Minimalist Cryptography for Low-Cost RFID Tags (Extended Abstract)
A radio-frequency identification (RFID) tag is a small, inexpensive microchip that emits an identifier in response to a query from a nearby reader. The price of these tags promises to drop to the range of $0.05 per unit in the next several years, offering a viable and powerful replacement for barcodes.
The challenge in providing security for low-cost RFID tags is that they are computationally weak devices, unable to perform even basic symmetric-key cryptographic operations. Security researchers therefore often assume that good privacy protection in RFID tags is unattainable. In this paper, we explore a notion of minimalist cryptography suitable for RFID tags. We consider the type of security obtainable in RFID devices with a small amount of rewritable memory, but very limited computing capability. Our aim is to show that standard cryptography is not necessary as a starting point for improving security of very weak RFID devices. Our contribution is twofold:
We propose a new security model for authentication and privacy in RFID tags. This model takes into account the natural computational limitations and the likely attack scenarios for RFID tags in real-world settings. It represents a useful divergence from standard cryptographic security modeling, and thus a new basis for practical formalization of minimal security requirements for low-cost RFID-tag security.
We describe a protocol that provably achieves the properties of authentication and privacy in RFID tags in our proposed model, and in a good practical sense. It involves no computationally intensive cryptographic operations, and relatively little storage.
Keywords: authentication, privacy, pseudonyms, RFID tags