Protecting RFID Communications in Supply Chains

1. Protecting RFID Communications in Supply Chains Yingjiu Li & Xuhua Ding School of Information Systems Singapore Management University

2. Background • RFID • Each tag has a globally unique identification number. • RFID tag has very weak computation power. • RFID tag has very limited storage.

3. Supply Chain Management • Supply Chain • A coordinated system of organizations moving a product from supplier to customer. Partner P4 Partner P2 Partner P3 Partner P1

4. Security Requirements • Authoritative Access • For a shipment to partner Pi, only Pi’s reader can access. • Authenticity • Only legitimate RIFD tags can be accepted • Unlinkability • Infeasible to determine whether two responses are from the same tag. • Supply Chain Visibility • Manager’s ability to track and identify the flow.

5. System Model • Consider a supply chain of N partners • P1, P2,…PN • Each has a pair of public/private keys. • Material flow: P1 P2  P3…  PN • No assumption on global knowledge of the entire supply chain. • Assumption: • Attackers are unable to access the stored secrets by physically compromising RFID readers or tags. • Attackers are able to eavesdrop the interaction between RFID tags and legitimate readers • Attackers are able to interrogate RFID tags arbitrary times.

6. Tag Initialization Database initialization ID Secret mask Response … c1 C1k2 C2k2 Cnk2 cn The Protocol A high level view : P1 initializes all RFID tags with a secret key from its next Partner. Partner Pi downloads the list of ids from Pi-1, reads all the tags, updates the tags for Pi+1. P1 tags C1 C2 Cn k2: the secret key chosen by P2

7. r t=H(r) ? t RFID Read Protocol (by Partner Pi) Pi ID Secret mask Response t c1 h(rc1ki) c2 h(rc2ki) cx r h(rcxki)   cn =cxki a a database Di ’ RFID tags

8. ID Secret mask Response c1 r1  c2  r2 a=kiki+1 b=H(acki) cx rx h(rcxki)  ? b H(a  ) cn rn  database Di RFID Write Protocol (by Partner Pi) Pi  =cxki =a= cxki+1 RFID tag

9. Read Protocol The readers are NOT authenticated. For a tag prepared for Pi, only Pi and Pi-1’s reader can extract its ID. Only legitimate tags are processed. Write Protocol For a tag prepared for Pi, only commands from Pi and Pi-1 will be accepted. Reveal no information to eavesdroppers. Security

10. a a  Balancing Security and Performance Basic Idea: Batch process with a shared nounce, instead of a fresh nounce per tag. Pi r3 r1 r2 a a a  a 

11. processed by Pi  ’  Unlinkability & Supply Chain Visibility Supply Chain Visibility Unlinkability • The ability to identify all tags and the present partner • by introducing an trusted authority and key escrow Are they the same tag?? A weaker notion than universal unlinkability.

12. Performance • Tag’s storage cost: <128 bits • Tag’s computation cost: 1 hash + 1 XOR for read; 1 hash + 2 XOR for write • Communication cost among Partners: the list of tag identifications, (not the whole database) • Computation cost for a Partner: • only hash, XOR and comparison are needed; • A major portion can be pre-computed; • suitable for batch processes; • Practical, since the bottleneck is the tag-reader communication delay;