Minimalist Cryptography for Low-Cost RFID Tags

A radio-frequency identification (RFID) tag is a small, inexpensive microchip that emits an identifier in response to a query from a nearby reader. The price of these tags promises to drop to the range of $0.05 per unit in the next several years, offering a viable and powerful replacement for barcodes. The challenge in providing security for low-cost RFID tags is that they are computationally weak devices, unable to perform even basic symmetric-key cryptographic operations. Security researchers often therefore assume that good privacy protection in RFID tags is unattainable. In this paper, we explore a notion of minimalist cryptography suitable for RFID tags. We consider the type of security obtainable in RFID devices with a small amount of rewritable memory, but very limited computing capability. Our aim is to show that standard cryptography is not necessary as a starting point for improving security of very weak RFID devices. Our contribution is twofold: We propose a new security model for authentication and privacy in RFID tags. This model takes into account the natural computational limitations and the likely attack scenarios for RFID tags in real-world settings. It represents a useful divergence from standard cryptographic security modeling, and thus a new basis for practical formalization of minimal security requirements for low-cost RFID-tag security. We describe a protocol that provably achieves the properties of authentication and privacy in RFID tags in our proposed model, and in a good practical sense. It involves no computationally intensive cryptographic operations, and relatively little storage.

[1]  Yael Tauman Kalai,et al.  Improved Online/Offline Signature Schemes , 2001, CRYPTO.

[2]  David Chaum,et al.  Untraceable electronic mail, return addresses, and digital pseudonyms , 1981, CACM.

[3]  Mihir Bellare,et al.  Entity Authentication and Key Distribution , 1993, CRYPTO.

[4]  Jean-Jacques Quisquater,et al.  A Practical Zero-Knowledge Protocol Fitted to Security Microprocessor Minimizing Both Transmission and Memory , 1988, EUROCRYPT.

[5]  Alfred Menezes,et al.  Handbook of Applied Cryptography , 2018 .

[6]  Hugo Krawczyk,et al.  A modular approach to the design and analysis of authentication and key exchange protocols (extended abstract) , 1998, STOC '98.

[7]  D. McCullagh RFID tags : Big Brother in small pachkages , 2003 .

[8]  Taher El Gamal A public key cryptosystem and a signature scheme based on discrete logarithms , 1984, IEEE Trans. Inf. Theory.

[9]  Yang Yang,et al.  Organic nonvolatile memory by controlling the dynamic copper-ion concentration within organic layer , 2004 .

[10]  Jacques Stern,et al.  Cryptanalysis of the OTM Signature Scheme from FC'02 , 2003, Financial Cryptography.

[11]  Ronald L. Rivest,et al.  The blocker tag: selective blocking of RFID tags for consumer privacy , 2003, CCS '03.

[12]  Silvio Micali,et al.  On-line/off-line digital signatures , 1996, Journal of Cryptology.

[13]  Dan Boneh,et al.  Generating RSA Keys on a Handheld Using an Untrusted Server , 2000, INDOCRYPT.

[14]  Victor Shoup,et al.  On Formal Models for Secure Key Exchange , 1999, IACR Cryptol. ePrint Arch..

[15]  Ari Juels,et al.  Squealing Euros: Privacy Protection in RFID-Enabled Banknotes , 2003, Financial Cryptography.

[16]  Mihir Bellare,et al.  Relations among Notions of Security for Public-Key Encryption Schemes , 1998, IACR Cryptol. ePrint Arch..

[17]  Bing Jiang,et al.  Some Methods for Privacy in RFID Communication , 2004, ESAS.

[18]  Markus Jakobsson,et al.  Security Weaknesses in Bluetooth , 2001, CT-RSA.

[19]  A. Juels,et al.  Universal Re-encryption for Mixnets , 2004, CT-RSA.

[20]  Ronald L. Rivest,et al.  Security and Privacy Aspects of Low-Cost Radio Frequency Identification Systems , 2003, SPC.

[21]  Adrian Perrig,et al.  TESLA Broadcast Authentication , 2003 .

[22]  Amit Sahai,et al.  Pseudonym Systems , 1999, Selected Areas in Cryptography.

[23]  David Chaum,et al.  Security without identification: transaction systems to make big brother obsolete , 1985, CACM.

[24]  Kazuo Takaragi,et al.  An Ultra Small Individual Recognition Security Chip , 2001, IEEE Micro.

[25]  Dawn Song,et al.  The TESLA Broadcast Authentication Protocol , 2002 .

[26]  David A. Wagner,et al.  Privacy and security in library RFID: issues, practices, and architectures , 2004, CCS '04.

[27]  Frank Stajano,et al.  The Resurrecting Duckling: Security Issues for Ad-hoc Wireless Networks , 1999, Security Protocols Workshop.

[28]  Christof Paar,et al.  Cryptographic Hardware and Embedded Systems - CHES 2002 , 2003, Lecture Notes in Computer Science.

[29]  Ari Juels,et al.  Soft blocking: flexible blocker tags on the cheap , 2004, WPES '04.

[30]  Daniel W. Engels,et al.  RFID Systems and Security and Privacy Implications , 2002, CHES.

[31]  T. Elgamal A public key cryptosystem and a signature scheme based on discrete logarithms , 1984, CRYPTO 1984.

[32]  Joseph H. Silverman,et al.  NTRU: A Ring-Based Public Key Cryptosystem , 1998, ANTS.

[33]  Hugo Krawczyk,et al.  Advances in Cryptology - CRYPTO '98 , 1998 .

[34]  Daniel W. Engels,et al.  I. Radio-Frequency Identification: Security Risks and Challenges , 2003 .