International Journal of Engineering Trends and Technology (IJETT) – Volume 3 Issue 1 No2 – February 2012

Hardware Implementation of Secured Authentication Protocol for RFID System

P. Thamarai, B. Karthik
Bharath University, Department of Electronics and Communication

Abstract

In general, during the authentication of RFID tags, the tag, reader and server communicate over an insecure channel because of "weak" authentication protocols. The Electronic Product Code (EPC) Class-1 Generation-2 (C1G2) specification has some serious security problems: the password either leaks directly over the network, or enough information leaks while performing authentication to allow hackers to deduce or guess the password. To overcome this weak authentication, a specially designed pad generation (PadGen) function is used to improve security. The PadGen function produces a cover-coding pad that masks the tag's access password before data transmission. A mutual authentication protocol based on this XOR scheme is therefore proposed to avoid data leakage and data traceability during transmission. The system model is simulated in ModelSim and synthesized using Xilinx ISE software. The performance of this authentication scheme will be verified in hardware using a Spartan 3E FPGA.

ISSN: 2231-5381 http://www.ijettjournal.org

1. Introduction

1.1 Overview

Radio-frequency identification (RFID) is a contactless identification technology that enables remote and automated gathering and sending of information between RFID tags (transponders) and readers (interrogators) over a wireless link. In recent years, RFID technology has gained rapid acceptance as a means to identify and track a wide array of manufactured objects. It is composed of three main components: tag, reader and a back-end database.
RFID tags come in a range of forms and can vary in storage capacity, memory type, radio frequency and power capability. Most of these tags contain only a unique Electronic Product Code (EPC) number; further information about the product is stored on a network of databases called the EPC Information Services (EPC-IS). Through the wireless interface, each tag can report data when queried over radio by an RFID reader. RFID readers can only recognize tags in proximity; a tag that is out of range cannot be read. This distance limitation severely restricts RFID deployment. Despite equipping readers and tags with longer-range wireless communication capability, RFID readers still have difficulties in tracking or monitoring tags at a distance.

1.1.1 EPC Global Class-1 Generation-2 Standard

RFID standards are major issues in securing high investments in RFID technology on different levels (e.g., interface protocols, data structure, etc.). The EPC global Class-1 Generation-2 (C1G2) ultra-high frequency (UHF) RFID standard defines a specification for passive RFID technology and is an open and global standard. The EPC C1G2 standard specifies the RFID communication protocol within the UHF spectrum (860 to 960 MHz). The standard specifies that a compliant RFID tag should contain a 32-b kill password (Kpwd) to permanently disable the tag and a 32-b access password (Apwd). To cover-code data or a password in EPC Gen 2, the reader performs a bitwise XOR of the data or password with a random number from the tag.

1.1.2 Components of an RFID System

The RFID system consists of various integrated components. This allows the RFID system to detect the objects (tags) and perform various operations on them. The integration of RFID components enables the implementation of an RFID solution. The RFID system consists of the following five components:

Tag (attached to an object, unique identification).
Reader (receiver of tag information, manipulator).
Communication infrastructure (enables the reader/RFID to work through the IT infrastructure).
Application software (user database/application/interface).

1.1.3 Tags

Tags contain microchips that store the unique identification (ID) of each object. The ID is a serial number stored in the RFID memory. The chip is an integrated circuit embedded in a silicon chip. The RFID memory chip can be permanent or changeable depending on its read/write characteristics. Read-only and rewrite circuits differ: a read-only tag contains fixed data that cannot be changed without electronic re-programming, whereas a rewrite tag can be programmed through the reader at any time without any limit. There are three types of tags: passive, semi-active and active. Semi-active tags combine the characteristics of active and passive tags, so mainly two types of tags (active and passive) are used by industry and in most RFID systems.

1.1.4 Antenna

RFID antennas collect data and are used as a medium for tag reading. Each RFID system includes at least one antenna to transmit and receive the RF signals. In some systems, a single antenna transmits and receives the signals; in other systems, one antenna transmits and one antenna receives. The quantity and type of antennas used depend on the application.

1.1.5 RF Transceiver

The RF transceiver is the source of the RF energy used to activate and power the passive RFID tags. The RF transceiver may be enclosed in the same cabinet as the reader or it may be a separate piece of equipment. When provided as a separate piece of equipment, the transceiver is commonly referred to as an RF module. The RF transceiver controls and modulates the radio frequencies that the antenna transmits and receives.
The transceiver filters and amplifies the backscatter signal from a passive RFID tag.

1.1.6 Reader

The RFID reader works as the central point of the RFID system. It reads tag data through the RFID antennas at a certain frequency. Basically, the reader is an electronic apparatus that produces and accepts radio signals. The reader is attached to the antennas and translates the tag's radio signals received through the antenna, depending on the tag's capacity. Readers include built-in anti-collision schemes, and a single reader can operate on multiple frequencies. As a result, these readers are expected to collect data from, or where applicable write data onto, the tag and pass it to computer systems. For this purpose readers can be connected to the computer system through wired options such as RS-232, RS-485 or USB cable (called serial readers). Readers can also use WiFi as a wireless option; these are known as network readers. The RFID reader directs the RF transceiver to transmit RF signals, receives the encoded signal from the tag through the RF transceiver, decodes the tag's identification, and transmits the identification with any other data from the tag to the host computer. The reader may also provide other functions.

1.1.7 RFID Principles

Many types of RFID exist, but at the highest level, we can divide RFID devices into two classes: active and passive. Active tags require a power source: they are either connected to a powered infrastructure or use energy stored in an integrated battery. In the latter case, a tag's lifetime is limited by the stored energy, balanced against the number of read operations the device must undergo. One example of an active tag is the transponder attached to an aircraft that identifies its national origin. However, batteries make the cost, size, and lifetime of active tags impractical for the retail trade.
Passive RFID is of interest because the tags don't require batteries or maintenance. The tags also have an indefinite operational life and are small enough to fit into a practical adhesive label. A passive tag consists of three parts: an antenna, a semiconductor chip attached to the antenna, and some form of encapsulation. The tag reader is responsible for powering and communicating with a tag. The tag antenna captures energy and transfers the tag's ID (the tag's chip coordinates this process). The encapsulation maintains the tag's integrity and protects the antenna and chip from environmental conditions or reagents. The encapsulation could be a small glass vial or a laminar plastic substrate with adhesive on one side to enable easy attachment to goods.

Reading collocated tags: One commercial objective of RFID systems is to read, and charge for, all tagged goods in a standard supermarket shopping cart as it is pushed through an instrumented checkout aisle. Such a system would speed up the checkout process and reduce operational costs. Even if the RF reading environment for an RFID tag is ideal, it's still an engineering challenge to support multiple collocated tags.

2. RFID System

The RFID system uses the tag's 32-bit access password and 32-bit kill password to achieve tag–reader mutual authentication. The scheme uses two rounds of PadGen to compute a cover-coding pad. The first round performs PadGen over the access password, while the second round performs PadGen over the kill password. The PadGen function is used to create the 16-b pads for "cover coding" the access password.

2.1 A Detailed Description of Each Step for the RFID System

1. The reader issues a Req_RN command to the acknowledged tag.
2. The tag then generates two 16-b random numbers, namely, RT1 and RT2, and backscatters them with its EPC to the reader.
The reader forwards these messages to the manufacturer.
3. The manufacturer matches the received EPC to retrieve the tag's access password (Apwd) and kill password (Kpwd) from the back-end database.
4. The manufacturer then generates and stores two 16-b random numbers, namely, RM1 and RM2. The "cover-coded passwords" for the 16 MSBs (CCPwdM1) and the 16 LSBs (CCPwdL1) are computed by the PadGen function.
5. CCPwdM1, CCPwdL1, and EPC, along with four 16-b random numbers generated by the manufacturer, namely, RM1, RM2, RM3, and RM4, are transmitted to the reader, which, in turn, forwards them to the tag for verification.
6. To authenticate the tag, the tag generates another two random numbers, RT3 and RT4, which, along with the received RM3 and RM4, are used to compute CCPwdM2 and CCPwdL2 with the PadGen(RTi, RMi) function for i = 3, 4.
7. CCPwdM2, CCPwdL2, and EPC, along with two 16-b random numbers, namely, RT3 and RT4, are transmitted to the reader, which, in turn, forwards them to the manufacturer for verification.

2.2 Security Threats

There are several threats associated with RFID technology. RFID is vulnerable to clandestine scanning, clandestine tracking, skimming, cloning and eavesdropping.

2.2.1 Threat 1

Malicious RFID Readers: An RFID tag always responds with its EPC number to any querying RFID reader. Therefore a powerful malicious reader can illegally snoop upon the tags (attached to products) inside a container, warehouse, etc., leading to corporate espionage. Such readers can corrupt and modify the tag's data.

2.2.2 Threat 2

RFID Tag Cloning: A malicious reader can easily scan and copy the data (e.g., EPC number) on a genuine tag and embed the same data onto a fake tag. This fake tag can be attached to a counterfeit product. This threat cannot be prevented by tamperproof tags.
Even though a particular tag gives out a genuine EPC number, it must still be authenticated by the reader.

2.2.3 Threat 3

Insider Attack: The current ratified standard on the EPC global Class 1 Gen 2 UHF RFID protocol describes only a one-way reader-to-tag authentication scheme. The manufacturer of the product can embed a unique 32-bit Access Password (APwd) into the tag. Only a reader with the right APwd can communicate with the tag. This scheme is not secure, and it does not provide detail on the secure distribution of the tag's APwd from the manufacturer of the product to the stakeholder's RFID reader. Any disgruntled or compromised employee can easily obtain the APwd by eavesdropping on any one of the communication sessions in the product lifecycle.

2.2.4 Threat 4

Man-in-the-Middle Attack: To accommodate quick scanning of goods in large bulks, EPC global Class 1 Gen 2 UHF RFID tags exhibit outstanding far-field performance. Readers can query and communicate with these tags over a range of ten meters. Therefore, we can anticipate man-in-the-middle attacks from powerful malicious readers. This attack can be mounted to eavesdrop on the communication channel between the tag and the reader and to capture a tag's EPC number and its APwd.

3. XOR Scheme

Today security is imperative in many network-based applications. When dealing with data transfer, it is crucial to determine whether the data being received has been corrupted. In this system, we propose an authentication protocol that mutually authenticates readers and tags. It can resist man-in-the-middle attacks and reduce re-authentication overhead. The main advantage of our proposed scheme is that it does not require the implementation of any special cryptographic hash functions/keys within the tag.
There is also no need for the tag and the reader to synchronize security keys/hash values. We propose to improve the existing one-way reader-to-tag authentication scheme. This scheme utilizes the tag's 32-b access and kill passwords to achieve tag–reader mutual authentication. It uses two rounds of PadGen to compute a cover-coding pad. The first round performs PadGen over the access password, while the second round performs PadGen over the kill password. The PadGen function is used to create the 16-b pads for "cover-coding" the access password. This scheme also makes it much more difficult for an adversary to recover the access password under the correlation attack or to forge successful authentication under the dictionary attack.

3.1 PadGen

The PadGen function is the key function used to produce a cover-coding pad to mask the tag's access password before transmission. The implementation of the PadGen function also requires a random number generator to produce RTx and RMx.

3.1.1 Access Password

An access password is required before data are exchanged between a reader and a single tag. The access password is a 32-b value stored in the tag's reserved memory. If this password is set, then the reader has to have the valid password before the tag will engage in a secured data exchange.

3.1.2 Kill Password

These passwords can be used in activating kill commands to permanently shut down tags, as well as for accessing and relocking a tag's memory.

3.1.3 Multiplexer

In electronics, a multiplexer or mux is a device that selects one of several analog or digital input signals and forwards the selected input onto a single line. A multiplexer of 2^n inputs has n select lines, which are used to select which input line to send to the output.
An electronic multiplexer makes it possible for several signals to share one device or resource. A multiplexer is often used with a complementary demultiplexer on the receiving end. Multiplexers are combinational logic switching devices that operate like a very fast acting multiple-position rotary switch. They connect or control multiple input lines called "channels", consisting of either 2, 4, 8 or 16 individual inputs, one at a time to an output. The job of a multiplexer is thus to allow multiple signals to share a single common output. Multiplexers are used as one method of reducing the number of logic gates required in a circuit or when a single data line is required to carry two or more different digital signals. Generally, multiplexers have an even number of data inputs and a number of "control" inputs that correspond with the number of data inputs; according to the binary condition of these control inputs, the appropriate data input is connected directly to the output.

3.1.4 PadGen Function Based on XOR Operation

Step 1: $R_T \oplus R_M = R_{T \oplus M} = d_{x1} d_{x2} d_{x3} d_{x4}$

Step 2: $\text{Apwd-PadGen}(R_T, R_{T \oplus M}) = a_{d_{t1}} a_{d_{t2}} a_{d_{t3}} a_{d_{t4}} \,\|\, a_{d_{t1}+16} a_{d_{t2}+16} a_{d_{t3}+16} a_{d_{t4}+16} \,\|\, a_{d_{x1}} a_{d_{x2}} a_{d_{x3}} a_{d_{x4}} \,\|\, a_{d_{x1}+16} a_{d_{x2}+16} a_{d_{x3}+16} a_{d_{x4}+16} = d_{W1} d_{W2} d_{W3} d_{W4}$ (base 10)

Step 3: $\text{Kpwd-PadGen}(R_V, R_W) = k_{d_{V1}} k_{d_{V2}} k_{d_{V3}} k_{d_{V4}} \,\|\, k_{d_{V1}+16} k_{d_{V2}+16} k_{d_{V3}+16} k_{d_{V4}+16} \,\|\, k_{d_{W1}} k_{d_{W2}} k_{d_{W3}} k_{d_{W4}} \,\|\, k_{d_{W1}+16} k_{d_{W2}+16} k_{d_{W3}+16} k_{d_{W4}+16} = h_{q1} h_{q2} h_{q3} h_{q4}$ (base 16) $= \text{PAD1}$

Step 4: $R_V \oplus R_W = R_{V \oplus W} = d_{s1} d_{s2} d_{s3} d_{s4}$

Step 5: $\text{Kpwd-PadGen}(R_V, R_{V \oplus W}) = k_{d_{V1}} k_{d_{V2}} k_{d_{V3}} k_{d_{V4}} \,\|\, k_{d_{V1}+16} k_{d_{V2}+16} k_{d_{V3}+16} k_{d_{V4}+16} \,\|\, k_{d_{s1}} k_{d_{s2}} k_{d_{s3}} k_{d_{s4}} \,\|\, k_{d_{s1}+16} k_{d_{s2}+16} k_{d_{s3}+16} k_{d_{s4}+16} = h_{r1} h_{r2} h_{r3} h_{r4}$ (base 16) $= \text{PAD2}$
In the PadGen proposed by Konidala et al., each PAD is computed from one set of (RTx, RMx), which is transmitted in the open. In contrast, the PAD function proposed here is computed from one set of (RV, RW), which is not transmitted openly. RV and RW are computed by Apwd-PadGen(RTx, RMx) and Apwd-PadGen(RTx, RTx ⊕ RMx), respectively. PAD1 and PAD2 are then generated by Kpwd-PadGen(RV, RW) and Kpwd-PadGen(RV, RV ⊕ RW), respectively. The RV and RW values are calculated within the tags and readers. Therefore, an adversary would not be able to correlate all the bits in ApwdM and ApwdL.

1. Apwd-PadGen(RTx, RMx) = dv1dv2dv3dv4 = RV. RTx, RMx, and Apwd are selected as the inputs for the PadGen operation, and the result RV of the XOR-PadGen operation is stored in a register for further manipulation.
2. Apwd-PadGen(RT, RT ⊕ RM) = dw1dw2dw3dw4 = RW. Through mux selection, RT, RT ⊕ RM, and Apwd are chosen as inputs for the PadGen operation. The result RW is stored in a register for further computation.
3. Kpwd-PadGen(RV, RW) = hq1hq2hq3hq4 = PAD1. PAD1 can then be obtained by mux-selecting RV, RW, and Kpwd as inputs for the XOR-PadGen operation.
4. Kpwd-PadGen(RV, RV ⊕ RW) = hr1hr2hr3hr4 = PAD2. Similarly, PAD2 can then be obtained using RV, RV ⊕ RW, and Kpwd for the XOR-PadGen operation.

4. Results

(i) Simulation Output for PadGen:

Figure 5: Output Waveform for PadGen Function

(ii) Simulation Output for XOR Scheme:

Figure 6: Output Waveform for XOR Scheme

Inputs:
Apwd, Access Password (32-bit) = abcd1234
Kpwd, Kill Password (32-bit) = 1234abcd
Rtx, Tag Random Number (16-bit) = abcd
Rmx, Manufacturer Random Number (16-bit) = 1234

Outputs:
Pad1, Pad generation 1 (16-bit) = 3d52
Pad2, Pad generation 2 (16-bit) = d387
CcpwdM, Cover-coded password MSB (16-bit) = 969f
CcpwdL, Cover-coded password LSB (16-bit) = c1b3

5. Conclusion

To improve the security level of the original reader-to-tag authentication protocol proposed under the EPC C1G2 specification, the PadGen functions are used to protect the access password against exposure. The main advantage of the proposed scheme is that it does not require the implementation of any special cryptographic hash functions/keys within the tag or a central server/database. There is also no need for the tag and the reader to synchronize security keys/hash values. The PadGen function was modified to strengthen the security of the mutual authentication scheme. The PadGen functions, based on the XOR operation and used in association with the tag's Apwd and Kpwd, generate the PAD. The proposed protocol, which uses values manipulated within the tags and reader to enhance the PadGen operation, is a more secure method for mutual authentication.
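The PadGen construction of Section 3.1.4 and the cover-coded password check of Section 2.1, written out as a Python reference model; this is an added example, not the authors' HDL, and all function names are illustrative. It assumes password bit a0 is the most significant bit and that the tag verifies by unmasking with pads it computes locally. Under that bit order, the single-round calls Apwd-PadGen(RTx, RMx) and Kpwd-PadGen(RTx, RTx ⊕ RMx) reproduce the Section 4 simulation outputs, and the four-stage chain is computed alongside them.

```python
# Added reference model (not the authors' HDL). Assumption: password bit a0
# is the most significant bit; function names below are illustrative.

def bit(pwd32, i):
    """Bit a_i of a 32-bit password, a_0 = MSB (assumed convention)."""
    return (pwd32 >> (31 - i)) & 1

def hex_digits(word16):
    """Four hex digits of a 16-bit word, most significant first."""
    return [(word16 >> s) & 0xF for s in (12, 8, 4, 0)]

def padgen(pwd32, r1, r2):
    """PadGen(r1, r2): for r1 then r2, the four digits d select a_d,
    then the same digits select a_(d+16); 16 output bits, MSB first."""
    out = 0
    for r in (r1, r2):
        ds = hex_digits(r)
        for idx in ds + [d + 16 for d in ds]:
            out = (out << 1) | bit(pwd32, idx)
    return out

def chained_pads(apwd, kpwd, rt, rm):
    """Section 3.1.4 chain: RV and RW never leave the device."""
    rv = padgen(apwd, rt, rm)            # Apwd-PadGen(RT, RM)
    rw = padgen(apwd, rt, rt ^ rm)       # Apwd-PadGen(RT, RT xor RM)
    pad1 = padgen(kpwd, rv, rw)          # Kpwd-PadGen(RV, RW)
    pad2 = padgen(kpwd, rv, rv ^ rw)     # Kpwd-PadGen(RV, RV xor RW)
    return rv, rw, pad1, pad2

def cover_code(apwd, pad1, pad2):
    """Mask the 16 MSBs of Apwd with pad1 and the 16 LSBs with pad2."""
    return (apwd >> 16) ^ pad1, (apwd & 0xFFFF) ^ pad2

def tag_accepts(apwd, kpwd, rt, rm, ccpwd_m, ccpwd_l):
    """Assumed tag-side check: rebuild the pads from the stored passwords,
    unmask both halves and compare with the stored Apwd."""
    _, _, pad1, pad2 = chained_pads(apwd, kpwd, rt, rm)
    return ((ccpwd_m ^ pad1) << 16 | (ccpwd_l ^ pad2)) == apwd

# Inputs listed in Section 4 of the page.
APWD, KPWD, RTX, RMX = 0xABCD1234, 0x1234ABCD, 0xABCD, 0x1234

def section4_vector():
    """Single-round pads that reproduce the Section 4 outputs."""
    pad1 = padgen(APWD, RTX, RMX)
    pad2 = padgen(KPWD, RTX, RTX ^ RMX)
    return (pad1, pad2) + cover_code(APWD, pad1, pad2)

if __name__ == "__main__":
    print("Section 4:", [f"{v:04x}" for v in section4_vector()])
    rv, rw, pad1, pad2 = chained_pads(APWD, KPWD, RTX, RMX)
    print("chained  :", [f"{v:04x}" for v in (rv, rw, pad1, pad2)])
    ccm, ccl = cover_code(APWD, pad1, pad2)
    print("tag accepts correct Apwd:",
          tag_accepts(APWD, KPWD, RTX, RMX, ccm, ccl))
```

A model like this can serve as the golden reference when checking ModelSim waveforms, since every intermediate register value (RV, RW, PAD1, PAD2) is available for comparison.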