This document proposes an algorithm to detect and discriminate tampered RFID data using steganography. The objectives are to develop an algorithm that requires fewer computations and memory overhead. The motivation is that RFID tags are vulnerable to physical tampering since they store sensitive data. The approach embeds a chaotic watermark across RFID tag memory partitions. When tampering occurs, the extracted watermark is compared to detect and identify the specific memory partition that was tampered. The algorithm is implemented on a low-cost hardware with an RFID reader, microcontroller and RFID tags.

1. Tamper Detection & Discrimination
in Passive RFID Systems using
Steganography
By,
Giridhar R
Mahadevan SM
Manishgant A P
Under the guidance
of
Dr.E.Janardhanan

2. Objective
• To develop an algorithm to detect and discriminate tampered RFID data.
• To scale the algorithm in such a way as to require fewer arithmetic
operations and memory overhead
• To implement the same on a low cost hardware interfaced to the RFID
reader.

3. Motivation
• Unlike other types of IT systems where the data is stored in a physically
secure location such as a data server in a server room, RFID systems store
some of its sensitive data on the RFID tag itself, which is in turn affixed to
physical objects that travel along the supply chain.
• This means that’s its relatively easy for potential attackers to gain physical
access to the RFID tags and mount an attack.
• As physical access to the tags grant direct access to the memory area of
the RFID tag, attackers who successfully gain physical access can then
alter data easily on the tag
• These attackers can also carry out those attacks a lot more easily as they
can easily circumvent any security measures put in place by security
protocols to protect against remote access attacks.

4. General Passive RFID Memory banks
• The Header, is fully used for identifying the EAN.UCC key and the
partitioning scheme
• The EPC Manager, is used to identify the manufacturer uniquely.
• The Object Class, is used to identify the product manufactured by the
manufacturer
• The Serial Number, which is the last partition, is used to uniquely identify
an item, which belongs to a particular Object Class

5. Literature Survey
Paper Title Content
Recovering and Restoring
Tampered RFID Data
using Steganographic
Principles
A theoretical approach to embed secret
pattern inside RFID Serial Number
Partition to recover tampered data in
Object Class.
A Watermarking Based
Tamper Detection Solution
for RFID Tags
Embedding a watermark in RFID to
detect tampering on any of the data
fields of the tag.
Tamper Discrimination in
RFID tags using Chaotic
Watermarking
Original Chaotic Watermarking is
applied to RFID tags. This provides for
Tamper detection as well as
discrimination.

6. Disadvantages of Existing Methods
METHOD DISADVANTAGE
Tamper Detection
in RFID Tags using Fragile
Watermarking
• Provides only for detection of
tamper overall and does not
specify where the tamper has
occurred.
A Watermarking Based
Tamper Detection Solution for
RFID Tags
• This method provides for
identifying the area of attack, but
does not delve upon recovery.
• Uses reserved Kill Bit field for
storage.
Tamper detection in
ubiquitous RFID Supply
Chains
• Only a Generic function
described to generate pattern.

7. Our Approach
• The “Object Class” (24 bits) is used to uniquely identify one
product. if product A (Orange) has cheaper transportation
cost compared to product
• B (Mango), the attacker might attempt to change OC of
product B, to gain an economic benefit.
• However if the attacker changes the serial number (SN),
which is used to identify one item of a specific product,
he/she cannot gain any economic benefit,

8. EPC C1G2 Data Structure
• Electronic Product Code (EPC) was first developed by Auto-ID
Center in MIT in 1999.
• This centre developed the initial RFID standard and later
transferred to EPCGlobal for commercialization in late 2003.
• Two data structures were designed by EPC,
– 64 bit EPC was designed primarily for testing and
– 96 bit EPC were designed for commercialization.

9. EPC C1G2 Data Structure

10. Principles of Chaotic Systems
• Chaotic theory has been established since 1970s from many different
research areas, such as physics, mathematics, biology and chemistry, etc.
• The most well-known characteristics of chaos are the so-called “butterfly-
effect” (the sensitivity to the initial condition), and the pseudo-
randomness generated by deterministic equations.
• A chaotic dynamical system is an unpredictable, deterministic and
uncorrelated system that exhibits noise-like behavior through its sensitive
dependence on its initial conditions which generates sequences similar to
PN sequence.
• The chaotic dynamics have been successfully employed to various
engineering applications such as automatic control, signals processing and
watermarking.

11. Principles of Chaotic Systems
• Chaotic systems can be applied to any of the number systems.
• Chaotic sequences can range from few bits to few thousand
bits, based on the equation and the number of iterations.
• This dynamic range of the sequences is beneficial in RFID
systems, where the memory on the tag is a huge constraint.
• Watermark generated using chaotic sequences can be used in
such cases.

12. Block Diagram
Generate Secret
Pattern
Embed pattern in
[SN] using Chaotic
watermarking
Also Chaotically
embed OC data
across several
tags.
Chaotically arrange
select bits in [SN]
in reserved
Tampering occurs
Extracted pattern
is compared at
receiver side for a
match
The variation in
watermark will
indicate the field of
attack

13. Basic approach
• The embedding algorithm begins by selecting a set of one way
functions F {f1, f2, f3}.
• Each one way function is applied to the values within the RFID
tags partition to generate a secret value as shown

14. Basic approach
• This secret value is then embedded at predefined location
within the Serial Number partition by appending it to the
original Serial Number Value (SNorg) to generate the
appended Serial Number (SNapp).

15. Generating the Watermark
• STEP 1 – Two different chaotic sequences (as given below)
are taken as the keys for encryption
𝑍 𝑛+1 = 𝜇𝑍 𝑛(1 − 𝑍 𝑛) - (1)
𝑆 𝑛 = 1 + 0.3 × 𝑆 𝑛−2 − 1.08 + 379𝑆 𝑛−1
2
+ 1001 × 𝑍 𝑛
2
𝑚𝑜𝑑 3 –
(2)
Where,
n = 1,2,3… map iteration index
𝜇= system parameter (3.57< 𝜇<4)
𝑍 𝑛 and 𝑆 𝑛 are chaotic sequences with initial values
(0 < 𝑍1< 1) and (-1.5< 𝑆0, 𝑆1 <1.5)

16. Generation(Contd..)
• STEP 2 – Map 8 bits of Header, anterior 14 bits of EM,
latter 14 bits of EM, anterior 12 bits of OC, latter
12 bits of OC as decimal fractions, d1,d2,d3,d4,
d5 respectively. If b7b6b5b4b3b2b1b0 is the header
𝑑1 = 𝑏7 × 2−1
+ 𝑏6 × 2−2
+ ⋯ + 𝑏0 × 2−8
• STEP 3 – For the length of Header is 8 bits, when Header is
tampered, d1 is variational.

17. Generation (Contd..)
STEP 4 - Use d1 as the initial value of (1) will generate various chaotic
sequences.
STEP 5 - The sequence is converted to binary and any 2 bits from it is
designated as W1
STEP 6 - The EM is divided into two parts and each part is mapped into
two decimal fractions d2 and d3.
STEP 7 - Since the length of each part is 14 bits, when each part is
tampered, d2 and d3 will be variational.

18. Generation (Contd…)
STEP 8 – d2 and d3 are used as initial condition for (1) and (2)
respectively and any 5 bits from the obtained binary
sequence is taken as W2
STEP 9 – Similar method described above is used to generate
watermark W3 for OC
STEP 10 – Connect W1,W2 and W3 to form final watermark Wf

19. Embedding and Detection
STEP 1 – Chaotic scheme is again used to determine 12 positions
inside the 36 bit SN field and the 12 bits are embedded in
the respective positions.
STEP 2 – Chaotic watermark algorithm discussed previously is used to
generate the watermark Wg at the reader side. The
watermark Wf is compared.
• If they are same, then no data tamper is observed;
• If anterior 2 bits are different, then Header in RFID tags is tampered
• If middle 5 bits are different, then EM in RFID tags is tampered
• If latter 5 bits are different, then OC in RFID tags is tampered.

20. Watermark Generation
Header EPC Manager Object Class
Serial
Number
CCS CCS CCS
+
Watermark
Header EPC Manager Object Class
Serial
Number

21. Embedding Process
Header EPC Manager Object Class
Serial
Number
Attack
Header EPC Manager Object Class
Serial
Number
CCS CCS CCS
+
Watermark
Extracted
Watermark
Match
?
Tamper!

22. Results
Tamper detection after OC data is changed

23. Results
Tamper detection after EM data is changed

24. Implementation
RFID TAG
RFID
READER/WRITER MCU
RFID TAG

25. Hardware Description of Components
• The choice of the microcontroller is the Atmel ATMega89S52 8 bit
controller.
• The AT89S52 is a low-power, high-performance CMOS 8-bit
microcontroller with 8K bytes of in-system programmable Flash
memory.
• The device is compatible with the industry-standard 80C51
instruction set and pinout. The on-chip Flash allows the program
memory to be reprogrammed in-system or by a conventional
nonvolatile memory programmer.

26. AT89S52 Properties
• 8K bytes of Flash,
• 256 bytes of RAM,
• 32 I/O lines,
• Watchdog timer,
• 2 data pointers,
• Three 16-bit timer/counters,
• A six-vector two-level interrupt architecture,
• A full duplex serial port,
• On-chip oscillator and clock circuitry.

27. AT89S52 Pinout Diagram

28. RFID Reader/Writer
• HY502 series of RFID reader/writer modules are based on non-
contact card reader ASCI chip compatible with ISO14443 standard.
• It uses 600nm CMOS EEPROM technology, supports ISO14443
typeA protocol, and also supports the MIFARE standard encryption
algorithm.
• HY502 series supports Mifare One S50, S70, Ultra Light & Mifare
Pro, FM11RF08 and other compatible cards.

29. HY502 Reader/Writer

30. RFID Tags
• The MIFARE Classic 1K offers 1024 bytes of data storage, split into
16 sectors.
• It has namely 3 major blocks, the RF section for transmitting and
receiving data. The EEPROM memory is for storage and a DCU is
present for authentication and control.
• They can be programmed for operations like reading, writing,
increasing value blocks, etc.
• The cards are contactless and operate at 13.56 MHz

31. Ehouyan RFID card

32. Interfacing
• Interfacing of the RFID Reader/Writer with the Microcontroller is
done using the MAX232 IC.
• The MAX232 is an integrated circuit that converts signals from an
RS-232 serial port to signals suitable for use in TTL compatible
digital logic circuits.
• The MAX232 is a dual driver/receiver and typically converts the RX,
TX, CTS and RTS signals.

33. MAX232 Interfacing

34. Circuit Diagram of the Motherboard

35. Keil IDE
• Keil C51 development environment is used for developing
applications on the 8051 microcontroller architecture.
• Keil has tools to directly compile the source code (both in C and in
assembly) into the standard Intel .hex format.
• The tools also have the facility to directly burn the code onto the
controller using a non-volatile programmer.

36. Keil IDE

37. ProgISP
• ProgISP is a Flash/EEPROM burner software designed specifically
for writing the Intel Hex files into the 8051 family of
Microcontrollers designed by Atmel
• There are various functions available to erase and program the chip
as desired
• There are also the standard debug utilities to verify the chip I/O and
also verify and lock the program inside the IC

38. ProgISP

39. Results
• The hardware is tested real time by using two RFID read/write
cards which can be written and read many times over.
• The system is initialized and made to run the algorithm and write
the watermark onto the card.
• After the writing part, the algorithm checks for the authenticity of
the watermark and displays the output accordingly on the LCD
display.

40. Results
RFID INITIALIZATION

41. Results
Watermark Validation success

42. Results
Watermark Validation failed

43. Conclusions
• The proposed algorithm aims to address the security fault in RFID in
2 ways.
• The algorithm gives a fool proof way to detect tamper in the
passive RFID cards.
• The algorithm effectively runs on a low cost hardware so that it can
be employed along with the reader/writer for portable security.

44. References
[1] M. I. Youssef, M. Zahara, A. E. Emam, and M. Abd ElGhany;
Chaotic Sequences Implementations on Residue Number Spread
Spectrum System; International Journal Of Communications, Issue 2,
Volume 2, 2008
[2] Noman, Curran, Lunney; Watermarking Based Tamper Detection
for RFID tags; IIH-MSP Sixth International Conference 2011.
[3] Mohan, M.; Potdar, V.; Chang, E.; Recovering and Restoring
Tampered RFID Data Using Steganographic Principles;IEEE
International Conference On Industrial Technology (ICIT) 2006

45. References
[4] Bogdan Cristea ; Statistical Properties of Chaotic Binary Sequences ;
IEEE Transactions on Information Theory ; 2008
[5] Harinda Fernando and Jemal Abawajy ; A Taxonomy of Security in Very
Large Scale Networked RFID Systems; Deakin’s University; 2009
[6] Government of Honkong Special Administrative Region ; RFID Security;
2008
[7] Kirk Wong, Patrick Hui, Allan Chan, “Cryptography and authentication on
RFID passive tags for apparel products,” Computers in Industry, 2006.

46. References
[8] Stephen Weis, Sanjay Sarma, Ronald Rivest, et al, “Security and privacy
aspects of low-cost radio frequency identification systems”
[9]D.Molnar and D. Wagner, “Privacy and security in library RFID: Issues,
practices, and architectures” In Conference on Computer and Communications
Security – CCS, ACM Press, 2004 pp. 210-219
[10]S. A. Weis, S. E. Sarma, R. L. Rivest, D. W. Engels, “Security and
Privacy Aspects of Low-cost Radio Frequency Identification Systems”, in D.
Hutter et al. Edn. Security in Pervasive Computing 2003, LNCS 2802, pp.
201-212, 2004

47. THANK YOU