Development of privacy-preserving RFID authentication system using mobile devices

A mobile RFID system is a radio frequency identification technology that allows users to read the information on its tags. Systems that allow free reading of tags with mobile RFID reader devices represent a significant risk to individual privacy because unauthorized individuals may easily obtain personal information from the tags. In addition, the fixed ID values on tags can be used to track users in network segments. Although various solutions have previously been proposed to resolve this RFID privacy problem, most require numerous calculations to be performed on the tags. Therefore, these techniques require active tags with high-capacity embedded processors, which are expensive. In addition, it is not practical to apply these techniques to a mobile RFID system based on passive tags attached to devices because of not only the high price but also the bulkiness of the tags themselves. In this paper, we propose an efficient protocol for authentication, which allows transferring of the heavy calculations to the mobile reader devices, thus requiring only the resulting values to be stored on the tags. This study mainly focuses on improving the limitations of existing RFID authentication protocols, which usually assume active tags. The proposed protocol achieves the same security level and performance that can be obtained through active tags. To evaluate the performance of the proposed protocol, we implemented it using EPC Gen-2 tags, a smartphone, a UHF RF dongle, and a database. The proposed protocol meets various security requirements such as tag protection and location- and traffic-tracking prevention. The proposed protocol also meets other requirements such as lightweightness and the desired level of performance.