[01/11/08] Eustace Asanghanwa, Atmel
For many years now, RFID technology has been touted as the next ubiquitous technology to revolutionize many aspects of the human way of life. However, widespread adoption has been slow due to concerns with security and privacy. Passive RFID tags with built-in hardware cryptography for mutual authentication and encryption capabilities offer security and privacy assurances that may alleviate these concerns.
Optimism for RFID technology is high. In 2005, technology market research firm ABI Research estimated that shipments of RFID transponders in the life sciences would more than triple by the end of 2006. Market watcher Venture Capital Corporation (VDC), in its 2006 year-end overview, predicted pervasion of item-level tracking with RFID technology and estimated significant growth for RFID adoption in the pharmaceutical, consumer product goods, and healthcare markets.
RFID enthusiasts commend many of the conveniences this technology can deliver. For individuals, these include easy walkthrough checkouts in retail stores; hands- and worry-free hospital visits, because medical and prescription histories are contained in a tag embedded under the skin; and the ultimate electronic home, where all gadgets, switches, doors, and appliances are remotely controlled from a single handheld unit. Let's not forget the smart refrigerator that automatically places replenishment orders for consumed or outdated groceries. For industrialists, they include highly automated inventory control systems where every unit item is accounted for across the entire supply chain, including warehouses, transit, and retail outlets, and personalized infomercials beamed into mobile navigation screens as drivers approach billboards.
There is worry, however, that the same technology will enable massive invasion of privacy, and unprecedented security exposures. For individuals, the fear of "Big Brother" knowing everything about them including every ailment they've ever had, their prescription information, their purchasing habits, where they've been and with whom, how much they've had to drink and when, and how many times they exceeded the speed limit within any given time period, etc. Companies have major concerns as well. To achieve true supply chain visibility and efficiency for example, companies would have to share data with one another, which requires some infrastructure for interoperability. Standards organization, EPCglobal Inc., has made many advances towards standardizing product coding and information exchange to facilitate data sharing. However, the issue of security and privacy remains. Consider this hypothetical example from Forrester analyst, Christine Overby, published in Information Week magazine; "Let's just say theoretically that Wal-Mart uses the EPC Network to pass individual supply-chain information back to both Procter & Gamble and Kimberly-Clark about diapers," she says. "Kimberly-Clark and Procter & Gamble are competitors in this category. So Procter & Gamble needs to know that Kimberly-Clark can't see that supply-chain movement from Wal-Mart, and vice versa. So when this information is all pointed to a public network, that does become a concern". Whether founded or not, concerns about security and privacy issues with RFID are real and continue to negatively impact pervasion of the technology.
Make no mistake, the desire to embrace RFID technology is there. Consider the pharmaceutical industry, for example. The FDA encourages the use of RFID as the underlying mechanism to execute pedigree mandates targeted at delivering safety in drug administration and security to protect against diversion and counterfeiting. Industry experts and market analysts predicted RFID technology would power electronic pedigrees (e-pedigree) for most prescription drugs by 2007. Big chain stores like Wal-Mart, Target, and Albertsons passed sweeping requirements to their top suppliers to utilize RFID technology, with the earliest deadlines dating back to January of 2005. In 2003, the US Department of Defense issued a mandate "requiring suppliers to use RFID tags on shipments to the military by January 2005".
With such interest, why isn't RFID technology ubiquitous? In early 2006, ABI Research substantially revised its prediction to say only 10 prescription drugs would receive large-scale RFID tagging by the end of that year. Louis Bianchin, senior analyst at VDC, judging from the flat market for RFID applications in the pharmaceutical industry in 2006, projected continued flatness until mid-2008. Industry experts cite costs (acquisition, deployment) and frequency wars (HF vs. UHF) as potential culprits, but by far, slow consumer adoption seems to be the greatest hindrance. Just consider the economics: if consumers massively embraced RFID technology, the resulting demand would seed rapid development of supply technologies that would eventually lower costs and concurrently define the appropriate frequency band for each application space. Consumers may not have direct input, but investors factor their opinions into technological investment decisions. Which manufacturer would want to invest in RFID technology to tag its product brand when an average consumer is more likely to choose a competitor's non-tagged brand simply because they are afraid of security and privacy violations?
Right Security Measures, Public Education
It would take the right security measures and public education for the public to fully embrace RFID technology. Truth be told, early discussions about RFID did not factor in concerns for security and privacy. We've all seen the TV commercials where the purported department store thief walks by the cash registers only to be handed a payment receipt by the security guard. Some of the supposed conveniences may not even be possible with RFID technology, but this does not detract from the "wow" factor. But so is the case of concern for security and privacy. Although many of the concerns are truly realistic, some have received unfair exaggeration resulting from misinformation about the extent of capabilities of the technology. Public information about the true capabilities of the technology will go a long way towards its fair evaluation, but most importantly, only incorporation of technology to specifically assure security and privacy with RFID can facilitate adoption. Some tag manufacturers recognize this already and encounter challenges to create practical solutions.
Keeping it Practical
Effectively assuring security and privacy with RFID requires practical solutions. It is of no use to anybody to have RFID tags that cannot be applied to products. To this end, it is imperative to realize that product applicability is most effective at the item level. True, pallet-level protection is necessary to deter industrial espionage and inadvertent dissemination of proprietary information, but it is ultimately the consumer walking out of a department store or a pharmacy with purchases in their bags who is concerned about having purchased authentic products and keeping prying "eyes" off their shopping bags.
Achieving item-level protection for the majority of products requires that tags be passive, small, inert, and cheap. Passive tags do not have explicit energy requirements like onboard batteries since they derive energy from the RF field of the reader device. Doing otherwise would require the use of active tags that need explicit powering. Even more impractical about active tags would be the need to assure battery life, to ensure customers in a department store scenario are not plucking batteries off merchandise tags, to replace batteries in long shelf-life items, etc.
Tag size also matters. The smaller the tag, the easier it is to embed in many products at the item level and the easier it is to keep it private, as small tags generally emit signals only over short distances, typically less than a foot. Tags about the size of a US nickel are ideal.
Inertness is another feature of practical tags. This allows for molding into or gluing onto products without concerns of tag damage or adverse interaction. In medical applications, the tags must withstand adverse environmental conditions like high temperatures and pressures associated with autoclaving sterilization processes.
Last but certainly not least, tags must remain cheap for practicality. Embedding tags into products adds costs outside of regular product manufacturing costs. Making the tags cheap not only helps protect profit margins but also broadens the scope of products that can benefit from the technology.
Difficulty Making Wholes from Pieces
RFID technology suppliers understand cryptography holds the key to security and privacy in RFID. They also understand that effective security must include hardware security in the tag itself. Several attempts to incorporate cryptography into RF readers and tags attest to this notion. While reader manufacturers have been able to incorporate open standards cryptography into reader software, tag manufacturers continue to find difficulty incorporating cryptography in tags in the form that is both effective and practical. Reasons for this difficulty include impracticality of existing open cryptographic standards in tag technology and incomprehensive security coverage of each of the tags.
Existing open standard cryptographic algorithms in the public domain were designed to operate in computing-resource-rich environments like the personal computer. Computing resource in this context refers to available memory and processing power. The availability of gigahertz processors in the PC, operating with gigabyte hard disks and RAM, gives it the ability to store several open standards algorithms at a time and to effectively process a multitude of security requirements. Passive tags, which are the most practical, can only afford Kbyte non-volatile memory and typically have no onboard processor or RAM. Additional memory in passive tags only pushes technology envelopes on power requirements and bloats the RFID device size. Large RFID device sizes directly translate into high unit costs and challenges in creating versatile tags like those on malleable RFID labels. Large RFID devices on tags crack when applied to curved surfaces like cylindrical containers. Ignoring their limited versatility for a moment, active tags are also limited in the size of processor and memory they can embed, again for reasons relating to powering requirements and unit costs.
Another reason why existing open standards cryptography is less suitable for tags is that the algorithms are very specialized in the kind of protection they offer. For example, while public key algorithms like RSA (Rivest-Shamir-Adleman) and ECC (Elliptic Curve Cryptography) are suitable for authentication and key exchange operations, symmetric key algorithms like AES (Advanced Encryption Standard) and DEA (Data Encryption Algorithm) are suitable for data encryption, and hash algorithms like SHA (Secure Hash Algorithm) and MD5 (Message-Digest algorithm 5) are suitable for operations geared towards verifying data integrity. In the PC environment, a typical secure transaction simultaneously uses at least one algorithm from each of the three functional areas. For example, when a user logs into their banking website to download account data, the PC utilizes a public key algorithm like RSA to authenticate the PC (and hence user) to the banking network and securely exchange encryption keys. It deploys a symmetric algorithm like AES to encrypt the account data, and then a hash algorithm like SHA-256 to verify integrity of the data. Passive RFID tags today are yet to handle resource-intensive public key algorithms, if that is possible at all, and can barely embed open standard encryption or hash algorithms, let alone embed multiple algorithms at one time.
Existing open standards cryptographic algorithms are therefore not suitable for RFID tags. Without the ability to embed multiple algorithms as intended and done on the PC, RFID tags cannot effectively provide comprehensive security with existing open standard cryptographic algorithms.
Evaluate use of Cryptography in Transponders with Care
Many RFID transponder manufacturers offer cryptographic protection in RFID transponders while some claim use of open standards cryptographic algorithms. While the claims are generally true, it is important for those seeking cryptographic protection to carefully examine the effectiveness of the implementation, practicality of the solution, and suitability for the target application. Not all applications require the highest level of cryptographic protection RFID tags can offer but it is important to understand their vulnerabilities in order to avoid inadvertently choosing inferior solutions. Keep in mind that a secure chain is only as strong as its weakest link.
The most common application of cryptography in RFID transponders is to use a strong open standards algorithm to hash and/or encrypt data, and to store the cryptographic output in plain RFID memory. This scheme provides some level of confidentiality to the data, but that's it. Even though some of the algorithms are virtually impossible to crack, the implementation leaves vulnerabilities in privacy protection and in establishing authenticity. Using sub-$100 equipment, the encrypted data is easily read and subject to systematic attacks. Even worse is when the security is intended to combat counterfeiting. After reading the content, counterfeiters just need to program however many tags are needed for their bogus product without needing to understand the content. Some manufacturers may spice up this scheme by using multiple algorithms and serializing the tags, and even make the serial numbers non-readable. These are only minor deterrents that sometimes do not enhance the security. The use of static serial numbers, for example, only gets security crackers to reach their goals faster by providing clear text inputs.
A less vulnerable application of cryptography in RFID transponders entails embedding a microcontroller in the transponder IC (integrated circuit). Sometimes, the embedded hardware may also include a co-processor for a cryptographic algorithm. While this solution has the potential for applying effective security, its inherent drawbacks involve applicability and practicality. In order to effectively apply this solution, the application developer will have to use security expertise to write specialized software or an operating system to run the transponder system. Since most application developers are not security experts, the software becomes a point of vulnerability in the solution. In addition, the onboard micro- and cryptographic co-processors engender power requirements delivered mostly by active tags. When passive transponders are used, the size is usually very large in order to provide adequate antenna apertures to capture enough power for processing. Typical transponder size approximates credit card sizes or larger, making them unsuitable for incorporation into products at the item level. In addition, associated transaction times are longer than generally acceptable.
Where there is a will, there is a way
Demand for security and privacy in RFID is high and some manufacturers are committed to delivering. While many suppliers continue with attempts to forcefully fit pieces of a puzzle not meant to go together, others sought outside-the-box thinking. Instead of trying to force open standards cryptography to work in the RFID space, for which it was not intended in the first place, they leveraged their security expertise and experience to innovatively capture the security and privacy protection needs of RFID in hardware logic, an implementation that is power, size, and cost effective, but most of all, practical and versatile. They use their security expertise to develop, or evaluate and license, comprehensive security algorithms developed for resource-constrained applications but not yet available in the public domain. They then use their experience to deliver effective solutions in hardware as cryptographic RFID tags.
Cryptographic RFID Tags
Cryptographic RFID tags are next generation RFID with built in formidable hardware security to specifically provide solutions to security and privacy issues. Cryptographic RFID tags have a hardware-based 64-bit cryptographic engine embedded in silicon, multiple sets of 64-bit non-readable, separate authentication and session encryption keys, in a 2K bit configuration memory. The configuration memory provides application developers with true flexibility for customizing security, data and privacy protection options and then blowing fuses to permanently lock in the configuration and custom security keys in the hardware. Embedding cryptographic RFID tags into products and/or their packaging achieves security and privacy.
Secure Dynamic Mutual Authentication Capability
Where there is a need to prove authenticity, as in product authentication against counterfeits or secure access applications, cryptographic RFID tags deliver. Using the non-readable keys, the tags can establish authenticity securely through a cryptographic dynamic mutual authentication process. They use the authentication keys, session encryption keys and random numbers to generate a unique identity, or "cryptogram", for each transaction. Both the RF reader and the cryptographic RFID tag must be able to duplicate each other's cryptograms before any data can be accessed or written. The keys are completely inaccessible, even to the owner of the tag. A unique cryptogram is generated for each transaction, so a cryptogram intercepted during a transaction cannot be used to effect a second transaction. In the extremely unlikely event that the non-readable key(s) from one smartcard become known, they cannot be used with any other cryptographic tags because each cryptographic RF tag has its own unique set of authentication keys. Fuse bits are blown to permanently lock the security information in the tag such that even the tag silicon manufacturer cannot access it.
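The following Python sketch is an added example, not Atmel's code or protocol. It contrasts the static "cryptographic output in plain memory" scheme described earlier with the per-transaction cryptogram exchange described above. HMAC-SHA256 truncated to 64 bits stands in for the tag's proprietary engine, and every class and function name, as well as the reader's key table, is an assumption made for illustration.

```python
import hashlib
import hmac
import secrets


def cryptogram(key, role, reader_nonce, tag_nonce):
    """64-bit per-transaction value. HMAC-SHA256 is a stand-in for the tag's engine."""
    return hmac.new(key, role + reader_nonce + tag_nonce, hashlib.sha256).digest()[:8]


def static_blob(issuer_key, payload):
    """Static scheme: payload plus keyed hash, written to freely readable tag memory."""
    return payload + hmac.new(issuer_key, payload, hashlib.sha256).digest()


def static_blob_valid(issuer_key, blob):
    payload, digest = blob[:-32], blob[-32:]
    return hmac.compare_digest(digest, hmac.new(issuer_key, payload, hashlib.sha256).digest())


class CryptoTag:
    """Hypothetical tag: the key is used internally and never returned."""

    def __init__(self, uid, key):
        self.uid, self._key, self._pending = uid, key, None

    def begin(self, reader_nonce):
        tag_nonce = secrets.token_bytes(8)
        self._pending = (reader_nonce, tag_nonce)
        return tag_nonce, cryptogram(self._key, b"tag", reader_nonce, tag_nonce)

    def finish(self, reader_cryptogram):
        pending, self._pending = self._pending, None  # nonces are single use
        if pending is None:
            return False
        return hmac.compare_digest(reader_cryptogram, cryptogram(self._key, b"reader", *pending))


class ReplayingCopy:
    """Keyless copy that can only repeat a response seen in an earlier transaction."""

    def __init__(self, uid, recorded):
        self.uid, self.recorded = uid, recorded

    def begin(self, reader_nonce):
        return self.recorded

    def finish(self, reader_cryptogram):
        return True


class Reader:
    def __init__(self, keys):
        self.keys = keys           # uid -> that tag's unique key (assumed back-end store)
        self.last_response = None  # what the tag sent over the air last time

    def authenticate(self, tag):
        key = self.keys.get(tag.uid)
        if key is None:
            return False
        reader_nonce = secrets.token_bytes(8)
        self.last_response = tag.begin(reader_nonce)
        tag_nonce, tag_cg = self.last_response
        if not hmac.compare_digest(tag_cg, cryptogram(key, b"tag", reader_nonce, tag_nonce)):
            return False  # tag could not reproduce the reader's expected cryptogram
        return tag.finish(cryptogram(key, b"reader", reader_nonce, tag_nonce))


def demo():
    issuer_key = secrets.token_bytes(16)
    blob = static_blob(issuer_key, b"LOT-0001 constructed sample")
    key_a, key_b = secrets.token_bytes(8), secrets.token_bytes(8)
    reader = Reader({"A": key_a, "B": key_b})
    genuine_ok = reader.authenticate(CryptoTag("A", key_a))
    replay = ReplayingCopy("A", reader.last_response)
    return {
        "static_copy_accepted": static_blob_valid(issuer_key, bytes(blob)),
        "genuine": genuine_ok,
        "replayed_response": reader.authenticate(replay),
        "key_from_other_tag": reader.authenticate(CryptoTag("B", key_a)),
    }
```
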
True Dynamic Stream Encryption for Data Confidentiality
The cryptographic RFID tag uses the same 64-bit hardware cryptographic engine to encrypt data between itself and a host reader for data confidentiality. The operation of the engine is dynamic such that for each set of plain text data, the corresponding encrypted text is always different for the life of the device. This makes replay attacks extremely difficult and goes a long way to assuring privacy. The encryption engine uses stream processing to maximize data encryption throughput.
Multiple Sectors With Configurable Access
Cryptographic RFID tags are available as a complete family in densities from 1 Kbit to 64 Kbits of completely usable memory to accommodate a wide range of information storage and cost requirements. The user memory itself may be divided into as many as 16 separate sections, each of which can independently be customized to allow different levels of read and write access. For example, a product tag may contain consumer loyalty information in one sector accessible only by readers in the store but nowhere else, warranty information in another sector that is writable by the product manufacturer but only readable by store personnel, and chain of ownership information sections that are writable once by manufacturer, shippers, warehouses, and retail store, readable by all but not modifiable. As another example, a cryptographic RFID tag that contains health records might keep the patient's ID and billing address in a portion that is accessible by the billing department and insurance company, while diagnostic information is stored in another area that is accessible only by the doctor, and prescription information is stored in yet another section that can be written to only by the doctor, but only read by the insurance company and the pharmacist. Configurable access control allows customization of solutions to meet specific security and privacy needs.
Assurance of Message Integrity
Before modifying any content in its memory, the cryptographic RF tag first verifies that the message is coming from an authentic source, even after authenticating the host. It also verifies that the information has not been modified in transit. This verification takes the form of a Message Authentication Code (MAC) that is cryptographically generated. Only authentic hosts can generate a correct MAC, and each new MAC is always different even for the same message. The cryptographic tag also provides a MAC on data transactions from tag to host for host verification.
Soft and Hard Kill Options
The big consumer concern with adoption of RFID technology is privacy related: tags continue to emit information even after the transaction at the store or hospital is complete. Consumers fear that people with appropriate readers can continue to query the tag to obtain private information. To alleviate this concern, cryptographic RFID tags offer two methods to disable the tag. The soft method utilizes software-driven commands that a cash register can issue automatically at the store before the merchandise leaves. The command exhausts hardware access limit counters contained within the device hardware such that the information under protection is permanently disabled from any access. Having multiple sectors with configurable access rights makes it even better, so that only sensitive data is disabled while information for post-sale transactions like warranties and returns is preserved. The hard kill feature entails tamper-proof packaging techniques that physically sever the tag to completely disable it. No additional transactions are possible after this measure.
Dual Authentication Supports Cash-equivalent Cards
Uniquely, cryptographic RFID tags allow two completely independent users to access the same section of the memory, using completely separate authentication keys with different access levels for adding and deducting cash. As an example, in energy meter applications, which happen to be very popular in developing countries using pre-pay models, the energy company will use a higher-privilege access key to add energy credits to the card from its offices. The energy meter at the purchaser's home is then equipped with a lower-privilege key that only allows reduction of energy credits and never vice versa.
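As an added illustration (not Atmel's implementation), the Python model below combines the dual-key credit sector described above with the message authentication codes from the message integrity section: each command carries a MAC bound to a fresh tag nonce, and the key slot that produced it decides which operations are allowed. HMAC-SHA256 truncated to 64 bits is a stand-in for the tag's engine, and the slot names, command format and permission sets are assumptions.

```python
import hashlib
import hmac
import secrets

ADD, DEDUCT = "add", "deduct"


def mac(key, nonce, op, amount):
    """MAC over nonce + command, so the same command never yields the same MAC twice."""
    msg = nonce + op.encode() + amount.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class CreditSector:
    """Hypothetical model of one memory section shared by two key holders."""

    def __init__(self, utility_key, meter_key):
        # key slot -> (key, operations that slot may perform); permissions are assumed
        self._slots = {
            "utility": (utility_key, {ADD, DEDUCT}),
            "meter": (meter_key, {DEDUCT}),
        }
        self.credits = 0
        self._nonce = None

    def challenge(self):
        self._nonce = secrets.token_bytes(8)
        return self._nonce

    def command(self, slot, op, amount, host_mac):
        nonce, self._nonce = self._nonce, None  # each challenge is single use
        if nonce is None or slot not in self._slots:
            return "rejected: no challenge"
        if op not in (ADD, DEDUCT) or not 0 < amount < 2**32:
            return "rejected: malformed"
        key, allowed = self._slots[slot]
        if not hmac.compare_digest(host_mac, mac(key, nonce, op, amount)):
            return "rejected: bad MAC"
        if op not in allowed:
            return "rejected: not permitted"
        if op == DEDUCT and amount > self.credits:
            return "rejected: insufficient credits"
        self.credits += amount if op == ADD else -amount
        return "ok"


def demo():
    utility_key, meter_key = secrets.token_bytes(8), secrets.token_bytes(8)
    card = CreditSector(utility_key, meter_key)
    results = []
    n = card.challenge()  # energy company tops up the card
    results.append(card.command("utility", ADD, 50, mac(utility_key, n, ADD, 50)))
    n = card.challenge()  # home meter consumes credits
    seen = mac(meter_key, n, DEDUCT, 5)
    results.append(card.command("meter", DEDUCT, 5, seen))
    card.challenge()      # the previously seen MAC does not fit the new nonce
    results.append(card.command("meter", DEDUCT, 5, seen))
    n = card.challenge()  # meter key with a valid MAC still cannot add credits
    results.append(card.command("meter", ADD, 500, mac(meter_key, n, ADD, 500)))
    return results, card.credits
```
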
Multitude of Data Protection Options
Be it cash credits or private health records, cryptographic RFID tags provide many protection options customizable by the application developer at deployment time. These include one-time-program (OTP) modes, read-only modes and program-only modes. All these features are usable in conjunction with mutual authentication, encryption, and MAC. To top it all, the tags are implemented in hardened silicon using secure product strategies that include content scrambling, tamper monitors for environmental factors, and detection capabilities for physical and systematic security attacks.
Plug and Play Integration
With all the security captured in hardware logic, there are no requirements for specialized operating systems for cryptographic RFID tags. In addition, the tags offer a simplified interface comparable with standard memory interfaces with extensions for security operations. For this reason, application developers do not need security expertise to benefit from it. Passive RFID tag form-factor signifies no special connectivity requirements.
Innovative incorporation of cryptography into cryptographic RFID tags enables these tags to deliver much needed security and privacy in RFID applications. Using security algorithms that are comprehensive in coverage, and implementing them in pure hardware-logic allow these tags to overcome current challenges the industry faces in applying cryptography into the RFID space. Hardware-logic implementation permits further enhancement of the logic to support specific privacy concerns. Their simplicity, flexibility, and versatility allow them to embed into virtually any product.
About the Author
Eustace Asanghanwa is the Applications Engineering Manager for cryptographic and RF memories in Atmel's Advanced Products Group. He has over 11 years experience working in the semiconductor industry during which he has held positions as process engineer manufacturing ICs and design engineer designing microprocessor-based ASICs. His design portfolio includes a rich mix of security ICs, GPS, medical and other custom products. He holds a BSEE and MBA from the University of Colorado.