Published in: Business, Technology

  1. RFID Systems and Security and Privacy Implications
     Sanjay E. Sarma, Stephen A. Weis, Daniel W. Engels
     Auto-ID Center, Massachusetts Institute of Technology
  2. Auto-ID Center
     • International industry-sponsored research center
     • MIT, Cambridge University, and University of Adelaide
     • Design, develop, and deploy large-scale field trials including RFID projects
  3. Overview
     • Radio Frequency Identification (RFID)
     • EPC System
     • Security Benefits and Threats
     • Future
  4. Uses of Automatic-ID Systems
     • Access control and security
     • Tracking of products in Supply Chain
     • ID of products at Point of Sale
     • Most widely used is the Bar Code System
  5. Potential Application of RFID
     • Consider supply chain and EAN-UCC bar codes
     • 5 billion bar codes scanned daily
     • Each scanned once only at checkout
     • Use RFID to combine supply chain management applications
  6. Benefits of Supply Chain Management
     • Automated real-time inventory monitoring
     • Automated Quality Control
     • Automated Check-out
     • Picture your refrigerator telling you that you’re out of milk!
  7. Why not yet implemented
     • Cost too high. Needs to be <$0.10
     • Lack of standards and protocols
     • Security concerns – similar in smart cards and wireless
     • Privacy issues – Big Brother
  8. RFID System Components
     • RFID Tag
         • Transponder
         • Located on the object
     • RFID Reader
         • Transceiver
         • Can read and write data to Tag
     • Data Processing Subsystem
  9. Transponder
     • Consists of a microchip that stores data and an antenna
     • Active transponders have on-tag battery
     • Passive transponders obtain all power from the interrogation signal of reader
     • Active and passive only communicate when interrogated by transceiver
  10. Transceiver
     • Consists of an RF module, a control unit, and a coupling element to interrogate tags via RF communication
     • Also has a secondary interface to communicate with backend systems
     • Reads tags located in hostile environments and obscured from view
  11. Data Processing Subsystem
     • Backend System
     • Connected via high-speed network
     • Computers for business logic
     • Database storage
     • Also as simple as a reader attached to a cash register
  12. RFID
     • Basic components of RFID system combine in the same manner
     • All objects are physically tagged with transponders
     • Type of tag used varies from application to application
     • Passive tags are most promising
  13. RFID
     • Transceivers are strategically placed for given application
     • Access Control has readers near entrance
     • Sporting events have readers at the start and finish lines
  14. Transceiver-Transponder Coupling and Communication
     • Passive tags obtain power from energy in EM field generated by reader
     • Limited resources require it to both get energy and communicate within a narrow frequency band – regulatory agencies
  15. Inductive Coupling
     • Uses magnetic field to induce current in coupling element
     • Current charges the on-tag capacitor that provides operating voltage
     • This works only in the near-field of signal – up to c/(2πf) meters
  16. Inductive Coupling
     • Operating voltage at distance d is proportional to flux density at d
     • Magnetic field decreases in power proportional to 1/d³ in near field
     • Flux density is max when R ≈ d√2, where R is radius of reader’s antenna coil
  17. Far Field energy harvesting
     • Uses reader’s far field signal to power tag
     • Far field begins where near field ends
     • Signal incident upon the tag induces voltage at input terminals of the tag, which is detected by RF front-end circuitry and is used to charge capacitor
  18. Passive tag power
     • Reader uses same signal to communicate with and power tag
     • Any modulation of signal causes power reduction
     • Modulating information spreads the signal – referred to as “side band.”
     • Side band and max power is regulated
  19. Transponder Communication
     • RFID systems generally use the Industrial-Scientific-Medical bands
     • In near field, communication is achieved via load modulation
     • In far field, backscatter is used. Backscatter is achieved by modulating the radar cross-section of tag antenna
  20. Limitations of Passive Tag communication
     • Very little power available to digital portion of the IC, limited functionality
     • Length of transactions is limited
         • Length of power on
         • Duration within communication range
     • US regulations for 915 MHz limit transaction time to 400 ms
     • Limit of state information
  21. Data Coding and Modulation
     • Determines bandwidth, integrity, and tag power consumption
     • Limited by the power modulation / demodulation capabilities of the tag
     • Readers are generally low bandwidth, due to government regulations
     • Passive tags can use high bandwidth
  22. Coding
     • Level Codes
         • Non-Return-to-Zero
         • Return-to-Zero
     • Transition Codes
         • Manchester
         • Miller
  23. Coding Considerations
     • Code must maintain power to tag as much as possible
     • Code must not consume too much bandwidth
     • Code must permit the detection of collisions
  24. Coding for Readers and Tags
     • Reader to Tag uses PPM or PWM (lower bandwidth)
     • Tag to Reader uses Manchester or NRZ (higher bandwidth)
  25. Modulation
     • RF communications typically modulate high frequency carrier signal to transmit baseband code
     • Three classes of digital modulation are ASK, FSK, and PSK.
     • ASK most common in 13.56 MHz load modulation
     • PSK most common in 915 MHz backscatter modulation
  26. Tag Anti-Collision
     • Limited power consumption
     • State information may be unreliable
     • Collisions may be difficult to detect due to varying signal strengths
     • Cannot be assumed to hear one another
  27. Algorithm Classification
     • Probabilistic
         • Tags respond at randomly generated times
         • Slotted Aloha scheme
     • Deterministic
         • Reader sorts through tags based on tag-ID
         • Binary tree-walking scheme
  28. Algorithm Performance Trade-offs
     • Speed at which tags can be read
     • Outgoing bandwidth of reader signal
     • Bandwidth of return signal
     • Amount of state that can be reliably stored on tag
     • Tolerance of the algorithm to noise
  29. Algorithm Performance Trade-offs
     • Cost of tag
     • Cost of reader
     • Ability to tolerate tags which enter and leave during interrogation period
     • Desire to count tags exactly as opposed to sampling
     • Range at which tags can be read
  30. Regulations Effect
     • US regulations on 13.56 MHz bandwidth offer significantly less bandwidth, so Aloha is more common
     • 915 MHz bandwidth allows higher bandwidth, so deterministic algorithms are generally used
  31. 13.56 MHz Advantages
     • Frequency band available worldwide as an ISM frequency
     • Up to 1 meter reading distance in proximity / vicinity read
     • Robust reader-to-tag communication
     • Excellent immunity to environmental noise and electrical interference
  32. 13.56 MHz Benefits
     • Well-defined transponder interrogation zones
     • Minimal shielding effects from adjacent objects and the human body
     • Damping effects of water relatively small, field penetrates dense materials
  33. 915 MHz Benefits
     • Long range (from a few to several meters, depending on regulatory jurisdiction)
     • High data rates
     • Fast anti-collision and tags per second read rate capabilities
  34. The EPC System
     • System that enables all objects to be connected to the Internet by adding an RFID tag to the object
     • EPC
     • ONS
     • SAVANT
     • Transponders
  35. The EPC
     • Electronic Product Code
     • ID scheme designed to enable unique ID of all physical objects
     • Only data stored on tag, since information about object is stored on network
     • EPC acts like a pointer
  36. The ONS
     • Object Name Service
     • Directory service that maps EPC to IP
     • Based entirely on DNS
     • At the IP address, data is stored in XML and can be accessed via HTTP and SOAP
  37. The ONS
     • Reduces power and memory requirements on tag
     • Transfers data communication to backend network, saving wireless bandwidth
     • Makes system more robust
     • Reduces size of microchip on tag
  38. Savant
     • System based on hierarchical control and data management
     • Provides automated control functionality
     • Manages large volumes of data
     • Acts as a gateway for the reader network to the next higher level
  39. Savant
     • Transfers computationally intensive functionality from tag to powered system
     • Any single point of failure has only local effect
     • Enables entire system to be scalable since reader sub-systems are added seamlessly
  40. RFID Transponder
     • Most numerous parts of system
     • Most cost-sensitive part
     • Protocols designed for 13.56 MHz and 915 MHz frequencies
     • Implement a password-protected Self Destruct command
  41. RFID Security Benefits and Threats
     • Airline passenger and baggage tracking made practical and less intrusive
     • Authentication systems already in use (key-less car entry)
     • Non-contact and non-line-of-sight
     • Promiscuity of tags
  42. Previous Work
     • Contact-less and constrained computational resource similar to smart cards
     • Analysis of smart card security concerns similar to RFID
     • RFID especially susceptible to fault induction and power analysis attacks
  43. Security Goals
     • Tags cannot compromise privacy of holders
     • Information should not be leaked to unauthorized readers
     • Should not be possible to build long-term tracking associations
     • Holders should be able to detect and disable tags they carry
  44. Security Goals
     • Publicly available tag output should be randomized
     • Private tag contents should be protected by access control and encryption
     • Spoofing tags or readers should be difficult
  45. Low-cost RFID Issues
     • Inexpensive read-only tags are promiscuous and allow automated monitoring – privacy concern
     • Neither tags nor readers are authenticated – security concern
     • Full implementation of privacy and security is costly – cost concern
  46. Possible solutions
     • Erase unique serial numbers at point of sale – tracking still possible by associating “constellations” of tags
     • Public key cryptography – too expensive
     • Shared key – if one tag is compromised, entire batch is affected
  47. Approach to RFID Protection
     • Use one-way hash function on tag – “meta-ID”
     • When reader knows meta-ID, tag is ‘unlocked’ and readable
     • After reader is finished, tag is locked
     • Tag has self-destruct mechanism to use if under attack
  48. Future Research
     • Development of low cost crypto primitives – hash functions, random number generators, etc.
     • Low cost hardware implementation w/o computational loss
     • Adaptation of symmetric encryption and public key algorithms from active tags into passive tags
  49. Future Research
     • Developing protocols that make tags resilient to power interruption and fault induction.
     • Power loss graceful recovery of tags
     • Research on smart cards and other embedded systems
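
The two anti-collision classes from slide 27, simulated side by side as an added example (not part of the original slides). The function names, the 4-bit tag IDs and the frame size are constructed for illustration, and the air interface is reduced to the set of bits the reader hears, with both symbols at once standing for a detected collision (the coding requirement on slide 23).

```python
import random

def tree_walk(tag_ids, id_bits):
    """Deterministic: the reader walks the ID tree one bit at a time.
    Returns (IDs in discovery order, reader queries, collisions seen)."""
    found, queries, collisions = [], 0, 0
    stack = [""]                              # ID prefixes still to explore
    while stack:
        prefix = stack.pop()
        if len(prefix) == id_bits:            # full ID resolved: tag singulated
            found.append(prefix)
            continue
        queries += 1
        # Every tag matching the prefix answers with its next bit at once.
        replies = {t[len(prefix)] for t in tag_ids if t.startswith(prefix)}
        if len(replies) == 2:                 # both symbols on air: collision
            collisions += 1
        for bit in ("1", "0"):                # push 1 first so 0 is walked first
            if bit in replies:
                stack.append(prefix + bit)
    return found, queries, collisions

def slotted_aloha(tag_ids, frame_size, rng):
    """Probabilistic: each unread tag answers in a random slot of each frame.
    Returns (IDs in discovery order, total slots spent)."""
    pending, found, slots = set(tag_ids), [], 0
    while pending:
        frame = {}
        for tag in sorted(pending):           # sorted for reproducible draws
            frame.setdefault(rng.randrange(frame_size), []).append(tag)
        slots += frame_size
        for slot in sorted(frame):
            if len(frame[slot]) == 1:         # exactly one reply: readable
                found.append(frame[slot][0])
                pending.discard(frame[slot][0])
    return found, slots

# Constructed 4-bit tag population (real EPCs are far longer).
TAGS = ["0010", "0111", "1100"]

if __name__ == "__main__":
    print(tree_walk(TAGS, 4))
    print(slotted_aloha(TAGS, 4, random.Random(1)))
```

The tree walk needs no state on the tag beyond its ID but costs one reader query per resolved bit, while Aloha's slot count depends on the random draws.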
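
The meta-ID locking approach from slide 47, as an added example (not code from the original slides or from the Auto-ID Center). The slide does not spell out the message flow, so this assumes the reader unlocks a tag by presenting a key whose hash equals the stored meta-ID; SHA-256 stands in for the low-cost hash, and the class names and EPC string are constructed.

```python
import hashlib, hmac, os

def h(data: bytes) -> bytes:
    # SHA-256 stands in for the low-cost one-way hash (assumption).
    return hashlib.sha256(data).digest()

class Tag:
    def __init__(self, epc: str):
        self.epc, self.meta_id = epc, None    # meta_id None means unlocked

    def lock(self, meta_id: bytes):
        self.meta_id = meta_id

    def query(self):
        """Locked tags reveal only the meta-ID; unlocked tags reveal the EPC."""
        return ("meta", self.meta_id) if self.meta_id else ("epc", self.epc)

    def unlock(self, key: bytes) -> bool:
        # Assumed flow: the tag hashes the offered key and compares.
        if self.meta_id and hmac.compare_digest(h(key), self.meta_id):
            self.meta_id = None
            return True
        return False

class Reader:
    def __init__(self):
        self.backend = {}                     # meta-ID -> key, kept off the tag

    def lock(self, tag: Tag):
        key = os.urandom(16)
        self.backend[h(key)] = key
        tag.lock(h(key))

    def read(self, tag: Tag):
        """Return the EPC if this reader is authorized, else None."""
        kind, value = tag.query()
        if kind == "meta":
            key = self.backend.get(value)
            if key is None or not tag.unlock(key):
                return None
            kind, value = tag.query()
            self.lock(tag)                    # relock when finished
        return value

def demo():
    tag, owner, stranger = Tag("epc:constructed-0001"), Reader(), Reader()
    owner.lock(tag)
    seen = [tag.query()[1] for _ in range(2)] # what any reader observes
    return owner.read(tag), stranger.read(tag), seen[0] == seen[1]
```

The meta-ID is identical on every query until the tag is relocked, so it still works as a tracking identifier between authorized reads, which is the gap the randomized-output goal on slide 44 addresses.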