Conformation of EPC Class 1 Generation 2 standards RFID system with mutual authentication and privacy protection

Abstract

Radio frequency identification (RFID) technology has recently aroused great interest due to its convenience and economic efficiency. Through RFID become popular worldwide, it is susceptible to various attacks and security problems. Since RFID systems use wireless transmission, user privacy may be compromised by malicious people intercepting the information contained in the RFID tags. Many of the methods previously proposed to prevent such attacks do not adequately protect privacy or reduce database loading. In this paper, we propose a new authentication and encryption method that conforms to the EPC Class 1 Generation 2 standards to ensure RFID security between tags and readers. Our scheme not only reduces database loading, but also ensures user privacy. Finally, we survey our scheme from several security viewpoints, and prove its feasibility for use in several applications.

Introduction

Radio frequency identification (RFID) systems use a small device (RFID tag) to receive and send remote commands. RFID systems contain tags, readers, hosts and antennae (Garfinkel et al., 2005). There is a small low-cost tag in each RFID object that provides every product a unique identity—the Electronic Product Code (EPC). Once an RFID reader sends a request signal, the RFID tag responds to the reader's reading and writing request.

Previously, bar-code systems were widely utilized; however these have been largely replaced by RFID systems. RFID systems have many advantages over bar-code systems and can identify objects along several lines of sight simultaneously; by comparison bar-code systems only identify objects at a close proximity. Moreover, each RFID tag can be assigned a unique identification, whereas bar-code systems do not allow for this. Thus, RFID systems perform well in stocks and sales management and are convenient.

By reducing the cost of RFID tags, they can be implemented in a wide field of applications such as: entrance control, pet identification, highway toll collection, industrial control, property management, and home automation (Angeles, 2005; Karkkainen, 2003; Srivastava, 2004; Wang et al., 2006). As there is no standard operating mechanism, each company has developed its own, consistency in RFID systems is not desirable.

There exists a potential security risk in RFID systems. This risk would become apparent if, for example RFID systems were applied to medicinal management systems. After a patient receives medicine, an RFID tag would be applied to the medicine's packing. If an attacker with a reader scans the tag, he/she would know the identity of the medicine the patient is taking, and even that of the patient's disease. Taipei Medical University Hospital used RFID system trace and monitor patient during SARS period. If the message has no encryption, attacker can get privacy information easily (Wang et al., 2006). Likewise, an attacker could identify the book buying habits of someone who buys books with RFID tags.

It is clear that, the radio read/write characteristic of RFID system can threaten user privacy. Once the attacker gets tag's EPC, he/she can query Object Naming Service (ONS) from EPCglobal network (EPC, 2008) to get product details, and it will threaten personal privacy. In spite this, RFID systems bring great advantages; but they cannot protect personal privacy, they will not be accepted by the general public. Therefore, how to protect the object's EPC become an important issue. Thus, RFID systems must utilize mutual authentication. Furthermore, previous RFID systems lack specific operational standards. The privacy protection schemes most often proposed by scholars are hash function, symmetric encryption and asymmetric encryption. Due to the logic gates of the current tags are about 500–5000, they are limited by computing resources and cost. However, these methods are not practical for use limited resource tags. If there are not the common standards, the circulation of the product will be obstructed, and have not the common interface standards. This cost will increase. Therefore, EPCglobal (EPC, 2008) has drawn up the EPC Class 1 Generation 2 (C1G2) standard for tag operational ability; this provides an industrial standard for RFID system design in the future. On the basis of the Authentication Processing Framework (Ayoade, 2006), we therefore design a secure RFID access control system which conforms to the EPC C1G2 standard. Tags can identify legal readers, and readers are able to identify registered tags. Legal tags and readers can communicate with each other only so long as they have registered and constructed a secure platform. This methodology protects user privacy sufficiently.