Radio frequency identification (RFID) systems compliant with the EPCglobal Generation 2 (Gen2) passive UHF RFID protocol are being deployed in a broad range of applications including access control, automated tolling, personal identification, anti-counterfeiting, and supply chain management. With the broad applications and the demand for ever increasing amounts of on-tag functionality, security on the tag has become a critical enabling functionality in many applications. To address this growing marketplace need, EPCglobal is developing a standard security framework within which security functionality may be integrated seamlessly into the Gen2 protocol. We review the proposed Gen2 security framework and introduce example cryptographic suites to illustrate how to utilize this framework to provide a range of security functionality. We analyze the security of the Gen2 protocol and this new functionality in the context of timing-based attacks. We conclude that the tight communication timings specified in the Gen2 protocol mitigate timing-based attacks; however, the loose timing implementations on commercial interrogators and limited timing enforcement on tags lessen the effectiveness of the specified timing constraints. Further, we conclude that the new security framework allows for the efficient integration of secure functionality that, as specified, is resistant to timing-based attacks; however, we caution that using the delayed response of the new Gen2 security functionality creates new vulnerabilities to timing-based attacks such as relay attacks and man-in-the-middle attacks.