Protecting RFID
Communications in Supply
Chains
Yingjiu Li & Xuhua Ding
School of Information Systems
Singapore Management University
ASIACCS 2007
Background
• RFID
• Each tag has a globally unique identification number.
• RFID tag has very weak computation power.
• RFID tag has very limited storage.
ASIACCS 2007
2
Supply Chain Management
• Supply Chain
– A coordinated system of organizations moving
a product from supplier to customer.
Partner P4
Partner P2
Partner P1
Partner P3
ASIACCS 2007
3
Security Requirements
• Authoritative Access
– For a shipment to partner Pi, only Pi’s reader
can access.
• Authenticity
– Only legitimate RIFD tags can be accepted
• Unlinkability
– Infeasible to determine whether two
responses are from the same tag.
• Supply Chain Visibility
– Manager’s ability to track and identify the flow.
ASIACCS 2007
4
System Model
• Consider a supply chain of N partners
– P1, P2,…PN
– Each has a pair of public/private keys.
– Material flow: P1 P2  P3…  PN
• No assumption on global knowledge of the entire
supply chain.
• Assumption:
– Attackers are unable to access the stored secrets by
physically compromising RFID readers or tags.
– Attackers are able to eavesdrop the interaction
between RFID tags and legitimate readers
– Attackers are able to interrogate RFID tags arbitrary
times.
ASIACCS 2007
5
The Protocol
A high level view :
P1 initializes all RFID tags with a secret key from its
next Partner. Partner Pi downloads the list of ids from Pi-1,
reads all the tags, updates the tags for Pi+1.
P1
Tag Initialization
Database initialization
ID Secret mask
tags
C1
C2
Cn
C1k2
C2k2
Cnk2
k2: the secret key chosen by P2
Response
…
c1
cn
ASIACCS 2007
6
RFID Read Protocol (by Partner Pi)
Pi
t
r
t
t=H(r)
a
Response
c1
h(rc1ki)
c2
h(rc2ki)
cx

=cxki
?
ID Secret
mask
r
h(rcxki)

cn
a
’
database Di
RFID tags
ASIACCS 2007
7
RFID Write Protocol (by Partner Pi)
Pi
ID Secret
mask
c1
Response


r1
c 2 r2
a=kiki+1
b=H(acki)

b
?
H(a  )
=cxki
=a= cxki+1
cx
rx
cn
rn
h(rcxki)


database Di
RFID tag
ASIACCS 2007
8
Security
• Read Protocol
• Write Protocol
– The readers are NOT
authenticated.
– For a tag prepared for
Pi, only Pi and Pi-1’s
reader can extract its
ID.
– Only legitimate tags
are processed.
– For a tag prepared for
Pi, only commands
from Pi and Pi-1 will be
accepted.
– Reveal no information
to eavesdroppers.
ASIACCS 2007
9
Balancing Security and Performance
Basic Idea: Batch process with a shared nounce,
instead of a fresh nounce per tag.
Pi
ID
r1
r3
r2
a
aa
aa

a

Secret
mask
Response
c1
r1
h(r1c1ki)
c2
r1
h(r1c2ki)
cx
r2
h(r2cxki)
cx+1
r2
h(r2cx+1ki)

ASIACCS 2007
10
Unlinkability & Supply Chain Visibility
Supply Chain Visibility
Unlinkability

processed
by Pi

’
• The ability to identify
all tags and the present
partner
• by introducing an
trusted authority and
key escrow
Are they the
same tag??
A weaker notion than universal
unlinkability.
ASIACCS 2007
11
Performance
• Tag’s storage cost: <128 bits
• Tag’s computation cost: 1 hash + 1 XOR for
read; 1 hash + 2 XOR for write
• Communication cost among Partners: the list of
tag identifications, (not the whole database)
• Computation cost for a Partner:
– only hash, XOR and comparison are needed;
– A major portion can be pre-computed;
– suitable for batch processes;
– Practical, since the bottleneck is the tag-reader
communication delay;
ASIACCS 2007
12
ASIACCS 2007
13