RFID Security

Contributed by Joanne C. Kelleher

The Security Research Group (SRG) of the BRIDGE project has put together a white paper called RFID Tag Security. You can view a copy of it here – http://www.bridge-project.eu/data/File/BridgesecuritypaperDL_9.pdf.  The objective of the report was to review their current RFID tag security activities and investigate future requirements.  It doesn’t report on activities by organizations outside of the BRIDGE project.

Here is more information about the BRIDGE project:

BRIDGE (Building Radio Frequency IDentification for the Global Environment) is a European Union funded 3-year Integrated Project addressing ways to resolve the barriers to the implementation of RFID in Europe, based upon GS1 EPCglobal standards. The project consists of a series of business, technical development and horizontal activities. Seven Business work packages have been set up to identify the opportunities, establish the business cases and perform trials and implementations in various sectors including anti-counterfeiting, pharmaceuticals, textile, manufacturing, re-usable assets, products in service and retail non-food items. The project includes an important research and development program in various aspects of RFID hardware, software, network and security. A series of horizontal activities will provide training and dissemination services, enabling the adoption of the technology on a large scale in Europe for the sectors addressed by BRIDGE and beyond. BRIDGE involves 30 partners and is coordinated by GS1.

The white paper explains the importance of RFID tag security, their view of RFID tag security requirements as well as related privacy issues.

In section 5.2 the SRG provides their recommendations of RFID tag security requirements: Authentication (Tag authentication), Reader authentication, Confidentiality (Encryption) and Signature. All of these operations have been discussed by SecureRF, in the various presentations we have given, as appropriate methods for secure RFID tags. Which methods are implemented should depend on the needs of the application.

The main area of difference between SecureRF’s approach and what the SRG is proposing is in the cryptographic method. SRG states that “The suggested security measures are based on a symmetric cryptographic approach, implemented in a way that the reading distance of low-cost tags is not reduced. In symmetric cryptography, identical cryptographic keys are used for both decryption and encryption.” SRG most likely recommended a symmetric solution because it is less computationally intensive then a traditional asymmetric (public key) solution but it introduces more key management issues because the sender and receiver must securely share a key in advance.

With the support of The National Science Foundation, SecureRF has proved the feasibility of applying their Algebraic Eraser™ linear-based cryptography method, onto a passive RFID Tag using an asymmetric approach. The initial design and testing targeted the EPCglobal Class 1 Generation 2 UHF RFID (Gen2) tags that will likely be used in the pharmaceutical supply chain. See http://www.securerf.com/pdf/SecureRF_Completes_NSF_Phase_I_Project.pdf.

I would recommend you take a look at this white paper and the other deliverables on the BRIDGE site. If you are unfamiliar with EPC standards for RFID tags the BRIDGE site also has a variety of training materials on this topic. - http://www.bridge-project.eu.