Strengthening EPC tags against cloning

The EPC (Electronic Product Code) tag is a form of RFID (Radio-Frequency IDentification) device that is emerging as a successor to the printed barcode. Like barcodes, EPC tags emit static codes that serve to identify and track shipping containers and individual objects. EPC tags, though, have a powerful benefit: they communicate in an automated, wireless manner.Some commercial segments, like the pharmaceutical industry, are coming to view EPC tags as a tool to combat counterfeiting. EPC tags are a potent mechanism for object identification, and can facilitate the compilation of detailed object histories and pedigrees. They are poor authenticators, though. EPC tags are vulnerable to elementary cloning and counterfeiting attacks.In this paper, we present simple techniques to strengthen the resistance of EPC tags against elementary cloning attacks. Our proposals are compliant with the EPCglobal Class-1 Generation-2 UHF standard for EPC tags, which is likely to predominate in supply chains. Such EPC tags contain PIN-based access-control and privacy enhancement mechanisms that are meant to enable tag authentication of readers during the transmission of sensitive commands (like the "kill" command). We show how to leverage such PINs to achieve the opposite goal, namely reader authentication of tags. We describe what may be viewed as crude challenge-response authentication protocols. These protocols do not defend against a full range of attacks, but still have significant practical application. Our techniques can strengthen EPC tags against cloning even in environments with untrusted reading devices.

[1]  Ari Juels,et al.  Squealing Euros: Privacy Protection in RFID-Enabled Banknotes , 2003, Financial Cryptography.

[2]  Ronald L. Rivest,et al.  Security and Privacy Aspects of Low-Cost Radio Frequency Identification Systems , 2003, SPC.

[3]  Daniel W. Engels,et al.  I. Radio-Frequency Identification: Security Risks and Challenges , 2003 .

[4]  Joseph H. Silverman,et al.  NTRU: A Ring-Based Public Key Cryptosystem , 1998, ANTS.

[5]  Sandra Dominikus,et al.  Strong Authentication for RFID Systems Using the AES Algorithm , 2004, CHES.

[6]  David A. Wagner,et al.  Privacy and security in library RFID: issues, practices, and architectures , 2004, CCS '04.

[7]  Ronald L. Rivest,et al.  The blocker tag: selective blocking of RFID tags for consumer privacy , 2003, CCS '03.

[8]  Ari Juels,et al.  "Yoking-proofs" for RFID tags , 2004, IEEE Annual Conference on Pervasive Computing and Communications Workshops, 2004. Proceedings of the Second.

[9]  Frédéric Thiesse,et al.  Extending the EPC network: the potential of RFID in anti-counterfeiting , 2005, SAC '05.

[10]  Tinker Ready,et al.  The color of money. , 2003, Nature medicine.

[11]  D. McCullagh RFID tags : Big Brother in small pachkages , 2003 .

[12]  Matthew Green,et al.  Security Analysis of a Cryptographically-Enabled RFID Device , 2005, USENIX Security Symposium.

[13]  Jean-Jacques Quisquater,et al.  A Practical Zero-Knowledge Protocol Fitted to Security Microprocessor Minimizing Both Transmission and Memory , 1988, EUROCRYPT.

[14]  Avishai Wool,et al.  Picking Virtual Pockets using Relay Attacks on Contactless Smartcard , 2005, First International Conference on Security and Privacy for Emerging Areas in Communications Networks (SECURECOMM'05).

[15]  Bing Jiang,et al.  Some Methods for Privacy in RFID Communication , 2004, ESAS.

[16]  Jacques Stern,et al.  Cryptanalysis of the OTM Signature Scheme from FC'02 , 2003, Financial Cryptography.

[17]  Ari Juels,et al.  Minimalist Cryptography for Low-Cost RFID Tags , 2004, SCN.