TREA

METHOD AND DEVICE FOR INCREASED RFID TRANSMISSION SECURITY

Follow

Information

  • Patent Application
  • 20090015385
  • Publication Number
    20090015385
  • Date Filed
    June 01, 2006
    18 years ago
  • Date Published
    January 15, 2009
    16 years ago
Information
Abstract
A method and system for secure RFID system communication is provided. The RFID system comprises an RFID reader (101) communicating with an RFID tag (102). The RFID reader (101) sends (116) to the RFID tag (102) a request to write. The RFID tag (102) generates random data (P), and sends (122) the random data (P) to the RFID reader (101). The RFID system encrypts information (M2) by using the random data (P), and the RFID reader (101) sends (124) the encrypted information (E) to the RFID tag (102) which decrypts the information (E) by using the random data (P). Finally the RFID tag (102) stores (126) the decrypted information (M2) on a memory (103) of the RFID tag (102).
Description

The invention relates to an RFID tag, an RFID system and a method for communicating between an RFID tag and reader.


The term RFID (radio frequency identification) describes the use of radio frequency signals to provide automatic identification of items. RFID technology is used in numerous applications, most of which require a relatively high standard of security. Also, interoperability between different actors may be required.


Basically, RFID tags are electronic microcircuits equipped with an RF (Radio Frequency) antenna. An RFID tag is a passive electronic device containing data, for example identification data of an item to which the RFID tag is attached. RFID devices are relatively small, and can be attached to virtually every item. The passive RFID tag can be activated and powered by radio-frequent (RF) energy. When this happens, the tag transmits its stored information, via the built-in RF antenna. Thus, data can be read from the tag. Alternatively, information is broadcasted towards the tag and received by the built-in RF antenna. Thus, data can be written to the tag.


An RFID system generally comprises an RFID reader in addition to the RFID tag. The reader receives RF transmissions from the tag and passes the data to a host system for processing. The reader generally also includes an RF transceiver, which generates the RF energy for activating the tag. It should be emphasized that the reader performs both tag reading and writing operations.


As is clear from the above, a feature of the passive RFID tags is that they do not require any battery. An RFID tag is powered directly by the RF energy supplied to it by the RF transceiver. As a consequence, RFID systems generally operate over relatively short communication distances; for example, in a system based on the ISO-14443 standard, the tag and reader generally can no longer communicate when the distance between them becomes greater than 10 centimeters.


This proximity tends to be seen as an inherent security feature. However, it has recently been found that attacks on the RFID system can be performed from further away than expected. For example, a successful attack on the communication from reader to tag has recently been demonstrated at a distance of 50 meters from the RFID system. This is especially a problem when writing information to the tag. For more details, see the Internet article “Picking Virtual Pockets using Relay Attacks on Contactless Smartcard Systems” by Z. Kfir and A. Wool, which can be viewed at web address http://eprint.iacr.org/2005/052.pdf. This article is incorporated herein by reference.


It is possible to increase security by establishing of a completely secure communication channel, however this requires a full smartcard solution, where, instead of the relatively simple RFID tags, real smartcards incorporating CPU, RAM, ROM, and means for handling public cryptography operations have to be used. Such a solution is relatively expensive.


It is an object of the invention to increase security in the communication between RFID devices, in particular between an RFID tag and an associated RFID reader, at relatively low costs.


According to a first aspect of the invention, a method of controlling storage in an RFID tag communicating with an RFID reader is provided. The method is performed in the RFID tag and comprises the steps of:

    • receiving a request to write,
    • generating random data,
    • sending the random data,
    • receiving encrypted information,
    • decrypting the received information by using the random data, and
    • storing the decrypted information.


The random data may, in other words, be generated according to a one time pad scheme, and the random data may be derived from measuring any of thermal resistance noise, thermal shot noise, atmospheric noise and nuclear decay. The random data and decrypted information may furthermore have the same length, thereby fulfilling the properties of a one time pad.


The step of decrypting the information may be followed by the step of overwriting or deleting the random data, and said steps may be preceded by the steps of receiving a request to read, and sending RFID tag information. The step of generating the random data may also be followed by the step of storing the random data.


An RFID tag comprising means arranged to perform the methods according to the first aspect above, is also provided.


According to a second aspect of the invention, a method of controlling writing of information by an RFID reader communicating with an RFID tag is provided. The method is performed in the RFID reader and comprises the steps of:

    • sending a request to write,
    • receiving random data, and
    • sending information encrypted by the random data.


According to this seconded aspect of the invention, the step of receiving the random data may be followed by the step encrypting information by using the random data, and the steps may be preceded by the steps of sending a request to read and receiving RFID tag information. The step of sending the encrypted information may also involve writing the information on the memory of the RFID tag, and the random data may, in other words, be a one time pad scheme.


An RFID reader comprising means arranged to perform the methods according to the second aspect above, is also provided.


According to a third aspect of the invention, a method of communication for an RFID system comprising an RFID reader communicating with an RFID tag is provided. The method comprises the steps of:

    • sending, from the RFID reader to the RFID tag, a request to write,
    • generating, by the RFID tag, random data,
    • sending, from the RFID tag to the RFID reader, the random data,
    • encrypting information by using the random data,
    • sending, from the RFID reader to the RFID tag, the encrypted information,
    • decrypting, by the RFID tag, the information by using the random data, and
    • storing, by the RFID tag on a memory of the RFID tag, the decrypted information.


According to this third aspect of the invention, the random data may, in other words, be a one time pad scheme, and the random data may be derived from measuring any of thermal resistance noise, thermal shot noise, atmospheric noise and nuclear decay. Furthermore the random data and decrypted information may have the same length, thereby fulfilling the properties of a one time pad.


The method according to the third aspect of the invention may have the step of decrypting the information followed by the step of overwriting or deleting, by the RFID tag, the random data, and the steps according to the third aspect may be preceded by the steps of sending, from the RFID reader to the RFID tag, a request to read, and sending, from the RFID tag to the RFID reader, RFID tag information. The step of generating the random data may also be followed by the step of storing the random data, by the RFID tag, on a memory of the RFID tag.


An RFID system comprising an RFID reader according to above communicating with an RFID tag according to above, is also provided.


The invention makes use of the feature that an RFID communication is strongly asymmetric: the reader-to-tag communication can be eavesdropped from a much larger distance than the tag-to-reader communication. Therefore, in order to increase security, it appears to be sufficient to protect only half of the RFID communication against eavesdropping, in particular the insecure half, which is the reader-to-tag communication.


The tag-to-reader communication channel is still considered as inherently secure, due to the high proximity required to eavesdrop a message broadcast over this channel. The invention makes use of this feature, by using the relatively secure tag-to-reader channel for protecting the relatively insecure reader-to-tag channel.


In a preferred embodiment, when the reader reads information from the tag, the information is sent by the tag as usual. However, when the reader has to write information, the tag first generates random data. Preferably, this random data is then broadcasted over the secure channel to the reader, which uses it to encode information to be written to the tag.


After this, encoded data can be sent over the insecure channel towards the tag. The tag generally stores the random data it generated in a memory, and uses this to decode the information received from the reader. Thus, the original information is written to the tag. However, if an attacker intercepts the communication channel from reader to tag, he will not know which random data was used to encode the information to be written to the tag, and therefore he can only write random bits to the tag's memory when he broadcasts a message over the reader-to-tag channel.


Thus, a relatively secure communication can be obtained with inexpensive means, in particular using an RFID tag. Moreover, the communication according to the invention can be set up faster than when using a completely secure communication channel as there is no cryptographic handshake to process, and software development on the reader is easier as no cryptographic handshake routine need be implemented.


It is well known how to implement a means for generating random numbers into the RFID tag. For example, this can be done using the publicly available INTEL® Random Number Generator design. This design is elucidated in the paper with the same name, that can be retrieved from web address http://cnscenter.future.co.kr/resource/crypto/algorithm/random/criwp.pdf


This paper is incorporated herein by reference. The block diagram at page 3 shows the involved blocks and the needed functionality. The basis of the random number generator is a general noise source, that can be based on a resistor together with an amplifier that stimulates a first oscillator, which gets sampled by at least a second oscillator. After some digital corrections and statistical shaping the resulting bitstream can be used as random data. Because of the white noise character of the noise source, the generated data can be considered as truly random in nature.


Preferably, the communication method according to the invention incorporates a one time pad scheme (Vernam cipher) as disclosed in U.S. Pat. No. 1,310,719. This scheme requires the use of a true random data generating means in the tag, such as the above mentioned INTEL® Random Number Generator design to generate the pad. Moreover, the pad must be transmitted over a secure channel such as the tag-to-reader communication channel. Encoding of data in the one time pad scheme is straightforward and can be as simple as performing an XOR (exclusive OR) operation on the data using the pad.





Embodiments of the present invention will now be described, by way of example, with reference to the accompanying schematic drawings, in which:



FIG. 1 is a diagram of the method of communication for the RFID system,



FIG. 2 is a schematic diagram of an RFID tag, and



FIG. 3 is a schematic diagram of an RFID reader.






FIG. 1 shows schematically RFID communication between reader 101 and tag 102 according to the present invention. When information M1 is to be read from the tag 102, the reader 101 sends 110 a request to read to the tag 102. The RFID tag 102 answers as usual, namely by directly transmitting 114 the stored information M1 over the relatively secure tag-to-reader channel. The dashed parts 115 of the lines represent any arbitrary time and/or communication traffic between the reader 101 and the tag 102.


When information M2 is to be written 126 to the tag 102, the reader 101 sends 116 a request to write to the tag 102. In response to this, the tag 102 activates its random data generator 202 for generating a one time pad P. This pad P is stored 118 in the tag memory 103 itself, or alternatively a dedicated memory in the tag 102, and is subsequently transmitted 122 over the relatively secure channel to the reader 101, in response to the write request. The reader 101 is arranged for encoding the information to be written M2 involving the pad P, for example by performing an XOR operation. The encoded data E is then sent 124 over the relatively insecure reader-to-tag channel to the RFID tag 102. The tag 102 uses the stored pad P for decoding the encoded data E, thus obtaining original information M2 to be written 126 to the tag memory 103.


In FIG. 1, the entire memory contents M1 and M2 are read and written, but in real applications, it is of course possible to retrieve or write only parts or sectors of the memory 103. Also, variable memory sizes can be read or written, if the reader 101 sends a start address and an end address to the tag 102, or a start address and the number of bytes to send or stored. When the tag memory 103 itself is used for storing the pad P in writing, the pad P can be stored in the memory section where information M2 should be stored, as the pad P can be overwritten by information M2, thereby erasing the pad P, without problems.


In the scheme set out above, the tag 102 first generated pad P to fill 118 its memory 103 and then sends 122 it to the reader 101, but there is in practice no restriction on this sequence, as long as the tag 102 remembers which pad P was sent 122 to the reader 101. In this scheme, there is no guarantee that the second message (encoded data E) actually comes from the intended reader 101. But, if a malicious reader sends data instead of the intended reader 101, the message will result in random bits on the tag's memory 103, as the attacker does not know the pad P.


To further improve on this scheme, it may be possible to add a message integrity mechanism for the tag 102 to the message, in order to verify the decrypted message. Due to the properties of the one time pad (P), a cryptographically insecure message integrity mechanism such as CRC-32 is enough. Alternatively, or in addition, a reader 101 can verify the tag content the next time the tag 102 will be read.



FIG. 2 shows an embodiment of a tag 102 according to the present invention. Only the main blocks needed in a contactless RFID tag 102 are shown. Particularly, the present invention relies on the presence of true random generator (TRNG) 202, for generating the random data. The contact pads in the analogue RF interface connect to the RF antenna 208 shown in the figure. FIG. 2 does not show the implementation of the TRNG 202 according to the present invention. Apart from an analog RNG block 202 that puts out a serial bitstream, such as the Intel® Random Number Generator, this implementation requires at least a digital block 200. The digital block 200 retrieves of the right amount of random data (P) from the TRNG 202, and writes the random data (P), via a memory interface 204, onto a memory 206 such as a RAM or a flip-flop. The digital block 200 also sends the random data (P), via the RF interface 208, to the reader 101.



FIG. 3 shows an RFID reader 101 comprising an RF-interface 302 and a control unit 300. The control unit 300 may encrypt the information M2 to be stored on the RFID tag 102, or optionally it may be connected to a back data processing unit performing the encryption.


In summary, the invention proposes to protect the relatively insecure reader-to-tag RFID communication with dedicated electronics, which is much cheaper than a full smartcard solution. Basically the RFID tag 102 is provided with a means to generate random data. When a reader 101 wants to write information to the tag 102, it first retrieves random data via the secure tag-to-reader communication channel. This data is used to encrypt the data to be written to the tag 102. Thus, encrypted data is sent via the insecure reader-to-tag channel and subsequently decoded in the tag 102. If an attack is carried out on the insecure channel, the attacker can only write meaningless data into the tag 102.

Claims
  • 1. A method of controlling storage in an RFID tag communicating with an RFID reader, said method performed in the RFID tag and comprising the steps of: receiving a request to write,generating random data,sending the random data,receiving encrypted information,decrypting the received information by using the random data, andstoring the decrypted information.
  • 2. The method of claim 1, wherein the step of generating the random data is followed by the step of: storing the random data.
  • 3. The method of claim 1, wherein the random data is derived from measuring any of thermal resistance noise, thermal shot noise, atmospheric noise and nuclear decay.
  • 4. The method of claim 1, wherein the random data and decrypted information are of the same length, thereby fulfilling the properties of a one time pad.
  • 5. The method of claim 1, wherein the step of decrypting the received information is followed by the step of: overwriting or deleting the random data.
  • 6. The method of claim 1, wherein said steps are preceded by the steps of: receiving a request to read, andsending RFID tag information.
  • 7. An RFID tag for storing information and communicating with an RFID reader, said RFID tag comprising: means for receiving a request to write,means for generating random data,means for sending the random data,means for receiving encrypted information,means for decrypting the received information by using the random data, andmeans for storing the decrypted information.
  • 8. A method of controlling writing of information by an RFID reader communicating with an RFID tag, said method performed in the RFID reader and comprising the steps of: sending a request to write,receiving random data, andsending information encrypted by the random data.
  • 9. The method of claim 8, wherein the step of receiving the random data is followed by the step of: encrypting information by using the random data.
  • 10. The method of claim 8, wherein said steps are preceded by the steps of: sending a request to read, andreceiving RFID tag information.
  • 11. The method of claim 8, wherein the step of sending the encrypted information involves: writing as the information on the memory of the RFID tag.
  • 12. An RFID reader for controlling writing of information on an RFID tag, said RFID reader comprising: means for sending a request to write,means for receiving random data, andmeans for sending information encrypted by the random data.
  • 13. A method of communication for an RFID system comprising an RFID reader communicating with an RFID tag, said method comprising the steps of: sending, from the RFID reader to the RFID tag, a request to write,generating, by the RFID tag, random data,sending, from the RFID tag to the RFID reader, the random data,encrypting information by using the random data,sending, from the RFID reader to the RFID tag, the encrypted information,decrypting, by the RFID tag, the encrypted information by using the random data, andstoring, by the RFID tag on a memory of the RFID tag, the decrypted information.
  • 14. The method of claim 13, wherein the step of generating the random data is followed by the step of: storing the random data, by the RFID tag, on a memory of the RFID tag.
  • 15. The method of claim 13, wherein the random data is derived from measuring any of thermal resistance noise, thermal shot noise, atmospheric noise and nuclear decay.
  • 16. The method of claim 13, wherein the random data and decrypted information are of the same length, thereby fulfilling the properties of a one time pad.
  • 17. The method of claim 13, wherein the step of decrypting the information is followed by the step of: overwriting or deleting, by the RFID tag, the random data.
  • 18. The method of claim 13, wherein said steps are preceded by the steps of: sending, from the RFID reader to the RFID tag, a request to read, andsending, from the RFID tag to the RFID reader, RFID tag information.
  • 19. An RFID system comprising an RFID reader according to claim 12 communicating with an RFID tag.
Priority Claims (2)
Number Date Country Kind
05104959.1 Jun 2005 EP regional
05111441.1 Nov 2005 EP regional
PCT Information
Filing Document Filing Date Country Kind 371c Date
PCT/IB06/51761 6/1/2006 WO 00 12/3/2007