an approach to security and privacy of rfid system for supply chain

AN APPROACH TO SECURITY AND PRIVACY OF RFID SYSTEM FOR SUPPLY CHAIN
Xingxin(Grace) Gao, Zhe(Alex) Xiang, Hao Wang, Jun Shen, Jian Huang, Song Song
IBM China Research Lab
4/F, HaoHai Building, No.7, 5th Street, Shangdi, 100085, Beijing,China, gaoxingx@cn.ibm.com
Abstract - Radio Frequency Identification (RFID) is
expected to become pervasive and ubiquitous, as it can be
embedded into everyday items as smart labels. A typical
scenario of exploiting RFID is supply chain. The RFID
based supply chain management yields convenience,
efficiency and productivity gains. However, RFID systems
create new risks to security and privacy.
This paper briefly presents the current solutions to RFID
security and privacy. A new approach is then proposed,
which exploits randomized read access control and thus
prevents hostile tracking and man-in-the-middle attack. In
addition, compared with current schemes that achieve the
similar security level, the proposed approach dramatically
decreases the computation load. Another benefit is that it is
suitable for RFID systems with a large number of tags.
Keywords – RFID, Security, Privacy
I. INTRODUCTION
Nowadays, low-cost radio frequency identification (RFID)
has been attracting more and more interests from both
industry and academic institutes.[1] It has gained wide range
adaptation for low-cost and ubiquitous computing
applications, such as location tracking, access control and
environmental conditions monitoring. An RFID system
consists of three parts: radio frequency (RF) tags, RF tag
readers and the back-end database that associates records
with tag data collected by readers. Tags are composed of a
microchip for memory and logical operations, and an
antenna coil for receiving and transmitting wireless signals.
Readers interrogate tags for their contents through RF
antenna and interface to back-end databases for more
functionalities.
A typical scenario of exploiting RFID is supply chain
management. It aims at reducing supply chain inefficiencies
and improved inventory flow whilst considering the returns
process. RFID based supply chain management achieves has
many beneficial features over traditionally used bar code. 1)
It doesn’t require line-of-sight access to read. 2) The reading
range of RFID is larger than bar code, though it’s still shortrange.
3) Tags can be read simultaneously. Inventory can be
obtained in a very short time without line of sight at the
entrance, because multiple tags can be read at the same time.
4) Tags can store more data, such as the unique ID for a
certain good and data from the readers and the environment.
Hence they can be tracked from producers to distributors
and to retailers.
The beneficial features greatly improve supply chain
management efficiency and ease of use. However, they
expose RFID based supply chain to security and privacy
challenges. A secure RFID system has to avoid
eavesdropping, traffic analysis, spoofing and denial of
service, as it has large read range and no line of sight
requirement. In contrast, security and privacy is not a
problem for barcode, as the reading range of barcode is as
short as several centimeters.
An important security concern is that a store’s inventory
labeled with unprotected tags may be monitored by
competitors’ unauthorized readers. The inventory data holds
significant financial value for commercial organization and
their competitors. Another privacy concern is that
individuals may be tracked through RFID tags labeled on
the carried objects. Even if the tags only contain product
codes rather than unique serial number, someone’s tastes in
brands “constellation” will also betray their identity.
Moreover, even if the responses of tags are encrypted, the
owner can also be identified and tracked by the fixed
encrypted code.
There have been some approaches to the RFID security and
privacy issues, including killing tags at the checkout,
applying a rewritable memory, physical tag memory
separation, hash encryption, random access hash, and hash
chains. These approaches will be introduced in details in the
next section.
A new approach is proposed in this paper, which requires
read access control. If a reader is inquiring a tag’s ID. The
tag has to firstly identify the reader is authenticated. In the
process of authentication, a tag sends out a random number.
The reader then responds to the tag with a function value of
the random number and its own ID. The reader’s output for
each query changes. Thus, even if the output is
eavesdropped, the adversary can not pass the authentication
in the next query. This random number based authentication
can prevent spoofing and man-in-the-middle attack.
This paper is organized as follows. The related works of
RFID in security and privacy are firstly introduced in
section II. Then our approach is proposed in section III. In
this section, the assumption is stated. Under this assumption,
the basic idea is presented and the working mechanism is
detailed.
Proceedings of the IEEE International Conference on E-Commerce Technology for Dynamic E-Business (CEC-East’04)
0-7695-2206-8/04 $ 20.00 IEEE

II. RELATED WORKS
There have been some approaches to the security and
privacy issues in RFID system for supply chain. The
approaches can be classified into two categories. One is to
disable tags totally or partially, when the ownership of the
products switched forward. The other is read access control
of tags.
A. Disable tags totally or partially
A simple approach is to kill tags when the owner of a
product in a stage of the life cycle is to pass his/her
ownership to the next stage, he/she takes off the Class ID[2].
Upon receiving the command, the tag erases itself. Another
approach is that a logically unique tag ID consists of a Class
ID and a locally unique ID. [3] A customer either kills the
Class ID or replaces it with a user-defined one at the checkout.
This function is useful in protecting the user privacy by
eliminating the uniqueness of tags, but a conscious decision
is required to initiate the procedure, and it is difficult to
ensure that the kill command was properly executed.
Moreover, tag suicide prevents any subsequent useful
services such as special services for each client. This
property actually diminishes the benefits of RFID tags. In
addition, partially disable or rewrite tag can not prevent
being tracked as tags response a fixed output.
B. Fixed read access control
With read access control, tags only respond to authorized
readers. Fixed read access control stands for an
authentication process, where the authentication key is fixed.
A basic method is that each RFID tag has a read only
memory (ROM) and a rewritable memory (e.g. RAM) [4]
[5]. In the RAM mode a tag can only response to the limited
users, who have the same fixed identification code as that in
the rewritable memory. An extension of this method exploits
hash function [6]. Each tag verifies the reader as follows.
The reader has a authentication key k for each tag, and each
tag holds the result metaID, metaID = hash(k) of a hash
function. A tag receives a request for ID access and sends
metaID in response. The reader sends a key that is related to
metaID received from the tag. The tag then calculates the
hash function from the received key and checks whether the
result of the hash function corresponds to the metaID held in
the tag. Only if both data sets agree does the tag send its
own ID to the reader.
However, it can not prevent being tracked, because tags
respond predictably. Furthermore, both the random key and
the tag ID can be eavesdropped by an adversary.
C. Randomized read access control
To avoid being tracked, the tag’s response should be not
predictable but randomized. There are mainly two
approaches of randomized read access control.
MIT Auto ID center proposed an Randomized Hash scheme,
which is an extension of the hash lock type scheme [6].
Instead of a fixed metal ID, tag’s response changes with
each query. As shown in Fig. 2., Each tag shares with the
reader an authentication key ID k . Upon query, the tag
generates a pseudo-random number R and outputs (R,
h(ID k ||R)), where h(ID k ||R) is the hash function based on the
input fromR and the authentication key ID k . The reader then
gets authentication keys of all tags. The reader calculates the
hash function using the received R and ID for all
authentication keys stored in the back-end database. If the
hash value matches that sent by the tag, the reader identifies
the authentication key ID k for the tag and sends it to the tag.
Since the tag output changes with each access, this scheme
deters tracking. However, this scheme is best suited for
consumers with a small number of tags, since a legitimate
reader identifies one of its tags by searching and calculating
with all of its known IDs. It is not practical for a large
number of tags.
Fig. 2. Randomized Hash-Locking: A reader unlocks a tag
whose ID is in the randomized hash-lock scheme.
NTT proposed a hash chain approach. A tag has initial
information S i . In the i-th transaction with the reader, the
RFID tag sends answer a i = G(S i ) to the reader, renews
secret S i+1 = H(S i ) as determined from previous secret S i ,
where H and G are hash functions, as in Fig. 3.
Fig. 1. Hash-Locking: A reader unlocks a hash-locked tag.
This scheme offers privacy control at low cost. All it
requires is a hash function and storage for metalID.
Fig. 3. RFID tag sends answer a i = G(S i ), and renews its
secret S i+1 = H(S i ).
Proceedings of the IEEE International Conference on E-Commerce Technology for Dynamic E-Business (CEC-East’04)
0-7695-2206-8/04 $ 20.00 IEEE

The reader sends a i to the back-end database. The back-end
database maintains a list of pairs (ID; S i ), where S i is the
initial secret information and is different for each tag. So the
back-end database that received tag output a i from the reader
calculates a 0i = G(H j (S i )) for each S i in the list, and checks
whether a i = a 0i .Ifa i matches a 0i , the ID is identified from
the pair of a 0i . This scheme satisfies indistinguishability and
forward security. G is a one-way function, so if the
adversary obtains tag output a i , he cannot know S i from a i . G
outputs random values, so if the adversary watches the tag
output, he cannot link a i and a i+1 . H is a one-way function,
so if the adversary tampers with a tag and obtains the secret
information in the tag, he cannot know S i from S i+1 . The
advantages are obvious. However, there are too much
computation and comparison. To identify an ID, the backend
server has to calculate with each ID on the ID list.
Suppose there are N known tag IDs in the data base. The
data base has to perform a search of N known IDs, 2*N hash
functions and N comparisons. The processing load increases
linearly with the length of the ID list. Therefore, this scheme
is not practical for a large number of tags.
III. PROPOSED APPROACH TO RFID SECURITY AND
PRIVACY PROTECTION
The proposed approach also exploits randomized access
control approach, which meets the requirements of
invulnerable to man-in-the-middle attack and hostile
tracking at a relatively low processing load.
A. Components of a secure RFID system
1) Tag
A tag consists of two parts. One part is a memory with read
only memory (ROM) and random access memory (RAM).
Tag memory:
Hash (TagID)
ROM + RAM
ID of an authenticated Reader
The other part is logic circuit, which is able to performing
simple computation, such as calculating hash functions or
creating simple pseudo random numbers.
2) Reader
Readers communicate with tags wirelessly. Each reader has
its ReaderID, which identifies a batch of authenticated
readers. For instance, all the readers in the supermarket
AAA share the same ReaderID showing that “We are from
AAA”. Upon query, the tag verifies a reader through its
ReaderID.
Readers als o connect and communicate to the back-end data
base to identify tags and run related applications.
3) Data Base
The back-end data base stores the pairs of a tag ID and its
hash value: [TagID, hash(TagID)]. Generally, the data base
connects readers through a wired and secure channel.
B. How it works
If a reader is inquiring a tag’s ID. The tag has to firstly
identify the reader is authenticated. After authentication, the
reader can obtain the tag ID by the tag’s response and
reference of the data base.
1) Authentication of a “ Good Reader”
Authorization between readers and tags has to be established
before tags response the information related to the tag ID.
Since the ID of the “ Good Reader” has been stored in the
tag’s memory in advance, tags are able to identify
authorized readers by their reader ID. Tags will not response
to unauthorized readers. Therefore, being tracked by
adversary is not possible where there are no authorized
readers nearby. In addition, the authorization process is
based on a random number created by the tag. Thus
spoofing can be prevented.
This authentication process is shown in Fig. 4. When a tag
receives the inquiry from a reader, the tag will first create a
random number k and send it out. After the random number
k is received by the reader, the reader sends k back to the
backend database. The backend database hashes (ReaderID
|| k) and sends out the hash value to the reader. The reader
then sends it to the tag. In the meantime, the tag also hashes
(ReaderID || k). Then the tag compares the hash value
calculated by the tag with that by the reader. If they equal,
the reader passes the authentication and the tag is ready to
provide some tag ID related information. Otherwise, the
reader is not authenticated and the tag will keep silent.
2) Obtaining a tag’s ID
Illustrated in Fig. 5., after the verification process, the tag
will respond the “ Good Reader” with its hashed TagID.
When the reader receives the hash value of TagID, it will
communicate with the back-end database and find the pair
of (TagID, Hash(TagID)). Thus, the corresponding TagID is
obtained by the reader.
Even if the hashed TagID is eavesdropped, when the tag is
sending it out, the eavesdropper will not know the TagID
value, since he has no idea about the relationship between
actual TagID and its hash value.
3) Updating the authenticated ReaderID in a tag’s memory
When an object is transported from one warehouse to
another one, the authenticated readers will be changed from
the previous warehouse readers to the destination warehouse
readers. This process is illustrated in Fig. 6. The reader
obtains the hash value of the tag and then sends it to the
back-end database. The database is then informed that the
Proceedings of the IEEE International Conference on E-Commerce Technology for Dynamic E-Business (CEC-East’04)
0-7695-2206-8/04 $ 20.00 IEEE

ReaderID stored in the memory of this tag has to be updated.
In response, the database finds out the NewReaderID and
transmits it to the reader. When the reader receives the
NewReaderID, it XOR it with the OldReaderID and sends
the XOR value to the tag. The tag can obtain the
NewReaderID from the XOR value and the OldReaderID.
Finally the ReaderID is updated.
In this process, even if the XOR value between
NewReaderID and OldReaderID is leaked out, the adversary
will not get the NewReaderID, because it has no knowledge
of the OldReaderID. In this way, spoofing is prevented.
C. Analysis for typical cases
1) Invulnerable to eavesdropping
In the process of authentication, even if an adversary
eavesdrops the reader’s output a(k), it can not pretend to be
an authorized reader in the following authentication rounds.
The reason is that the required a(k) value changes for every
authentication processes. The a(k) value of the former
authentication round is useless for the later authentication.
After authentication, the tag will output the hash value of its
TagID instead of the TagID itself. Since hash function is
hardly to inverse, the TagID is protected even if the output
is captured by an adversary.
When a tag wants to update a new ReaderID in its memory,
the new ReaderID is encrypted with the old ReaderID. It is
invulnerable to eavesdropping.
In one word, the proposed approach is secure when any
communications between readers and tags are eavesdropped.
2) Prevent being tracked by adversary
Tags keep silent to adversaries. They only respond to
authenticated readers. Furthermore, as explained above, it is
impossible for adversaries to pretend to be a “good reader” .
Since there is no tag output, adversaries are unable to track
the customers by the tags tagged to what they just bought
after they check out. The privacy of location and the objects
the customers carry is protected.
3) Low computation load
This scheme is fast and low-cost. When identifying a tag
from N known tags, the reader performs only one hash
operation and a search of N known IDs, while other
approaches of randomized access control (section II. C.)
need at least N hash operations and N searches . Obviously,
the computation load of this proposed scheme is
dramatically low, compared with the schemes at the similar
security level. Moreover, as the authentication process
relies on searching N known IDs and a hash, the
computation load increases gradually as the number of tags
increases.
4) Suitable for a large number of tags
Since the computation load is low and increase slowly with
the number of tags, the proposed approach is suitable for
protecting RFID systems with a large number of tags. This
feature is very important for a supply chain. Each part along
a supply chain deploys of numerous tags. In warehouses or
retail stores, thousands of products need to be tagged to
accelerate supply chain process. Therefore, a secure RFID
scheme suitable for a lot of tags is the prerequisite for the
popularization of RFID supply chain system.
5) Scalable for further services for consumers
The approach proposed in this paper is scalable for further
services for consumers. For example, a consumer can store
the ReaderID of his home in the tag’s memory, which is
tagged to a box of milk he bought from a supermarket. The
reader in the refrigerator will detect milk and let the owner
know whether there is enough milk.
IV. CONCLUSION
This paper proposed an approach to security and privacy
protection in RFID systems, especially for supply chain. It
requires the tag to have a rewritable memory and a simple
logic circuit. These requirements are practical and easy to
implement.
An advantage of the proposed approach is the high security.
It prevents spoofing, man-in-the-middle attack. Adversary
can not get the tag ID even if the tag’s outputs are
eavesdropped.
REFERENCES
[1] Vince Stanford, “ Pervasive computing goes the last
hundred feet with RFID systems”, IEEE pervasive
computing, Volume: 2 , Issue: 2 , Pages:9 – 14,April-
June 2003
[2] Auto-ID Center, “860MHz-960MHz Class I Radio
Frequency Identification Tag Radio Frequency &
Logical communication Interface Specification Proposed
Recommendation Version 1.0.0” , Technical Report
MIT-AUTOID-TR-007, Nov. 2002
[3] Sozo Inoue, Hiroto Yasuura, “ RFID privacy using usercontrollable
uniqueness” , RFID Privacy Workshop @
MIT,2003
[4] Sozo Inoue, S. Konomi, Hiroto Yasuura., “Privacy in the
digitally named world with RFID tags” , Workshop on
socially-informed design of privacy-enhancing solutions
in ubiquitous computing, 2002
[5] Shingo Kinosita, Fumitaka Hoshino, Tomoyuki Komuro,
Akiko Fujimura and Miyako Ohkubo, “ Non-identifiable
Anonymous-ID Scheme for RFID Privacy Protection” ,
to appear in CSS 2003 in Japanese.
[6] Stephen A. Weis, Sanjay E. Sarma, Ronald L. Rivest and
Daniel W. Engels , “Security and Privacy Aspects of
Proceedings of the IEEE International Conference on E-Commerce Technology for Dynamic E-Business (CEC-East’04)
0-7695-2206-8/04 $ 20.00 IEEE

Low-Cost Radio Frequency Identification Systems”,
First International Conference on Security in Pervasive
Computing. March, 2003.
Database
k
Reader
Hi!
k
Tag
Create a random number : k
Get stored Reader ID;
a(k)=hash(ReaderID || k)
a(k)
a(k)
a(k)*=hash(ReaderID || k)
a(k)*== a(k)*
Y
N
Authenticated!
Keep silent
Fig. 4. Authentication of a “ Good Reader”
Authenticated
Found:
Database
Hash (TagID)
Reader
Hash (TagID)
Tag
(TagID, Hash(TagID))
Fig. 5. Obtaining a tag’s ID
Database
Hash(TagID);
ReaderID
Reader
Obtaining TagID
Tag
NewReaderID
(NewReaderID)XOR
(OldReaderID)
Updated Memory:
Hash (TagID)
NewReaderID
Fig. 6. Updating the authenticated ReaderID in a tag’s memory
Proceedings of the IEEE International Conference on E-Commerce Technology for Dynamic E-Business (CEC-East’04)
0-7695-2206-8/04 $ 20.00 IEEE