
Tag Layer

Explore the classification of RFID tags, the communication protocol between readers and tags, and the memory architecture of RFID tags.



Presentation Transcript


  1. Tag Layer CSCE 4013 RFID INFOSEC Instructor: Dr. Jia Di JBHT 523 5-5728, jdi@uark.edu

  2. Outline • RFID Tag Overview • Tag Architecture • Memory • Tag Protocol • Managing Tag Populations • Threats and Mitigation

  3. RFID Tag Overview

  4. Classification of RFID Tags • Class-1: Identity Tags (Normative) • Higher-Class Tags (Informative) • Class-2: Higher-Functionality Tags • Class-3: Semi-Passive Tags • Class-4: Active Tags • Higher-class tags shall not conflict with the operation of, nor degrade the performance of, Class-1 tags located in the same RF environment.

  5. Class-1: Identity Tags An electronic product code (EPC) identifier A tag identifier A ‘kill’ function that permanently disable the tag Optional password-protected access control Optional user memory Class-2: Higher-Functionality Tags An extended Tag ID Extended user memory Authenticated access control Optional other features Classification of RFID Tags (Cont’) • Class-3: Semi-Passive Tags • An integral power source • Integrated sensing circuitry • Class-4: Active Tags • Tag-to-tag communications • Active communications • Ad-hoc networking capabilities *Note that each higher-class tag has its extended features above and beyond its immediate predecessor *We focus on Class-1, UHF RFID Tags

  6. Review of Reader-Tag Communication • A reader transmits information to a tag by modulating an RF signal in the 860 MHz – 960 MHz frequency range. • The tag receives both information and operating energy from this RF signal. • A reader receives information from a tag by transmitting a continuous-wave RF signal to the tag. • The tag responds by modulating the reflection coefficient of its antenna, thereby backscattering an information signal to the reader. • Communication is half-duplex, meaning that readers talk and tags listen, or vice versa.

  7. Tag Architecture

  8. Reader-Tag Communication Protocol Overview • Physical Layer • Tag-identification layer • Select • Inventory • Access

  9. Circuit Block Diagram

  10. Antenna • K. V. S. Rao, P. V. Nikitin, S. F. Lam, “Antenna design for UHF RFID tags: a review and a practical application,” IEEE Transactions on Antennas and Propagation, Vol. 53, Issue 12, Dec. 2005

  11. Power Generation and Management Circuit • Rectifier • Charge Pump • Voltage Regulator • Reset Circuit

  12. Rectifier • Convert alternating current to rectified direct current • Half-wave rectification • Full-wave rectification

  13. Charge Pump • Use capacitors as energy storage elements to create either a higher or lower voltage power source • Multi-stage operation • It can double, triple, halve, invert, fractionally multiply or scale voltages

  14. Voltage Regulator • Maintain a constant voltage level • Low Dropout (LDO) regulator – a DC linear voltage regulator which has a very small input-output differential voltage

  15. Reset Circuit • Generate reset signal for the whole chip • Power-on reset

  16. Demodulator • Envelope detector • Comparator • Ring oscillator • Bias generator

  17. Envelope Detector • Take a high-frequency signal as input, and provide an output which is the “envelope” of the original signal

  18. Comparator

  19. Ring Oscillator • A chain containing an odd number of inverters, with the output of the last inverter fed back to the input of the first inverter

  20. Modulator • Phase modulator – represent information as variations in the instantaneous phase of a carrier wave
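Slides 16 to 19 name the blocks of the demodulator but show no waveform. What follows is an added software model of that chain (example code, not from the original slides): an on-off keyed carrier as the reader would send it, a half-wave rectifier feeding a first-order RC low-pass as the envelope detector, and a fixed-reference comparator. The sample rate, symbol length, RC constant and threshold are constructed values for the simulation, not Gen2 parameters, and the reader-to-tag symbol encoding (PIE) is not modelled.

```python
import math

SAMPLES_PER_CYCLE = 20     # samples per carrier cycle (constructed, not a Gen2 parameter)
CYCLES_PER_SYMBOL = 40     # carrier cycles per data symbol (constructed)
SYMBOL_SAMPLES = SAMPLES_PER_CYCLE * CYCLES_PER_SYMBOL


def ask_waveform(bits, depth=1.0):
    """Reader side: amplitude-shift-keyed carrier; depth=1.0 is full on-off keying."""
    samples = []
    for bit in bits:
        amplitude = 1.0 if bit else 1.0 - depth
        for i in range(SYMBOL_SAMPLES):
            samples.append(amplitude * math.sin(2 * math.pi * i / SAMPLES_PER_CYCLE))
    return samples


def envelope_detector(samples, alpha=0.02):
    """Half-wave rectifier followed by a first-order RC low-pass.

    alpha is the per-sample step of the RC (time constant 1/alpha samples).
    The output settles to the mean of the rectified carrier, about amplitude/pi,
    with a small ripple at the carrier frequency.
    """
    envelope, y = [], 0.0
    for s in samples:
        rectified = max(s, 0.0)
        y += alpha * (rectified - y)
        envelope.append(y)
    return envelope


def comparator(envelope, threshold):
    """Slice the envelope against a fixed reference: one logic level per sample."""
    return [1 if v > threshold else 0 for v in envelope]


def demodulate(samples, threshold=0.15):
    """Recover the bit stream by sampling the sliced envelope mid-symbol, after the RC settled."""
    levels = comparator(envelope_detector(samples), threshold)
    return [levels[i * SYMBOL_SAMPLES + SYMBOL_SAMPLES // 2]
            for i in range(len(levels) // SYMBOL_SAMPLES)]


if __name__ == "__main__":
    pattern = [1, 0, 1, 1, 0, 0, 1, 0, 1]
    print(demodulate(ask_waveform(pattern)))
    print(demodulate(ask_waveform(pattern, depth=0.9)))   # 90% modulation depth still slices cleanly
```

Lowering the modulation depth shrinks the gap between the two envelope levels; the comparator threshold has to sit between them, which is why a real tag derives its reference from the envelope itself rather than from a fixed constant.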

  21. Memory

  22. Memory Banks • Four distinct banks, each with its own address space • Reserved Memory – contains the kill and/or access passwords • EPC Memory – contains a CRC-16, Protocol-Control (PC) bits, and an identification code (the EPC) • TID Memory – contains an ISO/IEC allocation class identifier and sufficient information to identify the custom commands and optional features the tag supports • User Memory – user-specific data storage

  23. Logical Memory Map

  24. Memory Access • Memory is addressed in 16-bit words • Commands have a MemBank parameter to select which bank to access (00 – Reserved, 01 – EPC, 10 – TID, 11 – User), and a word-address parameter to select a particular memory location within the bank • Operations in one logical memory bank shall not access memory locations in another bank • Readers may lock, permanently lock, unlock, or permanently unlock memory
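As an added example (not code from the slides), a model of the four banks in software: word addressing with a bounds check so no read or write crosses into another bank, the EPC bank laid out as CRC-16, PC, EPC, and the four lock states together with the tag state each allows a write from. The CRC parameters are the ones the Gen2 air interface specifies for StoredCRC (polynomial x^16+x^12+x^5+1, preset FFFFh, ones' complement of the register appended, residue 1D0Fh when the block is intact); the TID words and the EPC value are constructed placeholders, and the Reserved-bank rule that permalocked passwords also become unreadable is not modelled.

```python
from enum import Enum

RESERVED, EPC, TID, USER = 0b00, 0b01, 0b10, 0b11   # MemBank parameter values


def crc_register(data: bytes) -> int:
    """Shift-register contents after clocking data through x^16+x^12+x^5+1, preset FFFFh."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def crc16_gen2(data: bytes) -> int:
    """StoredCRC as the air interface defines it: ones' complement of the register."""
    return crc_register(data) ^ 0xFFFF


class Lock(Enum):
    UNLOCKED = "writeable from Open or Secured"
    LOCKED = "writeable from Secured only"
    PERMAUNLOCKED = "permanently writeable"
    PERMALOCKED = "permanently not writeable"


def to_words(data: bytes):
    return [int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2)]


class TagMemory:
    """Four banks, each its own 16-bit-word address space; no access crosses a bank."""

    def __init__(self, epc: bytes, kill_pwd=0, access_pwd=0, user_words=32):
        if len(epc) % 2:
            raise ValueError("EPC must be a whole number of 16-bit words")
        pc = (len(epc) // 2) << 11          # PC bits 15..11: EPC length in words
        self.banks = {
            RESERVED: to_words(kill_pwd.to_bytes(4, "big") + access_pwd.to_bytes(4, "big")),
            EPC: [crc16_gen2(pc.to_bytes(2, "big") + epc), pc] + to_words(epc),
            TID: [0xE200, 0x0000],          # constructed placeholder: E2h allocation class identifier
            USER: [0] * user_words,
        }
        self.locks = {bank: Lock.UNLOCKED for bank in self.banks}

    def read(self, bank, word_ptr, word_count):
        words = self.banks[bank]
        if word_ptr + word_count > len(words):
            raise IndexError("read runs past the end of the bank")
        return words[word_ptr:word_ptr + word_count]

    def write(self, bank, word_ptr, value, tag_state):
        """Write executes only in Open or Secured; the lock state decides which of the two."""
        if tag_state not in ("open", "secured"):
            raise PermissionError("Write needs the Open or Secured state")
        lock = self.locks[bank]
        if lock is Lock.PERMALOCKED or (lock is Lock.LOCKED and tag_state != "secured"):
            raise PermissionError(f"{lock.value}: rejected from state {tag_state}")
        if word_ptr >= len(self.banks[bank]):
            raise IndexError("address outside the bank")
        self.banks[bank][word_ptr] = value & 0xFFFF

    def lock(self, bank, action: Lock, tag_state):
        """Lock executes only in Secured; the permanent states cannot be changed again."""
        if tag_state != "secured":
            raise PermissionError("Lock needs the Secured state")
        if self.locks[bank] in (Lock.PERMALOCKED, Lock.PERMAUNLOCKED):
            raise PermissionError("permanent lock state cannot be changed")
        self.locks[bank] = action

    def epc_bank_ok(self) -> bool:
        """Receiver-side check: clocking PC, EPC and then the stored CRC must leave residue 1D0Fh."""
        words = self.banks[EPC]
        data = b"".join(w.to_bytes(2, "big") for w in words[1:] + words[:1])
        return crc_register(data) == 0x1D0F


if __name__ == "__main__":
    mem = TagMemory(bytes.fromhex("300833B2DDD9014000000000"), access_pwd=0x12345678)
    print([f"{w:04X}" for w in mem.read(EPC, 0, 8)], mem.epc_bank_ok())
```

The residue check is what a reader applies to a backscattered PC+EPC+CRC-16 before trusting it; it detects channel errors only, not a deliberately rewritten EPC, because anyone who can write the EPC bank can compute the matching CRC.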

  25. Tag Protocol

  26. Basic Operations • Select – choose a tag population for inventory and access • Inventory – identify tags • Access – communicate with (reading from and/or writing to) a tag

  27. Sessions and Inventory Flags • Four sessions (S0, S1, S2, S3) • A tag participates in one and only one session during an inventory round • Two or more readers can use sessions to independently inventory a common tag population • Tags maintain an independent Inventoried flag for each session – two values (A/B) • At the beginning of each and every inventory round a reader chooses to inventory either A or B tags in one of the four sessions • Tags participating in an inventory round in one session shall neither use nor modify the Inventoried flag for a different session • All other tag resources are shared among sessions; only the Inventoried flags are per session • After singulating a tag a reader may issue a command that causes the tag to invert its Inventoried flag for that session

  28. Session Diagram

  29. Tag Inventoried Flags Power-On Status • Persistence time – how long a flag keeps its value once the tag loses power • S0 Inventoried flag – set to A (no persistence without power) • S1 Inventoried flag – A or B, depending on its value before power was lost and the nominal 500 ms to 5 s persistence time • S2 and S3 Inventoried flags – A or B, persisting longer than 2 s without power • Question – since the power-on status of some flags is unknown to the reader, how can a reader inventory all tags in the field? • Selected flag – SL (persists like S2 and S3)

  30. FSM • At a glance

  31. Ready State • A “holding state” for energized tags that are neither killed nor currently participating in an inventory round • After power-on, a tag remains in the Ready state until it receives a Query command whose inventoried and sel parameters match its current flag values • It then draws a Q-bit number from the RNG, loads it into the slot counter, and transitions to the Arbitrate state if the number is nonzero, or to the Reply state if the number is zero

  32. Arbitrate State • A “holding state” for tags that are participating in the current inventory round but whose slot counters hold nonzero values • Decrement its slot counter every time it receives a QueryRep command whose session parameter matches the session for the inventory round currently in progress • Transition to the Reply state when its slot counter reaches 0000h • If tag returns to Arbitrate state with slot counter as 0000, upon next QueryRep the tag decrements it to 7FFFh, and remains in Arbitrate state

  33. Reply State • Tag backscatters an RN16 • If tag receives a valid ACK it transitions to the Acknowledged state; otherwise returns to the Arbitrate state

  34. Acknowledged State • May transition to any state except Killed state depending on the command • Upon receiving a valid ACK containing the correct RN16, the tag re-backscatters its PC, EPC, and CRC-16; otherwise returns to Arbitrate state

  35. Open State • A tag in the Acknowledged state whose access password is nonzero shall transition to the Open state upon receiving a Req_RN command, backscattering a new RN16 (handle) • Executes all access commands except Lock • May transition to any state except the Acknowledged state • Upon receiving a valid ACK containing the correct handle, the tag re-backscatters its PC, EPC, and CRC-16

  36. Secured State • A tag in the Acknowledged state whose access password is zero shall transition to the Secured state upon receiving a Req_RN command, backscattering a new RN16 (handle) • A tag in the Open state whose access password is nonzero shall transition to the Secured state upon receiving a valid Access command sequence • Executes all access commands • May transition to any state except Open or Acknowledged • Upon receiving a valid ACK containing the correct handle, the tag re-backscatters its PC, EPC, and CRC-16

  37. Killed State • A tag in either the Open or Secured state shall enter the Killed state upon receiving a Kill command sequence with a valid nonzero kill password and valid handle • Kill permanently disables a tag • Upon entering the Killed state a tag shall notify the reader that the kill operation was successful, and shall not respond to a reader thereafter • Killed tags shall remain in the Killed state under all circumstances and shall immediately enter the Killed state upon subsequent power-ups • A kill operation is not reversible

  38. Random Number Generator and Slot Counter • RNG – random or pseudo-random number generator that generates a 16-bit random number, RN16 • Slot Counter – a 15-bit counter, preloaded with a value between 0 and 2^Q - 1 (Q ranges from 0 to 15) upon receiving a Query or QueryAdjust command

  39. Managing Tag Populations

  40. Reader/Tag Operation

  41. Selecting Tag Populations • Single command – Select • Assert/deassert a tag’s SL flag, or set a tag’s Inventoried flag to either A or B in any one of the four sessions • Parameters – Target, Action, MemBank, Pointer, Length, Mask, and Truncate • By issuing multiple identical Select commands a reader can asymptotically single out all tags matching the selection criteria even though tags may undergo short-term RF fades

  42. Inventorying Tag Populations • Several commands – Query, QueryAdjust, QueryRep, ACK, and NAK • Query sets a slot-count parameter Q. Tags pick a random value in the range [0, 2^Q - 1] and load it into their slot counter. • Tags that pick zero transition to the reply state and reply immediately; the others transition to the arbitrate state and await a QueryAdjust or QueryRep command.

  43. Inventorying Tag Populations (Cont’) • Assuming that a single tag replies • The tag backscatters an RN16 as it enters reply • The reader acknowledges the tag with an ACK containing this same RN16 • The acknowledged tag transitions to the acknowledged state, backscattering its PC, EPC, and CRC-16 • The reader issues a QueryAdjust or QueryRep, causing the identified tag to invert its inventoried flag and transition to ready, and potentially causing another tag to initiate a query-response dialog with the reader • If the tag fails to receive a correct ACK, it returns to arbitrate

  44. Inventorying Tag Populations (Cont’) • If multiple tags reply, the reader may still be able to resolve the RN16 of one of them by detecting and resolving the collision at the waveform level; it can then ACK that tag • Unresolved tags receive an erroneous RN16 and return to arbitrate without backscattering their PC, EPC, and CRC-16
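The state machine of slides 31 to 34, the slot counter of slide 38 and the Query/QueryRep/QueryAdjust/ACK exchange of slides 42 to 44, run together as an added simulation (example code, not from the slides). Each tag keeps an A/B Inventoried flag per session, a 15-bit slot counter with the 0000h to 7FFFh wrap, and the Ready/Arbitrate/Reply/Acknowledged states; the reader resolves collisions by issuing QueryAdjust with Q+1 and ends a round after a full slot cycle with no reply. The tag population, EPCs and RNG seed are constructed. Not modelled: the Select command and SL flag, flag persistence across power loss, the CRC-16 in the ACK reply, and waveform-level collision resolution (a collided slot simply goes unacknowledged).

```python
import random

READY, ARBITRATE, REPLY, ACKNOWLEDGED = "ready", "arbitrate", "reply", "acknowledged"


class Tag:
    """One Class-1 Gen2 tag: an A/B flag per session, a 15-bit slot counter, an RN16."""

    def __init__(self, epc_hex, rng=None, killed=False):
        self.epc, self.rng, self.killed = epc_hex, rng or random.Random(), killed
        self.inv = {s: "A" for s in range(4)}   # assumed: every flag reads A at power-up
        self.state, self.slot, self.rn16, self.session = READY, 0, None, None

    def _reply(self):
        self.state, self.rn16 = REPLY, self.rng.getrandbits(16)
        return self.rn16                          # backscattered RN16 (slide 33)

    def _draw(self, q):
        """Load the slot counter from [0, 2^Q - 1]; zero means reply at once (slides 31, 38)."""
        self.slot = self.rng.randrange(1 << q)
        if self.slot:
            self.state = ARBITRATE
            return None
        return self._reply()

    def _leave_round(self):
        """An acknowledged tag inverts its flag for the session and returns to Ready (slide 43)."""
        if self.state == ACKNOWLEDGED:
            self.inv[self.session] = "B" if self.inv[self.session] == "A" else "A"
            self.state = READY

    def query(self, session, target, q):
        if self.killed:
            return None
        self._leave_round()
        self.session = session
        if self.inv[session] != target:           # flag does not match: stay in Ready
            self.state = READY
            return None
        return self._draw(q)

    def query_adjust(self, session, q):
        if self.killed or session != self.session:
            return None
        self._leave_round()
        return self._draw(q) if self.state in (ARBITRATE, REPLY) else None

    def query_rep(self, session):
        if self.killed or session != self.session:
            return None
        self._leave_round()
        if self.state == REPLY:                   # replied but never got a valid ACK
            self.state = ARBITRATE
        elif self.state == ARBITRATE:
            self.slot = (self.slot - 1) & 0x7FFF  # 0000h decrements to 7FFFh (slide 32)
            if self.slot == 0:
                return self._reply()
        return None

    def ack(self, rn16):
        """Only a tag in Reply answers, and only to its own RN16 (slide 34)."""
        if self.state != REPLY:
            return None
        if rn16 != self.rn16:
            self.state = ARBITRATE
            return None
        self.state = ACKNOWLEDGED
        pc = (len(self.epc) // 4) << 11           # PC word: EPC length in 16-bit words
        return pc, self.epc                       # CRC-16 omitted in this model


class Reader:
    def __init__(self, tags):
        self.tags = tags

    def _send(self, command):
        """Deliver a command to every tag in the field; collect the RN16s that come back."""
        return [(t, rn) for t in self.tags for rn in [command(t)] if rn is not None]

    def inventory(self, session=0, target="A", q=2, max_commands=200000):
        """One inventory round; returns the EPCs singulated, in the order they were read."""
        found, empty_slots, sent = [], 0, 1
        replies = self._send(lambda t: t.query(session, target, q))
        while sent < max_commands:
            if len(replies) == 1:                 # exactly one RN16: ACK it, read PC and EPC
                rn16 = replies[0][1]
                for t in self.tags:
                    answer = t.ack(rn16)
                    if answer is not None:
                        found.append(answer[1])
                empty_slots = 0
            elif replies:                         # collision: widen the slot range, redraw
                q = min(q + 1, 15)
                replies = self._send(lambda t: t.query_adjust(session, q))
                sent += 1
                continue
            else:
                empty_slots += 1
                if empty_slots > (1 << q):        # a whole slot cycle with no reply: round over
                    break
            replies = self._send(lambda t: t.query_rep(session))
            sent += 1
        return found


def demo(seed=2024):
    """Constructed population: six live tags and one killed tag that never answers."""
    rng = random.Random(seed)
    tags = [Tag(f"3008{i:020X}", rng) for i in range(6)] + [Tag("DEAD" * 6, rng, killed=True)]
    reader = Reader(tags)
    rounds = [reader.inventory(0, "A", q=1),    # all six; their S0 flags flip to B
              reader.inventory(0, "A", q=1),    # nothing left reading A in S0
              reader.inventory(1, "A", q=2),    # S1 flags untouched: all six again
              reader.inventory(0, "B", q=2)]    # S0 flags flip back to A
    return tags, rounds
```

Run `demo()` and compare the four rounds: the second is empty because the first round flipped every S0 flag, the third succeeds because session S1 has its own flags, and the killed tag never appears. Starting with Q=1 for six tags forces collisions, so the QueryAdjust path is exercised on every run.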

  45. Accessing Individual Tags • Several commands – Req_RN, Read, Write, Kill, Lock, Access, BlockWrite, BlockErase • A reader accesses a tag in the acknowledged state • The reader issues a Req_RN to the tag • The tag generates and stores a new RN16 (handle), backscatters the handle, and transitions to Open if its access password is nonzero, or to Secured if it is zero • The reader may now issue further access commands

  46. Accessing Individual Tags (Cont’) • The handle is the parameter that ties every access command to the singulated tag • Write, Kill, and Access send a 16-bit word to the tag using one-time-pad based link cover-coding to obscure the word being transmitted • The reader issues Req_RN; the tag responds by backscattering a new RN16. The reader then generates a 16-bit ciphertext string as the bit-wise XOR of the 16-bit word to be transmitted with the new RN16, and issues the command with this ciphertext string as parameter • The tag decrypts the received ciphertext string by performing a bit-wise XOR of it with the original RN16 • Each RN16 covers exactly one word, so Kill and Access are multi-step procedures: their 32-bit passwords are sent as two cover-coded 16-bit halves, each preceded by its own Req_RN • Memory lock
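The cover-coding exchange of slide 46, as an added example (not the slides' code): Req_RN, XOR with the fresh RN16, the two-half Access sequence, and what an eavesdropper at each position captures. The tag, the password, the RN16 source and the eavesdropper taps are constructed; the tag starts in Open, i.e. its access password is nonzero. The caveat a practitioner should take from the last function: the pad is the RN16 the tag just backscattered, so anyone who can hear the tag-to-reader link as well as the reader's forward link recovers the password by XORing the two. The scheme only protects against an eavesdropper far enough away to hear the reader but not the tag.

```python
import random


class CoverCodedTag:
    """Tag side of Access: Req_RN hands out a fresh RN16, the next Access command
    carries one password half XORed with it."""

    def __init__(self, access_pwd: int, rng=None):
        self.access_pwd = access_pwd & 0xFFFFFFFF
        self.rng = rng or random.Random()
        self.handle = self.rng.getrandbits(16)  # handle backscattered by the first Req_RN
        self.state = "open"                     # nonzero access password: Open until Access succeeds
        self.pending_rn16 = None
        self.received_halves = []

    def req_rn(self, handle):
        if handle != self.handle:
            return None                         # wrong handle: the tag ignores the command
        self.pending_rn16 = self.rng.getrandbits(16)
        return self.pending_rn16

    def access(self, ciphertext, handle):
        """Decode one 16-bit half: XOR with the RN16 just issued (the one-time pad)."""
        if handle != self.handle or self.pending_rn16 is None:
            return False
        word = (ciphertext ^ self.pending_rn16) & 0xFFFF
        self.pending_rn16 = None                # each RN16 covers exactly one word
        self.received_halves.append(word)
        if len(self.received_halves) == 2:
            sent = (self.received_halves[0] << 16) | self.received_halves[1]
            self.received_halves = []
            self.state = "secured" if sent == self.access_pwd else "open"
        return True


def reader_access(tag, handle, password, taps):
    """Reader side: Req_RN then Access for the upper half, then again for the lower half.
    taps records what an eavesdropper on each link would capture."""
    for half in ((password >> 16) & 0xFFFF, password & 0xFFFF):
        rn16 = tag.req_rn(handle)
        if rn16 is None:
            return tag.state                    # no RN16 came back: nothing to cover-code with
        taps["tag_link"].append(rn16)           # backscatter: weak, audible only near the tag
        ciphertext = half ^ rn16
        taps["reader_link"].append(ciphertext)  # forward link: strong, audible far away
        tag.access(ciphertext, handle)
    return tag.state


def recover_from_taps(taps):
    """An eavesdropper holding both links undoes the pad: ciphertext XOR RN16 = password half."""
    halves = [c ^ r for c, r in zip(taps["reader_link"], taps["tag_link"])]
    return (halves[0] << 16) | halves[1]


if __name__ == "__main__":
    tag = CoverCodedTag(0xDEADBEEF, random.Random(11))
    taps = {"tag_link": [], "reader_link": []}
    print(reader_access(tag, tag.handle, 0xDEADBEEF, taps))
    print(f"{recover_from_taps(taps):08X}")
```

Kill uses the same two-half procedure with the kill password; the same tap on the backscatter link recovers it.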

  47. Tag Layer Threats and Mitigation Methods Some Slides Borrowed from Kris Tiri, Hwasun Chang, Yossef Oren, and Pankaj Rohatgi

  48. Limitations of Class I Gen 2 RFID Tags • Cost • Power • Wireless communication nature

  49. Attacks for Impersonation • Tag Cloning / Counterfeiting • Tag Spoofing • Relay Attack • Replay Attack

  50. Tag Cloning / Counterfeiting • An adversary can easily copy the memory content of an authentic tag to create an identical yet cloned tag • EPC Class I tags have no mechanism for preventing cloning • In many cases, cloned tags are indistinguishable from authentic ones
