Strengthening EPC tags against cloning
Source: Workshop on Wireless Security
Proceedings of the 4th ACM workshop on Wireless security
Cologne, Germany
SESSION: Security analysis
Pages: 67-76
Year of Publication: 2005
ISBN:1-59593-142-2
Author
Ari Juels  RSA Laboratories, Bedford, MA
Sponsors
ACM: Association for Computing Machinery
SIGMOBILE: ACM Special Interest Group on Mobility of Systems, Users, Data and Computing
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 13,   Downloads (12 Months): 156,   Citation Count: 6
DOI: http://doi.acm.org/10.1145/1080793.1080805

ABSTRACT

The EPC (Electronic Product Code) tag is a form of RFID (Radio-Frequency IDentification) device that is emerging as a successor to the printed barcode. Like barcodes, EPC tags emit static codes that serve to identify and track shipping containers and individual objects. EPC tags, though, have a powerful benefit: they communicate in an automated, wireless manner.

Some commercial segments, like the pharmaceutical industry, are coming to view EPC tags as a tool to combat counterfeiting. EPC tags are a potent mechanism for object identification, and can facilitate the compilation of detailed object histories and pedigrees. They are poor authenticators, though. EPC tags are vulnerable to elementary cloning and counterfeiting attacks.

In this paper, we present simple techniques to strengthen the resistance of EPC tags against elementary cloning attacks. Our proposals are compliant with the EPCglobal Class-1 Generation-2 UHF standard for EPC tags, which is likely to predominate in supply chains. Such EPC tags contain PIN-based access-control and privacy enhancement mechanisms that are meant to enable tag authentication of readers during the transmission of sensitive commands (like the "kill" command). We show how to leverage such PINs to achieve the opposite goal, namely reader authentication of tags. We describe what may be viewed as crude challenge-response authentication protocols. These protocols do not defend against a full range of attacks, but still have significant practical application. Our techniques can strengthen EPC tags against cloning even in environments with untrusted reading devices.

