Secure EPCglobal Class-1 Gen-2 RFID System Against Security and Privacy Problems

Transcription

1 Secure EPCglobal Class-1 Gen-2 RFID System Against Security and Privacy Problems Kyoung Hyun Kim 1, Eun Young Choi 2,SuMiLee 3, and Dong Hoon Lee 4 Center for Information Security Technologies(CIST), Korea University, 1, 5-Ka, Anam-dong, Sungbuk-ku, Seoul, , Korea visionkkh@korea.ac.kr 1, bluecey@cist.korea.ac.kr 2, smlee@cist.korea.ac.kr 3, donghlee@korea.ac.kr 4 Abstract. Radio Frequency Identification (RFID) system is an important technology in ubiquitous computing environment. RFID system should be compatible with most RFID system applications to support the ubiquitous computing environment. Recently, researchers had studied about RFID standardization. After all, EPCglobal Class-1 Gen-2 (C1G2) RFID is selected as an international standard of RFID systems. Unfortunately, it has fatal security problems to be vulnerable to information leakage and traceability since a tag of EPCglobal C1G2 emits its fixed ID(EPC) without hiding or modifying. A main goal of our work is to propose the secure protocol well suitable for EPCglobal C1G2. First of all, our protocol exactly follows RFID standard with only current capabilities of a tag approved in the standard, assuring that our protocol is secure against impersonation, information leakage, and traceability etc. 1 Introduction Radio Frequency Identification (RFID) is an automatic identification system using a microchip that has capability of transmitting a unique serial number or other additional data through RF(radio frequency) signals. The advantage of RFID system is to provide good properties; many-to-many communication, wireless data transmission, and self-computing. These benefits enable more wider range of application fields such as manufacturing, supply chain management, and inventory control, etc. For the reason, RFID technology is expected to be massively deployed in the near future. To popularize RFID system, several organizations including EPCglobal and ISO had been working on standardization. In particular, the EPCglobal Class-1 Gen-2 (C1G2) RFID was adopted as an international standard by ISO/IEC. However, the EPCglobal C1G2 specification has fatal security problems. Generally, RF signals make RFID system vulnerable to various attacks such as eavesdropping, traffic analysis, spoofing and denial of service. These attacks may disclose sensitive information of tags and hence infringe on a user s privacy. Another type of privacy violation is traceability which establishes a relation between a user and a tag. If a link can be established between a user and the This research was supported by the Seoul R&BD Program(10665), Korea. R. Meersman, Z. Tari, P. Herrero et al. (Eds.): OTM Workshops 2006, LNCS 4277, pp , c Springer-Verlag Berlin Heidelberg 2006

2 Secure EPCglobal Class-1 Gen-2 RFID System 363 tag he/she holds, the tracing of the tag makes the tracing of the user possible [4]. Nevertheless the basic security concerns have been already considered in the related literatures, they are not considered in EPCglobal C1G2 specification. Namely, a tag emits EPC without hiding or modifying and anybody can be readable it. An adversary can easily obtain EPC by eavesdropping on communication between a reader and a tag. This can cause user s privacy infringement, because anybody can access a service which provides information of the object corresponding EPC [14]. Furthermore, the adversary with eavesdropping messages can clearly trace a user s movement, since EPC is a unchanging value. These problems in the RFID standard will make a limit of standard s public usage because security and privacy issue is very sensitive for people. For providing security in the standard, researchers should try to modify steps of the standard or add new components to the standard. The additional works have to pay a lot of expense and may be a bar to popularize RFID system through the standard. Therefore, it is important work to provide various security considered in general RFID system without modifying of the standard. We propose the secure protocol against security and privacy problems which maintains each step and components of the standard. 1.1 Related Works and Contributions Related works. Researchers have recognized the security problems of tags [2]. We describe related studies below. The simplest physical approach is to Kill tags [7]. Kill technique is to restrict the use of a tag by removing its ID. However, this method is not a useful solution. A tag will be used as active state in numerous applications. For example, in animal tracking system, the tag should not be killed, because the tags must always be in working state. Another approach is using hash function [3,7,9]. This approach can prevent an exposure of tag s ID using one-wayness property of a hash function. However, implementing a standard cryptographic hash function, such as MD5 or SHA-1, in a tag is beyond the capabilities of today s tags. So, current EPCglobal C1G2 specification does not make use of hash function. Recently, Juels et al. considered operation complexity of tag [8]. The protocol does not require for a tag to perform any cryptographic operations except XOR, simple bit-operation. It may be possible to implement the protocol in current low-cost RFID systems. Unfortunately, it did not consider eavesdropping and privacy issues and is not secure against privacy and information leakage. Thereafter, Duc et al. proposed a scheme for EPCglobal C1G2 [11]. They reported the security problems of EPCglobal C1G2, and suggested the solution about the problems. However, we had to modify composition of the standard for applying the scheme in the standard, since the authors of the paper [11] do not consider working steps of EPCglobal C1G2. In addition, the scheme can not resynchronize automatically when synchronization is broken. The works require additional costs, comparing with schemes which does not need re-synchronization. Contribution. In this paper, we analyze working steps and security threats of EPCglobal C1G2 in detail. This will help several security researches of

3 364 K.H. Kim et al. EPCglobal C1G2. We propose a secure protocol which is suitable for EPCglobal C1G2. The main contribution of our paper is that our protocol can apply to EPCglobal C1G2 without any modifying steps or components of the standard and is secure against security problems. In addition, our protocol does not need synchronization. By the advantages of our paper, the standard reduce entire costs adding security as well as is spread out wide and fast in our life. Organization of the paper. This paper is organized as follows: In Section 2, we describe RFID systems and analyze security problems of RFID system. In Section 3, We analyze EPCglobal C1G2 and threats of EPCglobal C1G2. Then We describe our proposed protocol in Section 4. We analyze our protocol in security in Section 5. Finally, we conclude in Section 6. 2 RFID System 2.1 Components In general, RFID system consists of a tag, a reader, and a back-end server. Tag: A tag is a small and low-priced chip which is adhered on objects. It consists of only a microchip with limited functionality and data storage, and an antenna to wireless communication with reading devices. RFID tags can be classified into two types, active or passive depending on powering technique. While an active tag can generate power by itself, a passive tag is not able to supply a power by itself. Therefore the passive tag obtains power from the reading devices when it is within range of some reading devices. Reader: A reader can read and re-write the data in a tag. A reader queries a tag to obtain the tag s contents though RF interface. After the reader queries to a tag and receives some information from the tag, the reader forwards the information to a back-end server. Back-end server: A back-end server is a device that manages and stores various information such as EPC for each tag. It can also determine a tag s identity from the information of a tag sent by an authenticated reader. 2.2 Threats of RFID System In RFID systems, because of wireless communication between a reader and a tag, an adversary can monitor all messages transmitted between a reader and a tag. The adversary can also infringe upon a user s privacy using various methods. Therefore, RFID systems must be designed to be secure against attacks such as eavesdropping and impersonation. Eavesdropping: A passive adversary can eavesdrop on messages between a reader and a tag. By eavesdropping, she may obtain a user s secret information. Therefore, RFID systems should be considered that she cannot get any secret information from the eavesdropped messages. Impersonation: An active adversary can query to a tag and a reader in RFID systems. By this property, she can impersonate the target tag or the legitimate reader. When a target tag communicates with a legitimate

4 Secure EPCglobal Class-1 Gen-2 RFID System 365 reader, an adversary can collect the messages sent to the reader from the tag. With the message, the adversary makes a clone tag in which information of a target tag is stored. When the legitimate reader sends a query, the clone tag can reply the message in response, using the information of a target tag. Then the legitimate reader may consider the clone tag as a legitimate one. Information Leakage: If RFID systems are used widely, users will have various tagged objects. Some of objects such as expensive products and medicine provide quite personal and sensitive information that the user does not want anyone to know. If RFID systems are not designed to protect information of tag, user s information can be leaked without acknowledgment of the user. Traceability: When a user has special tagged objects, an adversary can trace user s movement using messages transmitted by the tags. In the concrete, when a target tag transmits a response to a nearby reader, an adversary can record the transmitted message and can establish a link between the response and the target tag. Once a link established, the adversary is able to know the user s location history. 3 EPCglobal Class-1 Gen-2 RFID System In this section, we explain EPCglobal Class-1 Gen-2 RFID system[13], and analyze security problems of it. 3.1 EPCglobal Class-1 Gen-2 RFID EPCglobal C1G2 was adopted as international Standard by ISO/IEC. As result, RFID system will be able to be recognized without confusion. EPCglobal C1G2 tag has properties as follows [11,13]: 1. Tag is passive. 2. Tag uses UHF band ( MHz) and communication range is 2-10m. 3. Tag has on-chip Pseudo-Random Number Generator (PRNG) and Cyclic Redundancy Code (CRC). 4. Tag has two 32-bit PIN for kill command and access command. The kill PIN is used to kill the tag. The access PIN is used to write into the tag or to read something in password fields. EPCglobal C1G2 operates as shown in Fig.1 and a detailed description of each step is as follows: (1) A reader sends a request message to a tag. (2) Each tag which is received the request generates a 16-bit random value (RN16) using Pseudo-Random Number Generator. After that, each tag inputs the random value(rn16) into a slot counter, and starts a slot counter. A slot counter decreases the random value as a regular interval. When a slot counter becomes zero, the tag sends the random value(rn16) to the reader. (3) As response, the reader sends ACK which has the random value(rn16) in reserved field.

5 366 K.H. Kim et al. Fig. 1. Process of EPCglobal Class-1 Gen-2 RFID (4) The tag which is received ACK compares a random value in ACK with RN16 of the tag. If the values are the same, the tag sends PC(Protocol-Control), EPC(Electronic Product Code), and CRC to the reader. The PC bits contain Physical-layer information. In addition, the reader can make use of memory-writing command or kill command, as follows after above steps: (5) The reader sends ReqRN which contains RN16 to the tag. (6) The tag which receives ReqRN compares a random value in ReqRN with RN16 of the tag. If the two values are the same, the tag passes handle to the reader. (7) If the reader gets handle of the tag, it can construct memory-writing or kill command. The reader sends PIN for command of access or kill. (8) The tag verifies PIN which is received from the reader. If the PIN is right, the tag carries out command. When the reader sends PIN, PIN is XORed with RN16 as RN16 is repeated twice. In the EPCglobal C1G2 specification, a RFID tag is capable of generating 16- bit pseudo-random [13]. The pseudo-random number is not used for security but used for making a new session between a reader and a tag. A reader signal can wake up several tags. If many tags act upon reader signal simultaneously, then they may have a collision. By the reason, it needs the system of collision avoidance. The pseudo-random number is used for distinguishing a tag from several tags and preventing the collision. 3.2 Threats of EPCglobal Class-1 Gen-2 RFID System According to EPCglobal C1G2 specification, whenever a tag authenticates a reader, the tag emits EPC as plain text. With only eavesdropping on communication

6 Secure EPCglobal Class-1 Gen-2 RFID System 367 between a reader and a tag, an adversary can obtain EPC of the tag. It can bring about security problems as follows: Impersonation: An active adversary easily impersonates legitimate tags. The adversary stores EPC of a legitimate tag by eavesdropping. After a legitimate reader sends a request message, the adversary emits a stored value(legitimate EPC). Then the reader may consider the value as legitimate. Information Leakage: If an adversary can know EPC of user s tag, the adversary will become aware of some information of user s object, because EPC discovery service[14] is publicized. Therefore it can cause privacy infringement of the user. Traceability: Because tags emit fixed EPC, an adversary with EPC in user s tag can trace the user s movement in EPCglobal C1G2. When tags transmits EPC to a reader, the adversary records EPCs by eavesdropping. Then the adversary can establish a link between the user s tag and its EPC. Once a link is established, the adversary can know user s movement history. Another threat is that PIN can be disclose. When PIN is sent, PIN is XORed with random value (RN16). But RN16 is sent as plain text when session starts. Just by eavesdropping the 16-bit pseudo-random number and the XORed PIN, the PIN can be recovered by an adversary. If PIN is exposed, the adversary can write and delete the memory, and kill a tag. 4 Our Protocol Suitable for EPCglobal Class-1 Gen-2 RFID System In this section, we propose a privacy protection protocol suitable for EPCglobal C1G2. First of all, we define notations. After that, we describe our protocol. 4.1 Our Protocol The following notations are used for the computational operations to simplify the description. Notation RT32 RR32 PIN1, PIN2 EPC f n Description 32-bit random number generated by a tag 32-bit random number generated by a reader Two EPCglobal C1G2 PINs(access, kill) Electronic Product Code 32-bit pseudo-random number generator Thenumberoftagsinthesystem Concatenation of two inputs Exclusive-or of two inputs We assume that the channel between a reader and a back-end server is secure. The channel between a tag and a reader is insecure because of wireless.

7 368 K.H. Kim et al. Fig. 2. Process of our proposed protocol Our protocol exactly follows EPCglobal C1G2 steps with 96-bit EPC. The 16- bit pseudo-random number of EPCglobal C1G2 is not suitable for security. It is very small to use for security. Then we suggest that 32-bit pseudo-random number generator should be supported, in order to fulfill security and to take full advantage of 32-bit PIN. In this paper, we assume that both a reader and a tag use a 32-bit pseudo-random number generator in EPCglobal C1G2. Each tag T i where i {1,...,n}, has EPC i,pin1 i,pin2 i, and 96-bit secrete value S i of which the first bit is 0. Back-end server stores EPC j,pin1 j,pin2 j, and S j where j {1,...,n}, for each tag. Fig.2 shows the process of the proposed protocol, and the following gives a detailed description of each step: (1) A reader sends Query Request to a tag T i. (2) The tag T i generates 32-bit random RT32 from f. And it computes M1 = RT32 PIN1 i, sends M1 to the reader. (3) The reader generates a new 32-bit random RR32. The reader sends ACK(M1) and RR32. (4) The tag computes as follows: - M2 = RR32 PIN2 i RT32, M3 = f(m2) - T is a bit string of which the last 1-bit is removed from 0 RT32 M2 M3. T is 96-bit and the first bit of T is 0. -E=(T+S i ) EPC i, where T and S are 96-bit of which the first bit is 0. We must consider the first bit(carry) of T+S i.thenweset0inthe first bit of T and S i. The tag sends PC, E, CRC to the reader. (5) The reader sends E, M1, RR32 to a back-end server.

8 Secure EPCglobal Class-1 Gen-2 RFID System 369 (6) The back-end server searches EPC for each j where j 1,...,n as follows: -Foreach<EPC j,s j,pin1 j PIN2 j >, compute RT32 =M1 PIN1 j, M2 = RR32 PIN2 j RT32 and M3 = f(m2 ). -T is a bit string of which the last 1-bit is removed from 0 RT32 M2 M3 - Search EPC such that E = (T +S j ) EPC j When the reader wants to command writing, delete, and kill, PIN must be used. For protecting PIN, we accomplish as follows: (7) The reader requests PIN to the back-end server. (8) The back-end server computes P = M3 PIN, where PIN is PIN1 j or PIN2 j, and sends P to the reader (9) The reader sends P to the tag for a command. (10) The tag verifies P M3 = PIN1 i or PIN2 i, if it is true, the tag executes the command. 5 Analysis In this section, we give a security analysis of our proposed protocol. 5.1 Security Analysis We analyze the security of our protocol under section 2.2. as follows: Eavesdropping and Information leakage: A reader which is not authenticated by a back-end server does not obtain a tag s EPC although the reader sends requests to the tag. By eavesdropping, an adversary can obtain <E, M1, RR32>. In order to recover EPC from E, the adversary must know T+S i of each session. S i is a secrete value for each tag T and T is made by random values. Therefore, the adversary does not obtain information about T+S i. The adversary must guess 96-bits of T+S i. The probability is Inspite of the fact that the first bit of T and S i is 0, the probability that the first bit(carry) of T+S i is 1 equals 1/2. Therefore, the probability that the adversary obtain EPC by eavesdropping is negligible. Because EPC is hidden every session, the adversary does not obtain information of a user. In format of EPC, the front bit string of EPC is fixed and public. And for each tag, we can be aware of fixed part of EPC. For example, in 96-bit EPC, the first eight bits of EPC are version and length of serial number. An adversary can also know the front bits of EPC. Then the adversary can obtain the front bits of T+S i, too. Even if we assume that the adversary knows all bits of EPC, for getting the security value S i, the adversary must guess T. The T is made of random value RT32 and RR32. Because the two values are passed by PIN1 and PIN2, the adversary does not acquire the information about RT32 and RR32. Then, the probability guessing T is Therefore, although the front bit string of EPC is fixed and public, S i is secure.

9 370 K.H. Kim et al. Impersonation and Reply attack: An active adversary may be able to reply for cheating the legitimate reader, using data which legitimate tags emit. In proposed protocol, the values emitted by a tag are changed every session since random values are use by the reader and the tag. Because the probability that the legitimate reader and tag use same random values over twice is very small, it is hard that the adversary succeeds the reply attack. Traceability: An adversary can trace location of tags, if response of tag is same or similar pattern for each session. In proposed protocol, the adversary can obtain <E, M1, RR32> by eavesdropping. M1 is changed for each session, and can be considered as a random value. RR32 becomes a different value for each session, if the legitimate reader. E is also changed every session. Although a malicious reader sends requests to a tag by using same RR32, it is difficult that an adversary makes an accurate estimate of E. 6 Conclusion In spite of EPCglobal C1G2 system has been international standard, it is analyzed that it is insecure. In order to protect user s privacy in EPCglobal C1G2 system, we propose a RFID protocol which is secure against impersonation, information leakage, and traceability. We consider working steps and components of EPCglobal C1G2 system. Then our protocol does not alter composition of EPCglobal C1G2. Our protocol uses only approved abilities of tags in EPCglobal C1G2 specification. For that reason, our protocol is suitable for the application using EPCglobal C1G2. Namely, our protocol is a good alternative mechanism which can insert security in the specification without a lot of modification. References 1. A. Juels, R. L. Rivest and M. Szudlo. The Blocker Tag: Selective Blocking of RFID tags for Consumer Privacy. In the 8th ACM Conference on Computer and Communications Security, pp , ACM Press, S. E. Sarma, S. A. Weis and D. W. Engels. Radio-frequency identification systems. CHES 02, vol.2523 LNCS, pp , Springer-Verlag, M. Ohkubo, K. Suxuki and S. Kinoshita. Efficient Hash-Chain Based RFID Privacy Protection Scheme. Ubcomp2004 workshop. 4. G. Avoine and P. OecGJJS04hslin. A scalable and Provably Secure Hash-Based RFID Protocol. In IEEE PerSec 2005, Kauai Island, Hawail, March, L. Su Mi, H. Young Ju, L. Dong Hoon and L. Jong In. Efficient Authentication for Low-Cost RFID systems. ICCSA05, vol LNCS, pp , Springer-Verlag, C. Eun Young, L. Su-Mi, L. Dong HoonEfficient RFID Authentication Protocol for Ubiquitous Computing Environment. EUC Workshops, S. A. Weis, S. E. Sarma, S. A. Weis and D. W. Engels. Security and privacy Aspects of Low-Cost Radio Frequency Identification Systems. First International Conference on Security in Pervasive Computing,

10 Secure EPCglobal Class-1 Gen-2 RFID System Ari Juels, Strenthening EPC Tag against Cloning. To Appear in the Proceedings of WiSe D. Henrici and P. Muller. Hash-based Enhancement of Location Privacy for Radio- Frequency Identification Devices using Varying Identifiers. PerSec 04 at IEEE Per- Com Miyako Ohkubo, Koutarou Suzuki, and Shingo Kinoshita, Effiient Hash-Chain Based RFID Privacy Protection Scheme. In the Proceedings of International Conference on Ubiquitous Computing, Workshop Privacy, Dang Nguyen Duc, Jaemin Park, Hyunrok Lee, and Kwangjo Kim, Enhancing Security of EPCglobal Gen-2 RFID Tag against Traceability and Cloning The Symposium on Cryptography and Information Security, EPCglobal Inc., org/. 13. EPCglobal Inc., Class 1 Generation 2 UHF RFID protocol for communication at 860Mhz-960Mhz version EPCglobal Inc., EPCglobal Object Name Service (ONS) 1.0