each scanned once only at checkout
    • Use RFID to combine supply chain management applications
  • Benefits of Supply Chain Management
    • Automated real-time inventory monitoring
    • Automated Quality Control
    • Automated Check-out
    • Picture your refrigerator telling you that you’re out of milk! 
  • Why not yet implemented
    • Cost too high. Needs to be <$0.10
    • Lack of standards and protocols
    • Security concerns – similar to those in smart cards and wireless systems
    • Privacy issues – Big Brother
  • RFID System Components
    • RFID Tag
      • Transponder
      • Located on the object
    • RFID Reader
      • Transceiver
      • Can read and write data to Tag
    • Data Processing Subsystem
  • Transponder
    • Consists of a microchip that stores data and an antenna
    • Active transponders have an on-tag battery
    • Passive transponders obtain all power from the interrogation signal of the reader
    • Both active and passive transponders communicate only when interrogated by a transceiver
  • Transceiver
    • Consists of an RF module, a control unit, and a coupling element to interrogate tags via RF communication
    • Also has a secondary interface to communicate with backend systems
    • Reads tags that are located in hostile environments and are obscured from view
  • Data Processing Subsystem
    • Backend System
    • Connected via high-speed network
    • Computers for business logic
    • Database storage
    • Can also be as simple as a reader attached to a cash register
  • RFID
    • Basic components of RFID system combine in the same manner
    • All objects are physically tagged with transponders
    • Type of tag used varies from application to application
    • Passive tags are most promising
  • RFID
    • Transceivers are strategically placed for given application
    • Access Control has readers near entrance
    • Sporting events have readers at the start and finish lines
  • Transceiver-Transponder Coupling and Communication
    • Passive tags obtain power from the energy in the EM field generated by the reader
    • Limited resources require the tag to both obtain energy and communicate within a narrow frequency band (regulatory agencies)
  • Inductive Coupling
    • Uses magnetic field to induce current in coupling element
    • Current charges the on-tag capacitor that provides operating voltage
    • This works only in the near field of the signal – up to c/(2πf) meters
  • Inductive Coupling
    • Operating voltage at distance d is proportional to flux density at d
    • Magnetic field decreases in power proportional to 1/d³ in the near field
    • Flux density is max when R ≈ d√2, where R is the radius of the reader’s antenna coil
  • Far Field energy harvesting
    • Uses reader’s far field signal to power tag
    • Far field begins where near field ends
    • Signal incident upon the tag induces voltage at input terminals of the tag, which is detected by RF front-end circuitry and is used to charge capacitor
  • Passive tag power
    • Reader uses same signal to communicate with and power tag
    • Any modulation of signal causes power reduction
    • Modulating information spreads the signal – referred to as “side band.”
    • Side band and max power is regulated
  • Transponder Communication
    • RFID systems generally use the Industrial-Scientific-Medical bands
    • In near field, communication is achieved via load modulation
    • In far field, backscatter is used. Backscatter is achieved by modulating the radar-cross section of tag antenna
  • Limitations of Passive Tag communication
    • Very little power available to digital portion of the IC, limited functionality
    • Length of transactions is limited
      • Length of power on
      • Duration within communication range
    • US regulations for 915 MHz limit transaction time to 400 ms
    • Limit of state information
  • Data Coding and Modulation
    • Determines bandwidth, integrity, and tag power consumption
    • Limited by the power modulation / demodulation capabilities of the tag
    • Readers are generally low bandwidth, due to government regulations
    • Passive tags can use high bandwidth
  • Coding
    • Level Codes
      • Non-Return-to-Zero
      • Return-to-Zero
    • Transition Codes
      • Manchester
      • Miller
  • Coding Considerations
    • Code must maintain power to tag as much as possible
    • Code must not consume too much bandwidth
    • Code must permit the detection of collisions
  • Coding for Readers and Tags
    • Reader to Tag uses PPM or PWM (lower bandwidth)
    • Tag to Reader uses Manchester or NRZ (higher bandwidth)
  • Modulation
    • RF communications typically modulate high frequency carrier signal to transmit baseband code
    • Three classes of digital modulation are ASK, FSK, and PSK.
    • ASK most common in 13.56 MHz load modulation
    • PSK most common in 915 MHz backscatter modulation
  • Tag Anti-Collision
    • Limited power consumption
    • State information may be unreliable
    • Collisions may be difficult to detect due to varying signal strengths
    • Cannot be assumed to hear one another
  • Algorithm Classification
    • Probabilistic
      • Tags respond at randomly generated times
      • Slotted Aloha scheme
    • Deterministic
      • Reader sorts through tags based on tag-ID
      • Binary tree-walking scheme
  • Algorithm Performance Trade-offs
    • Speed at which tags can be read
    • Outgoing bandwidth of reader signal
    • Bandwidth of return signal
    • Amount of state that can be reliably stored on tag
    • Tolerance of the algorithm to noise
  • Algorithm Performance Trade-offs
    • Cost of tag
    • Cost of reader
    • Ability to tolerate tags that enter and leave during the interrogation period
    • Desire to count tags exactly as opposed to sampling
    • Range at which tags can be read
  • Regulations Effect
    • US regulations on the 13.56 MHz band offer significantly less bandwidth, so Aloha is more common
    • The 915 MHz band allows higher bandwidth, so deterministic algorithms are generally used
  • 13.56 MHz Advantages
    • Frequency band available worldwide as an ISM frequency
    • Up to 1 meter reading distance in proximity / vicinity read
    • Robust reader-to-tag communication
    • Excellent immunity to environmental noise and electrical interference
  • 13.56 MHz Benefits
    • Well-defined transponder interrogation zones
    • Minimal shielding effects from adjacent objects and the human body
    • Damping effects of water relatively small, field penetrates dense materials
  • 915 MHz Benefits
    • Long range (from a few to several meters, depending on regulatory jurisdiction)
    • High data rates
    • Fast anti-collision and tags per second read rate capabilities
  • The EPC System
    • System that enables all objects to be connected to the Internet by adding an RFID tag to the object
    • EPC
    • ONS
    • SAVANT
    • Transponders
  • The EPC
    • Electronic Product Code
    • ID scheme designed to enable unique identification of all physical objects
    • The EPC is the only data stored on the tag, since information about the object is stored on the network
    • EPC acts like a pointer
  • The ONS
    • Object Name Service
    • Directory service that maps EPC to IP
    • Based entirely on DNS
    • At the IP address, data is stored in XML and can be accessed via HTTP and SOAP
  • The ONS
    • Reduces power and memory requirements on tag
    • Transfer data communication to backend network, saving wireless bandwidth
    • Makes system more robust
    • Reduces size of microchip on tag
  • Savant
    • System based on hierarchical control and data management
    • Provides automated control functionality
    • Manages large volumes of data
    • Acts as a gateway for the reader network to the next higher level
  • Savant
    • Transfers computationally intensive functionality from tag to powered system
    • Any single point of failure has only local effect
    • Enables entire system to be scalable since reader sub-systems are added seamlessly
  • RFID Transponder
    • Most numerous part of the system
    • Most cost-sensitive part
    • Protocols designed for 13.56 MHz and 915 MHz frequencies
    • Implement a password-protected Self Destruct command
  • RFID Security Benefits and Threats
    • Airline passenger and baggage tracking made practical and less intrusive
    • Authentication systems already in use (key-less car entry)
    • Non-contact and non-line-of-sight
    • Promiscuity of tags
  • Previous Work
    • Contactless operation and constrained computational resources are similar to smart cards
    • Analysis of smart card security concerns is similar to RFID
    • RFID especially susceptible to fault induction and power analysis attacks
  • Security Goals
    • Tags cannot compromise privacy of holders
    • Information should not be leaked to unauthorized readers
    • Should not be possible to build long-term tracking associations
    • Holders should be able to detect and disable tags they carry
  • Security Goals
    • Publicly available tag output should be randomized
    • Private tag contents should be protected by access control and encryption
    • Spoofing tags or readers should be difficult
  • Low-cost RFID Issues
    • Inexpensive read-only tags are promiscuous and allow automated monitoring – privacy concern
    • Neither tags nor readers are authenticated – security concern
    • Full implementation of privacy and security is costly – cost concern
  • Possible solutions
    • Erase unique serial numbers at point of sale – tracking still possible by associating “constellations” of tags
    • Public key cryptography – too expensive
    • Shared key – if one tag is compromised, the entire batch is affected
  • Approach to RFID Protection
    • Use one-way hash function on tag – “meta-ID”
    • When reader knows meta-ID, tag is ‘unlocked’ and readable
    • After reader is finished, tag is locked
    • Tag has self-destruct mechanism to use if under attack
  • Future Research
    • Development of low cost crypto primitives – hash functions, random number generators, etc.
    • Low cost hardware implementation without computational loss
    • Adaptation of symmetric encryption and public key algorithms from active tags into passive tags
  • Future Research
    • Developing protocols that make tags resilient to power interruption and fault induction.
    • Graceful recovery of tags after power loss
    • Research on smart cards and other embedded systems
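The two anti-collision classes named on the "Algorithm Classification" slide, simulated side by side as an added example (not code from the presentation). The 4-bit tag IDs, the frame size and the rule that a tag stays silent once read are assumptions made for the illustration.

```python
import random
from typing import List, Tuple

def tree_walk(tag_ids: List[str], id_bits: int) -> Tuple[List[str], int]:
    """Deterministic: walk the binary tree of ID prefixes. Returns (IDs, queries)."""
    found: List[str] = []
    queries = 0
    stack = [""] if tag_ids else []        # prefixes known to match >= 1 tag
    while stack:
        prefix = stack.pop()
        if len(prefix) == id_bits:         # full ID resolved: tag singulated
            found.append(prefix)
            continue
        queries += 1                       # reader broadcasts the prefix
        # Matching tags answer with their next bit; hearing both values
        # at once is the collision that makes the reader branch.
        next_bits = {t[len(prefix)] for t in tag_ids if t.startswith(prefix)}
        for bit in sorted(next_bits, reverse=True):
            stack.append(prefix + bit)     # "0" branch is explored first
    return found, queries

def slotted_aloha(tag_ids: List[str], frame_size: int, seed: int = 0) -> Tuple[List[str], int]:
    """Probabilistic: framed slotted Aloha. Returns (IDs, slots used)."""
    if frame_size < 2:
        raise ValueError("frame_size must be at least 2 to resolve collisions")
    rng = random.Random(seed)              # seeded so the run is repeatable
    pending, found, slots_used = set(tag_ids), [], 0
    while pending:
        frame = {}
        for tag in sorted(pending):        # each unread tag picks a random slot
            frame.setdefault(rng.randrange(frame_size), []).append(tag)
        slots_used += frame_size
        for slot in sorted(frame):
            if len(frame[slot]) == 1:      # exactly one reply: readable
                found.append(frame[slot][0])
                pending.discard(frame[slot][0])
    return found, slots_used

# Constructed 4-bit tag IDs (real EPCs are far longer).
TAGS = ["0010", "0111", "1100", "1101"]

if __name__ == "__main__":
    print("tree walk:", tree_walk(TAGS, 4))
    print("slotted Aloha:", slotted_aloha(TAGS, 8))
```

The tree walk needs no random numbers on the tag and reads every tag exactly once, while slotted Aloha reads them in an order and slot count that depend on the random draws.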
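The lock and unlock cycle from the "Approach to RFID Protection" slide, as an added example rather than code from the presentation. It assumes the tag stores meta-ID = SHA-256(key) and unlocks when shown a key that hashes to it; the class names, key length and re-locking with a fresh key are also assumptions, since the slide gives none of these details.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

def h(data: bytes) -> bytes:
    """One-way hash. SHA-256 is an assumption; the slide names no function."""
    return hashlib.sha256(data).digest()

class Tag:
    def __init__(self, item_id: str):
        self.item_id = item_id
        self.meta_id: Optional[bytes] = None      # None means unlocked

    def lock(self, meta_id: bytes) -> None:
        if self.meta_id is None:                  # a locked tag ignores lock requests
            self.meta_id = meta_id

    def query(self) -> Tuple[str, object]:
        # A locked tag answers every reader with its meta-ID and nothing else.
        if self.meta_id is not None:
            return "locked", self.meta_id
        return "unlocked", self.item_id

    def unlock(self, key: bytes) -> bool:
        # The only work done on the tag: one hash and one comparison.
        if self.meta_id is not None and hmac.compare_digest(h(key), self.meta_id):
            self.meta_id = None
            return True
        return False

class Reader:
    def __init__(self) -> None:
        self.keys: Dict[bytes, bytes] = {}        # backend table: meta-ID -> key

    def lock_tag(self, tag: Tag) -> None:
        key = secrets.token_bytes(16)             # fresh random key per lock
        self.keys[h(key)] = key
        tag.lock(h(key))

    def read(self, tag: Tag) -> Optional[str]:
        state, value = tag.query()
        if state == "locked":
            key = self.keys.pop(value, None)      # unknown meta-ID: not our tag
            if key is None or not tag.unlock(key):
                return None
            state, value = tag.query()
        self.lock_tag(tag)                        # lock again once finished
        return value
```

In this model the meta-ID stays constant while the tag is locked and the key crosses the air interface in the clear during unlock. The fresh key on every re-lock changes the meta-ID only after an authorised read.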