1

Toward Practical Public Key Anti-Counterfeiting for Low-Cost EPC Tags

Alex Arbit, Avishai Wool, Yossi Oren, IEEE RFID April 2011

2

Outline

Anti-counterfeiting for RFID Cryptographic anti-counterfeiting Lab system setup WIPR protocol flow Implementation results Optimizations Summary & Future work

3

RFID EPC Supply chain Counterfeiting is considered one of the

greatest treats to the world’s economy

Electronic Product Code (EPC) is designed to guarantee uniqueness of every RFID Tag in Supply Chain

Problem: Standard RFID EPC-based supply chain is

generally unprotected and may become an easy target for the adversary

4

RFID Tags Anti-counterfeiting methods

Unique ID (EPC) Unencrypted value – an easy prey for adversary!

A world-wide readers network database to trace compromised tag IDs (track-and-trace) Essential cooperativeness of all supply chains Loss of information privacy

Cryptographic solution Asymmetric solution – Public key on Tag Strong system protection – “breaking” one Tag

doesn’t compromise the supply chain Was considered not feasible for RFID chain due

to high resource consumption on tag side and long execution times!

5

Cryptographic anti-counterfeiting protocol

Non-secret Public key (Tag, reader) Private key (Reader only)

R1

Ek(R1,R2,ID)

Interrogator(knows k)

Tag(knows ID, k)

Generate Random R1 Generate Random R2

Encrypt R1,R2 and ID

Decrypt and Verify R1

Output ID

6

Asymmetric cryptographic approach

Tag bears only a partial (public) key -> can only encrypt messages System not compromised even if a certain tag is

Reader possesses both key parts -> can encrypt and decrypt Only one private key is required for entire chain No need for a constant link to a central server

7

A system view of the suggested public-key based anti-counterfeiting system

Only Tag Integrator possesses all encryption and decryption keys

Tag manufacturer has no signing key Unable to create arbitrary signed TIDs not from Integrator’s

list Reader has private decryption key but no signing key

Can only verify tags but unable to forge new oneso System can operate completely offline once keys are

delivered

8

IAIK Demotag

EPC C1G2 fully compliant UHF tag ATMega128 AVR controller

Integral 128kB Flash, 4kB SRAM 16MHz crystal oscillator Communication interfaces

JTAG UART RFID Analog Front End

9

Experimental System Setup

IAIK UHF Demotag with a WIPR algorithm mounted on it CAEN RFID EPC1G2 Reader with MATLAB SCA toolkit 2 PC Workstations

11

Full WIPR Protocol flow

Seamless protocol integration with standard EPC Class I Generation II commands

R1

Ek(R1,R2,ID)

Interrogator(knows k)

Tag(knows ID, k)

Generate Random R1 Generate Random R2

Encrypt R1,R2 and ID

Decrypt and Verify R1

Output ID

12

Tag Firmware Architecture

13

Tag resources usage

14

Implementation results – message encryption time as f(heap size)

Message encryption time shortened from initial 7 seconds down to 180 milliseconds using optimizations!

Will be checked on existing ASIC implementation for the same dramatic effect of RAM usage on performance

2700 2750 2800 2850 2900 2950 3000 3050 3100 3150 32000

1,000

2,000

3,000

4,000

5,000

6,000

7,000

8,000Y (ms)

X (bytes)

15

Response time as a function of block read size

Reader-tag maximum wireless link speed 15kbps After each data transaction reader “shuts down” the

link – inefficient reader implementation slows the link down

Reading out large chunks of data ensures fastest response time

17

Response time as a function of block read size – cont.

Reading out large chunks of data ensures fastest response time

19

Optimizations

Total system’s performance further improved from 840ms to 265ms with full link pipelining

1 2 30

100

200

300

400

500

600

700

800

900

T responseT encryptTchallenge

Total link time

20

Summary

A full strength Public key Crypto system is implemented on standard EPC C1 G2 Tag for RFID supply chain!

RAM usage presents a resource vs. message encrypt time latency trade-off.

A better use of air interface by the reader side squeeze the total execution time down to 0.265s for full pipelining.

System designed for fully off-line operation can be further strengthened by use of standard reader track-and-trace with no additional cost on Tag side .

21

Future Work

Adding a small amount of RAM to existing ASIC implementation to compare performances and benchmarking

Integrate suggested anti-counterfeiting solution with current EPC C1G2 tag chips

Work with other reader vendors to see if they handle a standard EPC Class I Generation II more efficiently

22

Thank You!!תודה רבה