ASIACCS 2007 Protecting RFID Communications in Supply Chains Yingjiu Li & Xuhua Ding School of Information Systems Singapore Management University

ASIACCS Background RFID Each tag has a globally unique identification number. RFID tag has very weak computation power. RFID tag has very limited storage.

ASIACCS Supply Chain Management Supply Chain –A coordinated system of organizations moving a product from supplier to customer. Partner P1 Partner P2 Partner P3 Partner P4

ASIACCS Security Requirements Authoritative Access –For a shipment to partner P i, only P i ’ s reader can access. Authenticity –Only legitimate RIFD tags can be accepted Unlinkability –Infeasible to determine whether two responses are from the same tag. Supply Chain Visibility –Manager’s ability to track and identify the flow.

ASIACCS System Model Consider a supply chain of N partners –P 1, P 2,…P N –Each has a pair of public/private keys. –Material flow: P 1  P2  P 3 …  P N No assumption on global knowledge of the entire supply chain. Assumption: – Attackers are unable to access the stored secrets by physically compromising RFID readers or tags. –Attackers are able to eavesdrop the interaction between RFID tags and legitimate readers –Attackers are able to interrogate RFID tags arbitrary times.

ASIACCS The Protocol A high level view : P 1 initializes all RFID tags with a secret key from its next Partner. Partner P i downloads the list of ids from P i-1, reads all the tags, updates the tags for P i+1. P1P1 C1C1 C2C2 CnCn tags Tag Initialization C1k2C1k2 C2k2C2k2 Cnk2Cnk2 k 2 : the secret key chosen by P 2 Database initialization cncn c1c1 … ResponseSecret mask ID

ASIACCS RFID Read Protocol (by Partner P i ) h(r  c 2  k i ) c2c2  h(r  c x  k i ) r cxcx cncn h(r  c 1  k i ) c1c1 ResponseSecret mask ID  r t=H(r  )  =c x  k i PiPi t t ? database D i a a ’’ RFID tags

ASIACCS RFID Write Protocol (by Partner P i )  a=k i  k i+1 b=H(a  c  k i )  =c x  k i PiPi  r2r2 c2c2  h(r  c x  k i ) rxrx cxcx  rnrn cncn  r1r1 c1c1 ResponseSecret mask ID database D i RFID tag b H(a   ) ?  =a  = c x  k i+1

ASIACCS Security Read Protocol –The readers are NOT authenticated. –For a tag prepared for P i, only P i and P i-1 ’s reader can extract its ID. –Only legitimate tags are processed. Write Protocol –For a tag prepared for P i, only commands from P i and P i-1 will be accepted. –Reveal no information to eavesdroppers.

ASIACCS Balancing Security and Performance r1r1 PiPi a a  a a  a a  r2r2 r3r3 IDSecret mask Response c1c1 r 1 h(r 1  c 1  k i ) c2c2 r 1 h(r 1  c 2  k i ) cxcx r 2 h(r 2  c x  k i ) c x+1 r 2 h(r 2  c x+1  k i ) Basic Idea: Batch process with a shared nounce, instead of a fresh nounce per tag.

ASIACCS Unlinkability & Supply Chain Visibility Are they the same tag?? A weaker notion than universal unlinkability.  processed by Pi ’’  Supply Chain Visibility Unlinkability The ability to identify all tags and the present partner by introducing an trusted authority and key escrow

ASIACCS Performance Tag’s storage cost: <128 bits Tag’s computation cost: 1 hash + 1 XOR for read; 1 hash + 2 XOR for write Communication cost among Partners: the list of tag identifications, (not the whole database) Computation cost for a Partner: –only hash, XOR and comparison are needed; –A major portion can be pre-computed; –suitable for batch processes; –Practical, since the bottleneck is the tag-reader communication delay;

ASIACCS