GB2422746A - Radio frequency identification transponder security - Google Patents

Radio frequency identification transponder security Download PDF

Info

Publication number
GB2422746A
GB2422746A GB0500596A GB0500596A GB2422746A GB 2422746 A GB2422746 A GB 2422746A GB 0500596 A GB0500596 A GB 0500596A GB 0500596 A GB0500596 A GB 0500596A GB 2422746 A GB2422746 A GB 2422746A
Authority
GB
United Kingdom
Prior art keywords
reader
tag
transponder
identifier
tree
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
GB0500596A
Other versions
GB2422746B (en
GB0500596D0 (en
Inventor
Andrea Soppera
Trevor Burbridge
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
British Telecommunications PLC
Original Assignee
British Telecommunications PLC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by British Telecommunications PLC filed Critical British Telecommunications PLC
Publication of GB0500596D0 publication Critical patent/GB0500596D0/en
Priority to AT06700492T priority Critical patent/ATE480836T1/en
Priority to CN200680002023XA priority patent/CN101103365B/en
Priority to EP06700492A priority patent/EP1836653B1/en
Priority to US11/794,715 priority patent/US7940179B2/en
Priority to PCT/GB2006/000080 priority patent/WO2006075146A1/en
Priority to DE602006016731T priority patent/DE602006016731D1/en
Priority to JP2007550835A priority patent/JP4768752B2/en
Priority to KR1020077016075A priority patent/KR101177958B1/en
Publication of GB2422746A publication Critical patent/GB2422746A/en
Application granted granted Critical
Publication of GB2422746B publication Critical patent/GB2422746B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44Program or device authentication
    • G06F21/445Program or device authentication by mutual authentication, e.g. between devices or programs
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/73Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by creating or determining hardware identification, e.g. serial numbers
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06KGRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
    • G06K19/00Record carriers for use with machines and with at least a part designed to carry digital markings
    • G06K19/06Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code
    • G06K19/067Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards also with resonating or responding marks without active components
    • G06K19/07Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards also with resonating or responding marks without active components with integrated circuit chips
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06KGRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
    • G06K7/00Methods or arrangements for sensing record carriers, e.g. for reading patterns
    • G06K7/08Methods or arrangements for sensing record carriers, e.g. for reading patterns by means detecting the change of an electrostatic or magnetic field, e.g. by detecting change of capacitance between electrodes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2115Third party
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2129Authenticate client device independently of the user

Abstract

Security and privacy of tag information in an RFID-based system can be achieved through the usage of pseudonyms generated based on one-way hash functions. A system based on binary one-way trees allows for the scalable generation and decoding of authentication keys to obtain access to tag identities. This tool can also be adapted to provide limited access for readers to tag information, e.g. the right to read a transponder for a predetermined number of read attempts may travel down a supply chain.

Description

I
RADIO FREQUENCY IDENTIFICATION TRANSPONDER SECURITY
This invention relates to RFID (radio-frequency identification) technology in general, and specifically describes apparatus and methods for operating secure and private systems in the use of such technology.
RFID technology has great potential in, and is increasingly used in, supply chains to reduce the time and cost of inventory management. For example, consumer goods typically pass through the ownership and control of manufacturers, transport agents, wholesalers and retailers before reaching the consumer; thereafter the item could be re- sold, rented or recycled. Systems have been developed which include RFID tags affixed to the goods directly, or on their packaging, or on the vehicles transporting such goods.
While RFID technology is now commonly deployed by a single company to track goods within their control, the true advantage of RFID becomes apparent when goods can be tracked between companies or from country to country. However, the proliferation of RFID technology may create security and privacy problems. The data serving as the ID of each RFID tag will allow tracking of goods not only within the supply chain but also to track people having those goods. Outside the personal sphere, companies with RFID- tagged products, or who issue their personnel with company badges with RFID chips, could be vulnerable to commercial espionage or worse by competitors. RFID tags are relatively easy to "eavesdrop on, as any party equipped with a suitable scanner and close access to a typical tag can activate it and read its contents. Consumer associations and manufacturers alike have voiced concerns in this regard which may slow down the adoption and deployment of RFID technology.
For an introduction to RFID systems, their components and operations, the reader is referred to the paper by Sama, Weis and Engels whose publication is reference below and which is incorporated by this reference.
It is therefore desirable to increase levels of security in the use of RFID tags. In particular, tags should not compromise the privacy of the holder of the tagged item. This means that unauthorised parties should not be able to gain access to the tag information. One aspect of this is that there should not be long-term associations allowing tracking by previously- authorised (but now unauthorised) readers - especially relevant in the context of supply chains.
The present invention describes apparatus and methods to operate an RFIDbased system with improved security and privacy. For illustrative purposes, the discussion below takes place in the context of the supply chain for consumer goods, but it will be understood that the invention can have a wide range of applications and is thus not restricted to any particular context.
One known method to improve the security of RFID technology is to provide tags which include a "kill command". The idea here is that the tag can be detected and disabled so that the tag and the tagged item become anonymous thereafter. For example in the retail context, the tag can be "killed" at the point of sale. The EPCgIobal and ISO-18000 standards support this feature in RFID tags. One problem with this solution is the lack of flexibility: prior to being "killed", everyone can indiscriminately access the tag; after, no- one can. This would be inconvenient when, for example, a consumer wants to return a defective item after sale. The kill command scheme assumes that the tag ID is openly accessible to any party within read range of the tag. There is no provision for privacy between entities in the supply chain, or from other parties, before the tag is issued a kill command.
Currently, an insecure tag will yield up its information to any suitably configured reader.
Various proposals to improve security have been made, including those in the following publications: A Juels and R Pappu: "Squealing Euros: Privacy-Protection in RFID-Enabled Banknotes" (Financial Cryptography 03, pages 103-121, R Wright, ed. Springer-Verlag. 2003.
LNCS no. 2742.) 2. Sanjay E Sarma, Stephen A Weis and Daniel W Engels: "REID Systems and Security and Privacy Implications" (Workshop on Cryptographic Hardware and Embedded Systems, pages 454--470. Lecture Notes in Computer Science, 2002.) 3. A Juels: "Minimalist Cryptography for REID Tags" (Security of Communication Networks (SON), C. Blundo, ed., 2004.) The schemes described incorporate additional functionality to the tag so that it remains secure within a specific domain. The principle is that the tag does not output its real ID to a reader, but instead sends, for example, a message encrypted by using a one-way hash function. The tag ID thus remains unknown to the reader if it does not share the same key or hash seed as the tag. In this case, some solutions incorporate a trusted third party to provide the reader with the necessary key to allow the reader to access the tag's real ID.
The chief issue here concerns cost as having to perform remote look-up every time tag access is required is expensive.
Where a reader has in itself the key to unlock the encrypted tag output, it is deemed to be an authorised party with access rights, and the tag output can be understood and the real ID identified. The downside of such systems where the tag and reader are coupled in this manner, is that the particular reader would continue to have access to the tag, even after ownership or control of the tagged item changes hands. This compromises the privacy of other parties within the supply chain.
One solution to this problem of coupled tags and readers, is to reencrypt the tag at each point of transfer along the supply chain, and use a third party to facilitate the translation of the tag ID information. However, the cost and administration of using a third party is significant. Additionally, the tag is vulnerable to re-encryption by malicious parties unless some form of access control is provided. This of course has its own infrastructure which has to be managed. Moreover, as the re-encryption must be performed every time ownership or control of the item changes hands, each party in the supply chain will have to have the necessary equipment to do so - which represents additional cost. It is particularly unlikely that end consumers will have the means or impetus to re-encrypt the tag after purchase of the item.
The present invention provides a cost-efficient and secure way for tags on items travelling along a supply chain to be identified, only to authorised parties, and only for a limited number of reading operations. This is achieved by providing a more transient coupling between tag and reader, and arranging for the keys to be provided to the readers by a trusted third party. Instead of requiring that the reader refer to the third party for each and every reading however, which is the approach taught by the prior art cited above, the reader is given a temporary key, which expires after a designated number of read operations. This allows for a flexible system where authorised readers can be added or removed as desired, as the good moves along the supply chain.
The present invention also takes into account the very limited resources available in such RFID systems. Owing to cost considerations, only the most basic tags are likely to be considered for ubiquitous deployment in, for example, consumer good supply chains.
Accordingly, only simple functions should be implemented in the tag. The present invention can be implemented using simple, low-cost tag technology (although of course it could be deployed with more complex, and hence, more expensive, tags). The solution according to the invention can thus be implemented more cheaply than those deploying relatively more complex functions such as random number generation.
Systems based on hash function-based encryption require much processing as it is generally not possible to determine if whether a tag is. ilkflowfl, or whether the tag currently has an ID in a future part of the hash chain that has yet to be checked. For this reason, such methods are not scalable nor resilient. Attacks or failures in transmission or storage can break the synchronisation between the tag pseudonym, and the expected values searched in the back-end systems. In the present invention, reader computational requirements to access the tag ID have been reduced to save time and costs at the back end of such systems.
According to a first aspect of the invention, there is provided a radio frequency identification transponder configured to respond, on detecting an interrogation attempt, by providing an output which is an identifier, the identifier being, or being based upon, a leaf or a node of a hash tree of at least binary order, wherein the identifier which is provided is different for every detected interrogation attempt.
According to a second aspect of the invention, there is provided a radio frequency identification transponder configured to respond, on detecting an interrogation attempt, by providing an output which is an identifier, the identifier being, or being based upon, a leaf or a node of a hash tree of at least binary order, wherein the identifier which is provided is different for every detected interrogation attempt, and which provides, in response to each of a sequence of detected interrogation attempts, one identifier of a predetermined sequence of identifiers which sequence is or is based on a predetermined sequence of leaves of the hash tree.
1. According to a third aspect of the invention, there is provided a system for providing a reader of RFID transponders with the right to read a particular transponder for only a predetermined multiplicity of read attempts, the system comprising: the reader; an authorisation means; and a radio frequency identification transponder configured to respond, on detecting an interrogation attempt, by providing an output which is an identifier, the identifier being, or being based upon, a leaf or a node of a hash tree of at least binary order, wherein the identifier which is provided is different for every detected interrogation attempt; the authorisation means and the transponder sharing knowledge of the hash tree of the tag which knowledge is not known to the reader; wherein the reader is: (i) configured to interrogate the transponder, to obtain an identifier output by the transponder; (ii) arranged to contact the authorisation means and to reveal its own identity and the obtained identifier; the authorisation means being arranged to check the entitlement of the reader to read the transponder and, if the reader is entitled to read the transponder, to provide to the reader information about the hash tree to permit the reader to read the transponder over/for the predetermined multiplicity of a interrogation attempts.
According to a further aspect of the invention, there is provided a method for providing a reader of radio frequency identification transponders with the right to read a particular transponder for only a predetermined multiplicity of read attempts, the transponder being configured to respond, on detecting an interrogation attempt, by providing an output which is an identifier, the identifier being, or being based upon, a leaf or a node of a hash tree of at least binary order, wherein the identifier which is provided is different for every detected interrogation attempt, the method comprising: (i) interrogating the transponder with the reader to obtain an identifier output by the transponder; (ii) providing, from the reader, an authorisation authority with the identity of the reader and the obtained transponder identifier; (iii) the authorisation authority checking the entitlement of the reader to read the transponder and, if the reader is entitled to read the transponder, providing to the reader information about the hash tree to permit the reader to read the transponder over/for the predetermined multiplicity of a interrogation attempts.
Embodiments of the invention will now be described, by way of example only, with reference to the accompanying drawings, in which: Figure 1 depicts an embodiment of the invention for providing a reader temporary access to a tag in an RFID system Figure 2 is a flowchart describing the steps of the method depicted in Figure 1 Figure 3 depicts a first embodiment of how a tag can generate tag pseudonyms and hint messages.
Figure 4 depicts a private authentication scheme based on a hash scheme Figure 5 depicts a binary one-way tree Figure 6 depicts a private authentication scheme based on a hash scheme with a one-way binary tree Figure 7 depicts how a hint message is used in to access a tag in connection with a one- way binary tree Figure 8 depicts the use of a one-way binary tree in an alternative embodiment of the invention Figure 9 depicts the reading operations in an alternative embodiment of the invention Figure 10 depicts the operation of a hint message in an alternative embodiment of the invention.
Figure 1 is a schematic overview of an embodiment of the invention, showing the relationship and communications between the three main components of an RFID system according to the invention. A number of exchanges El to E5 take place in the course of events between the tag, reader and third party authority.
Figure 2 is a flow chart describing the steps of a typical read and access session.
An embodiment of the invention will now be discussed in connection with Figures 1 and 2.
In step Sl of Figure 2, the reader (4) establishes initial contact with the tag (2) by scanning it with the appropriate radio frequency radiation. This is depicted by the arrow labelled El in Figure 1.
In step 82, the tag responds by sending output E2, incorporating a pseudonymu, to the reader. The pseudonym is an encrypted value.
In step S3, the reader receives the pseudonym (output E2). If the reader has within itself information which will allow it to decrypt the pseudonym ("YES"), it will not need to seek a decrypting key (sometimes referred to as "seed" within this description) from a third party authority. If the reader does not have this information ("NO"), the process moves into the authorisation phase.
Step S4 represents the start of the authorisation process. Here, the reader may obtain a "hint message" (E4) from the tag in response to E3. The tag may have already released such hint information along with the pseudonym in message E2 (as described in Figure 10). In this case messages E3 and E4 will not take place. The hint message is information which helps the reader identify the decryption key. This can be sent by the tag to the reader in a number of ways. For example, one or more hint messages could be contained in the same message as the pseudonym (as shown in Figure 10). Alternatively the hint message could be a separate output, so that the reader must interrogate the reader several times to have a hint generated (see discussion below regarding this embodiment in connection with Figure 3). Yet another embodiment of this aspect of the invention could have hint messages generated in response to a different command from the reader.
In step S5, the reader sends an authorisation request (E5) to a third party authority that has the information required by the reader (6). The authorisation request can comprise a combination of the hint message(s), the pseudonym, and the reader's credentials. The reader's credentials can be any pre-agreed matter which the third party authority would accept for purposes of determining if the particular reader should be granted authority and access to the tag's real ID. For example, they could include or be the reader's own ID.
They could additionally or alternatively be information passed to the reader by the previous party in the supply chain by means of an electronic bill or the like. The third party authority checks the credentials, such as a certificate, in order to authenticate the reader before releasing information. Once the reader is authenticated, the access rights allowed to the reader can be retrieved and information released in accordance with these rights.
In step S6, the third party authority determines the validity of the authorisation request (E5). If it is satisfied that the reader should be authorised, it may release to the reader the decryption key(s) and the tag ID (E6). It may be the case that the authority contacted by the reader does not have sufficient keys to understand the hint message or generate the access key(s) for the reader. In this case the authority may pass the request onto another authority which has greater access rights.
In step S7, the reader now has the decryption key. This allows it to discover the true tag ID, by a method which is discussed below. As noted above in connection with step S3, if the reader already has the key at that stage, it can bypass the authorisation process (steps Si to S6) and move directly to the decryption process in 57.
Exchanges E7 and E8 of Figure 1 will be discussed below in connection with Figure 4.
These exchanges concern the optional steps of mutual authentication of tag and reader, which provide even greater security in use.
In this embodiment of the invention, the reader will have only temporary access to the tag.
This is achieved by granting the reader only a limited number of reads. When this limit is reached, and the reader requires further access, a new authorisation phase must be applied for. The role of the third party authority can be implemented by the tag manufacturer, or issuer, or the first user of the tag, as described above. It could also be performed by the device described in the applicants' co-pending patent application (applicants' internal reference no. A30584). Although at least one authority must have knowledge of the entire set of pseudonyms that may be generated by a tag, additional authorities may be delegated subsets of this knowledge, allowing them to grant access for only periods of the tag's life. Cascading the authorities in a hierarchy can reduce the load placed on the primary authority.
The following is an illustration of how the method described in Figures 1 and 2 can be applied in the context of a supply chain in the pharmaceutical industry: Pharmaceutical items (such as drugs) are, at their point of manufacture, fixed with a tag.
The tag implements a secure scheme according to the invention. Several such pharmaceutical items are typically packed together and sent to the next party in the supply chain - for example, distributors. The tag(s) on each item will be read several times by different parties before they leave the supply chain and enter the consumer domain.
When the pharmaceutical items transit between the manufacturing and wholesale domains, a bill will typically be sent to the destination (say, a wholesaler). The bill can contain a description of the products (e.g. their electronic product codes "EPCs") and the location (e.g. the uniform resource locator) of a third party authority. This alone, or coupled with other information, could serve as all or part of the reader's credentials referred to in step S5 above. When the items reach the wholesaler, a reader will read the output of the tag(s) and request access from the third party authority. After being granted access, the wholesaler will have access to the tag ID(s). With such access, the wholesaler can then verify that all the products listed on the bill have arrived. Further, the wholesaler could also look up information associated with the tags in a database that might give information about matters such as the manufacturing dates of the items, etc. Such a database could be local to the wholesaler, or this could be a centralised database maintained by the manufacturer, for instance, that could provide e.g. up to date product information.
When a pharmacy puts in an order for the pharmaceutical items, the wholesaler arranges shipment and billing. The wholesaler passes on to the pharmacy the EPCs of the products and the contact details (such as the URL) of the third party authority. This information may again be contained in an electronic bill. While these details could accompany the goods as they are shipped from the wholesaler to the pharmacy, security is enhanced id they were sent separately, preferably in a secure manner. The pharmaceutical items would have a package or shipment ID which would also appear on the bill or other message from the wholesaler to the pharmacy, so that the EPCs of the items and the relevant URL can be clearly associated with a shipment received by the pharmacy.
When the items reach the pharmacy, the tags will again be read, and authorisation is again requested from the third party authority.
Of course, the shippers during any stage of the process above might require access to the tags and this could be obtained in the same way, by sending a request to the third party authority.
After reaching the retail pharmacy, the items will then be put on the shelves of the pharmacy for sale. When an item is sold, ownership is passed to the end user. The security solution according to the invention includes a method to revoke the pharmacy's access to the tag and to pass control to the user. This is an important feature of the system. For example, a person prescribed with 3TC is likely to have the human immunodeficiency virus, and might desire for such information to be kept confidential.
Now the tag is in the consumer domain. The consumer will have two options. The first option is that the user has no need to exploit the tag for any further service. In this case the solution according to the invention ensures the privacy of the user - no tracking or reading of medical information will be possible. Any attempt to read the tags without the decryption key will fail. It is, however, possible that the consumer needs to access the tag's ID. For example, the consumer could put the item on an "intelligent shelf', which would notify the consumer when a specific drug should be taken. In this case the consumer's reader would need to request tag ID access from the third party authority.
When the user disposes of the drug container with any unused drugs, the disposal company could use the tag for the recycling purposes. In this case, the scheme would protect the privacy of the consumer but would maintain the functionality of the tag for purposes of tracking and for linking to information on the disposal company's own database.
Figure 3 is a representation of a method to generate hint messages from the tag, briefly discussed in connection with step S4 above. When the reader requests a hint message from the tag (E3), a different command from the request for the next pseudonym (El) may be used. Alternatively, a single reader command may be used, and the tag can release hint messages periodically - for example, one hint message for every n' pseudonyms generated. This method is illustrated in Figure 3.
The tag's output (exchange E2 in Figure 1) changes for each reading operation. In particular, each output of the tag cannot be correlated with any other previous or future tag output by an unauthorised reader. This is an important property to prevent tracking, and hint messages similarly must not be repeated. This means that a reader specifically requiring a hint message (through command E3), will have to advance the tag pseudonym (by making multiple read operations, for example) up to n' steps before the hint is released. If other readers desire simultaneous access rights to the tag, this manner of outputting hints may not be the most efficient. The discussion below in connection with Figure 10 also provides another solution concerning hint messages.
Figure 4 depicts the exchanges between the tag and a reader that take place in a hash- based pseudonym scheme. It is possible to prevent unauthorised tracking and identification of tags based on use of key hashed messages, described for example by Krawczyk, H, Bellare, M and R Canetti in "HMAC: Keyed- Hashing for Message Authentication" (RFC 2104, September, 1997).
At set-up time, the tag is provided with a unique pair of identifiers (Y10, ID). YID is the secret (comprising a sequence of bits) which will be shared between the tag and an authorised reader. G is a one-way hash function, whose operation is such that its output does not reveal any information about the input. When queried, the tag generates a new element produced from the application of hash functions to the secret Y10' and obtains, over multiple reads, a series of elements: YID 1, Y10 2. .. YID n-I, Y10 n. For each transaction a pseudonym Sk = G(rl, G(rl, VID k)) will be generated and sent by the tag to the reader.
The reader will identify the pair (Y10, ID) that verifies the tag message may optionally reply to the tag with ID XOR G (rI, YID k). This information authenticates the identity of the reader to the tag allowing for mutual authentication, as G(rl, YID k) can only be generated by a reader that shares the same pair (YID, ID) with the tag.
To a reader without knowledge of the pair (YID, ID), a single output of the tag is indistinguishable from a random value and cannot be correlated with previous or future outputs. An eavesdropper on the communication between the tag and reader cannot acquire any further information about the tag.
The mutual authentication method described above may restrict the ability of malicious users to cycle the tag value along the hash chain, or for the tags or accompanying devices such as the device described in the applicants' co-pending patent application no. GB 0428543.3 (applicants' internal reference no. A30584) to identify legitimate readers.
Current known authentication methods that calculate ID k by using a single hash function applied to YID are not scalable since many one-way hash operations need to be performed by the reader's back end system. Upon obtaining a hashed value, the reader must check through all combinations of possible tags, and their potential hashed values. The reader cannot know when to stop this operation since it cannot distinguish between an unknown tag, and an untested hashed value.
Embodiments of the present invention provide a tool to enable the scalable generation and decoding of authentication keys. This tool can be adapted to provide temporary access for readers to tag information.
Figure 5 shows a binary one-way tree with two one-way functions. They are here termed respectively, the left' and the right' functions. Typically they could be constructed using a one-way hash function such as the SH1 or MD5 algorithms.
The sequence of keys in the tree can be constructed as follows. An initial root seed S(root)' is associated with the tree and a parameter of depth D expresses the number of leaves of the tree N=2.
The intermediate values are generated as follows: * The D level key values are Z(0)=left {Z(root)}, Z(1)=right {Z(root)}.
* The D-1 level of keys would be: Z(00)=left {Z(0)}, Z(01)right {Z(0)}, Z(10)left{Z(1)}, Z(1 1)=right {Z(1)}.
2S The D-2 level of the tree would be: Z(000)=left {Z(0O)}, Z(001)=right {Z(00)}, Z(01 0)=left {Z(01)}, Z(0 11)=right {Z(01)}, Z(1 00)left {Z(1 O)} , Z(1 01)=right {Z(1 0)}, Z(1 10)=left Z(1 1)}, Z(1 I 1)=right {Z(1 1)} and so on, creating a binary tree of intermediate seed values to a depth of D levels.
In this example, it can be noted that: * A seed at a level i' generates a 2(1.1) number of leaves.
* The children of a seed bear no resemblance to each other, owing to the properties of the "left" and "right" one-way functions.
The children in the tree are half as valuable as the parent, in that a parent can generate twice as many leaves and consequently gives greater access to the tag identifiers. If access to a part of the tree is to be granted, access is given to the smaller set of seeds closest to the leaves that enables the calculation of all the keys in the tree to be disclosed. When the access to a seed is given, the receiver needs to know where the seed resides in the tree.
In a tree of e.g. D=8, if access is given to a seed at level 3 (e.g. SOOl), the receiver will be able to generate 4 leaf keys. All the other keys will remain hidden. The choice of the level limits the number of keys disclosed. If more keys need to be accessed by the reader a new key or keys can be disclosed to extend the reader access.
The above tool can be used to grant a reader temporary access by applying to the hash based authentication scheme discussed above with Figure 4, but limiting the number of reading operations available to the reader. In addition to achieving the purpose of restricting tag access by readers that were once authorised but which no longer are, this helps reduce the computational complexity for the reader.
According to this aspect of the invention, the seed YID k used in the authentication protocol, is a leaf of the binary one-way tree. As described above, Y10 k is changed for every reading operation. However, in this aspect, the invention provides that instead of YID k progressing through the values in a single hash chain, YID k progresses along the leaves of the tree.
The advantages of a scheme implemented according to the invention in this way are: * A well-defined sequence is presented to the reader so that the reader and tag sharing knowledge of this sequence can communicate.
* Revealing intermediate values in the tree can reveal a sub-sequence to the reader.
The reader will only be able to authenticate and access the tag for a limited number of reading operations (since it will run out of tree leaf values that it understands).
To gain access to a tag for n' operations the reader may be given as little as 1 seed at a level log(n)+1. For example, 8 read operations may be granted by knowing a single seed value at level 4. Alternatively 8 read operations may be granted by 2 seeds each at level 3. The number of keys that must be granted for n' operations varies depending upon the starting position in the tree.
The reader is now loosely coupled to the tag, and only for the duration of the read operations for which sufficient seeds are known. All tags generate a new pseudonym per reading query. No tag re-coding operation is required when an item changes hands since a reader would only be able to track and access the tag for the number of reading operations granted to it. When the reader reaches the end of the number of granted operations granted to it, its access to the tag is automatically ends. In a case where a tag is transferred from one party to the next in the chain with read operations still unused by the previous party, it is possible to dispose of these operations. This can be achieved through multiple reads of the tag, or if the reading protocol is extended, it can be possible to skip directly to a value some distance along the tree leaves. This serves to revoke previous access rights to the tag without the requirement to write new secrets to the tag.
The coupling between a reader and a tag is left to the third party authority. In a possible scenario, the original manufacturer controls the pair (YID, ID) and acts as a third party authority for tags to store reader credentials and to grant or deny access. When a reader needs to access a specific tag, it requires a set of seeds (or elements of the tree). The set consists of intermediate nodes of the tree that give access to the required number of read operations. The number of permitted operations can be extended by a new authorisation request.
When requesting authorisation, a new reader must inform the third party authority of the current state of the tag. This is because the third party authority does not know the current state of the tag and which leaf value it is currently using. The third party authority could calculate both the tag ID and the current state of the tree sequence from the pseudonym value generated by the tag. However, as the third party authority will probably know a very large number of tags, this operation is not scalable.
The third party authority needs to know which seed to distribute to a certain reader without the reader knowing the tag identity beforehand. If the tag cannot release information about the tag ID to the currently unauthorised reader, it is possible that information about the state of the tree sequence can be released instead, to help the singulation of the tag ID/current key value pair. A reader, upon requiring access, would provide to a third party authority the usual credentials, along with the current tag message and a hint message generated from an intermediate node in the pseudonym tree along the path from the root to the leaf value currently used.
This mechanism provides robustness against denial of service attacks by malicious readers. In some known hash-based schemes, a malicious reader can advance the tag key to a point where the reader back end system fails. In the scheme of the present invention, a hint can be used to identity the tag more quickly than searching for the pseudonym, providing a sufficient number of seeds are known to understand the hint message. Where the authorised reader has a significant number of keys, it may be able to perform this operation itself. Readers with a more limited keys can ask a third party authority for this information, and for the issuance of new keys.
A private authentication scheme with a one-way binary tree according to the invention will now be discussed in connection with Figure 6.
The authentication hash based protocol is modified. At set-up time, the tag is again provided with a unique pair (YID, ID), where YID is the root seed of the tree for that tag.
There is assumed to be a tree for n' reading operations where the tree depth is Iog(n)+1.
A tag with n=4096 will require a tree of depth d=12+1. An average of 2 one-way hash functions (minimum 1, maximum Iog(n)) would need to be computed for each reading operation provided the tag maintains the intermediate node values. In order to maintain a tree a tag is required to store the current position in the tree. When queried, the tag generates a new leaf Yleaf' (previously referred to as YID k) and generates a message Sk= G(rl, G(rl, (Yleaf)).
Assuming an authorised reader has been granted access to a sub-set of the tree. A tag is identified by a reader by a pair (Yi, ID), Yi being an element of the tree at level i'. A secret at level i' (where i=1 is the leaf of the tree) will give access to 21) reading operations. For efficiency, i' is chosen to be a small value, which will limit the amount of work (to 2(2Q)2 hash functions evaluations) which needs to be performed by the reader to access a specific tag. Upon receiving the tag message the reader will find the pair (Yi, ID) that verifies the tag message.
On average, the invocation of four one-way hash functions for the tag (i. e. twice for the binary tree and twice G) is required for each reading cycle. The tree information needs to be updated at every cycle. This example uses a binary one-way tree and the tag may store log(n)+1 secrets from the root secret to the current leaf of the tree. The tag can store less information at the cost of increasing the computational cost of the tag in terms of one-way hash-functions required.
The question of how access to a tag can be granted, when it is not known how many times the tag has already been read, will now be considered. For example, a reader receives a new tag and it does not know which secret should be used for the access. A third party authority could grant the access but in order to do so it needs to have some information about the current tree leaf used by the tag.
Figure 7 depicts a solution according to the invention.
The tag can generate tree location hints. Hint messages contain information that points to a seed in the binary one-way tree. The hint can therefore act as an indicator to what part of the tree is currently used. Furthermore, the hint message produced from an intermediate node can identify the tag in exactly the same manner as a pseudonym produced from a leaf of the tree.. By exploiting hint messages a third party authority can identify the tag and disclose to an authorised reader a valid set of seeds to access the tag from that point in time.
Hint messages can be released at different levels between the root seed used to produce the pseudonyms, and the current pseudonym itself. A hint near to the root enables easy identification of the tag, but will only be understood by higher authorities, whereas a hint nearer the current pseudonym is less powerful but can be used by lower delegated authorities including the reader itself.
The scheme described now uses an interleaving of pseudonym values as described earlier in Figure 3, with hints produced from the intermediate nodes of the tree. In this example, only one level of intermediate nodes are used to produce hint messages, although in practice, many levels can be used so long as the level is clearly indicated by the output of the tag. One drawback of interleaving hints (of different levels) and pseudonyms is that some sequence information is clear to an unauthorised reader and may be used for limited tracking of the tag. Another is that the tag pseudonym must be deliberately advanced to obtain a hint value. These issues are addressed by the alternative method of providing hint messages described below in connection with Figure 10.
In the following steps we show how hint messages can be used to identify the current tag: 2. Every 2' reading operations, the tag discloses a hint message. A hint could be H(Yi), where Yi is a seed at level i that gives access to 2(11) operations and H is a hash function.
H(Yi) does not disclose any information about the tree to adversaries because of the one- way function. H(Yi) it is shared (known) by the third party authority.
3. This hint would be used by the reader to request access. When a reader receives a new tag, it needs to retrieve H(Yi). The reader according to the scheme shown in Figure 3, will repeatedly read the tag until the hint value is disclosed. At this point the reader would be able to access the third party authority and request access by providing the authority with the hint message.
4. If the reader is authorised, the third party authority would then communicate the seed value Vito the reader. The reader will be temporarily granted access.
The use of the hint message is extremely beneficial because it reduces complexity enormously. If it is assumed that a third party authority role receives only the pseudonym from a tag, the process to generate a seed would have an order of complexity that is O((n)(N)), where n represents the number of leaves generated by a tree and N the number of tags managed by the third party authority.
Without the use of hint messages, problems occur when either: 3 A tag arrives unexpectedly at a new owner with no information transferred with the tag.
* Other parties have performed an unknown number of reads on the tag since it was last scanned by the particular reader.
In these instances, a reader must give up after a limited check along the pseudonym chain for each possible tag, and conclude that the tag is unknown. The reader cannot distinguish between a response for an unknown tag, and a pseudonym from a known tag but which is beyond the point to which the reader has checked.
With the hint message the complexity is reduced to O((k)(N)), where k depends on the level of the seed disclosed. If the level is high, the third party authority would have to do a limited number of hash operations to find the correct tree and to identify the tag. For example: d=1O(tree dimension) i=8 to identify a tag the key authority goes through 2'4 secrets. The search complexity is O(4*N).
Exploiting the hint message, the tag should be able to be read by multiple readers who are all currently authorised. This would require a more frequent disclosure of hint messages and more complicated access control management.
In this first embodiment, the process works as follows: * The reader reads the current pseudonym from the tag and attempts to match the pseudonym against the space of expected pseudonym values.
* If this match fails, the reader obtains a hint value from the tag. This can be obtained by repeated reads until the hint value is obtained, or by a special instruction that advances the tag automatically until the hint value is given.
* If the hint value is at a level in the hash tree that may be covered by the keys known to the reader, the reader can attempt to match the hint value with a known tag. For example, attempting to match against a hint value 4 levels above the leaves of the tree is equivalent to searching a space of 32 pseudonyms along the leaves of the tree. Thus by searching along the higher-level hint values known, the reader can quickly identify if the tag is known. The tag must give the reader information about the level hint being used.
* If the hint value obtained is higher in the tree than the reader knows about, or if the hint value cannot be matched since it falls beyond the sequence known to the reader, then the reader must ask a third party authority. This authority may know the root seed, and thus all of the tree, or merely part of the tree but a part with more seeds than the reader itself knows.
* If the above authority is unable to decode the hint message, the request may be referred to another authority, such as the root authority with knowledge of the whole tree, to decode the hint value.
The root authority can always decode the tag since it knows the root secret of the tree.
For the root authority the cost of decoding the hint value depends upon the level of the hint in the tree. If the hint were the root value itself, then the authority can immediately look up the value in the list of root seeds. For some levels below the root, it is feasible to have precomputed all of the possible values for each tag, and to perform an immediate look-up. If this match fails, then the tag is unknown to the authority. For hint values lower in the tree, the authority will store the last known position in the tree, and check along a limited space of values. If this search fails, then the tag may be unknown, or sufficiently advanced along the pseudonym tree so as to fail the identification. It should be noted again that searching a limited set of hint messages is equivalent to searching a much larger pseudonym space along the leaves of the tree.
It should be noted that multiple levels in the tree can be used as hint values in a system according to the invention. Indeed, one solution is to use all levels in the tree.
One implementation of releasing hints at all levels is presented here. Interleaved pseudonym values and hint messages can be produced in response to the reader request. The tag can respond in the same manner in both cases, but using the hash value of an intermediate nodes in the tree instead of the hash value at the leaf, that is of a node which is nearer to the root than is the leaf. The release of hint messages may thus be integral to the pseudonym sequence. For example, the hash values may be the values in the tree depicted in Figure 5, revealed left-to-right.
In this figure, the hash value used to produce the tag response may progress: Z000, ZOO, ZOOl, ZO, ZOl 0, ZOl, ZOl 1 and so on. Each release must be identified with the level used so that a reader can ascertain which hash values to attempt to match with.
The cost-benefits of including hint messages in a system of the invention will now be discussed. As noted above, a reader in receipt of a pseudonym may find it difficult to identify a tag without a hint message. The pseudonym will be checked against a set of expected pseudonyms and tags. The set of tags can be restricted by knowledge (such as process/inventory knowledge about what products might arrive in front of a particular reader on that day, etc). By starting the search from the last known pseudonym value however, pseudonym search can be limited. The use of hint messages allows the search to be performed across a far smaller set of values at an intermediate level in the tree.
Moreover, hints obtained from multiple levels of the tree simultaneously can enable both the quick identification of the tag (from a high level hint), and the ease of navigation down to the current leaf pseudonym (but matching intermediate level hints).
We now present a second embodiment that improves the efficiency of the tag reading operation by combining the pseudonym along with hints in a combined tag message.
This approach (shown in Figures 8, 9 and 10) releases hint information along with the pseudonym as an integral part of the tag response. While the tag response is larger, the advantages are considerable since the pseudonym does not need to be advanced by the reader to obtain a hint value, as would be necessary for the embodiment discussed in connection with Figure 3 above. Also the hint values released at the same time as the pseudonym allow the reader (or authority) to navigate directly to the pseudonym instead of searching a space for the match.
This alternative approach decreases the complexity in the back-end system but increases the communication complexity in terms of messages exchanged between the reader and the tag.
Here, H is defined as a one-way hash function and R is defined as a pseudo-random number. A tag is identified by a pair of identifiers (YID, ID), where YID is a secret and ID is the tag identifier. During a reading operation, the reader sends a random number RI, the tag sends in response a message RI, R2, H(RI, R2, YID). Only readers that have access to the pair (YID, ID) can identify the tag.
The generation of the random number can be obtained in two ways: (i) through a random number generator, or (ii) through a one-way hash function. In the use of a one-way hash function, we generate R being a random number, R=H(CNT, S), CNT is a counter incremented at every reading operation, S is a I28bit secret (not shared), H is a one-way hash function or pseudo-random-function.
This scheme implements some of the suggestions proposed in the publication David Molnar, David Wagner: "Privacy and security in library RFID Issues, Practices and Architectures" (2004 ACM Computer and Communications Security conference).
However, Molnar and Wagner's scheme does not allow for control or ownership of a tagged item to change hands, whereas our approach of applying the binary one-way hash tree allows for the provision of limited access to the tag identity.
In applying the one-way binary tree tool presented above the computational complexity of the back-end system is reduced. The secret Y10 is associated with the seed in the binary one-way tree. Unlike the first scheme described above, the tag does not generate a single output associated with the leaf of the tree, but multiple outputs associated with the different secrets from the root to the leaf of the tree.
As shown in Figure 8, the tag is provided at set-up time with a unique pair of identifiers (Z- Root, ID), where YID =ZRoot is the root seed of the tree. As a result, there is a tree for n' reading operations, where the tree depth D=Iog (n). An average of 2 one-way hash functions would need to be computed for each reading operation.
When interrogated by the reader, the tag generates a new leaf of the tree that includes a new branch. The reader sends a random number RI, and the tag sends a sequence of messages Ri, R2, H(R1, R2, Z-root), H(RI, R2, Zi), H(RI, R2, Zi+I), H(RI, R2, Zlog(n)).
The messages of the sequence are associated with the different seeds from the root to the leaf of the tree.
In this case a tag is not identified with a single pseudonym produced from a leaf, but with a sequence of messages. The reader or third party authority will not have to progress the authentication of the tag from a shared seed to the leaf with a complexity 0(N.log(n)), but will access directly the seed with a 0(N) complexity.
As in the previous case an authorised reader can be assumed to have been granted access to a sub-set of the tree. In Figure 9, a tag is identified by a reader through a pair (Yi, ID), where Vi is an element of the tree at level 9'. A secret at level 9' will give access to 21) reading operations. Upon receiving the tag message, the back-end system will find the pair (Yi, ID) that verifies the tag message.
This scheme is as private as before but it allows the authentication of a tag with a limited cost. The cost that is linear with the number of tag 0(N) and the communication cost has a complexity of 0(Iog(n)). It is important to notice that the output of the different messages can be truncated to fewer bits in this manner the communication cost can be improved.
Figure 10 depicts the role of the hint message in the present embodiment.
In the first scheme above discussed in connection with Figure 1 for example, a tag generates some explicit hints. By exploiting hint messages a third party authority can identify the tag and disclose to an authorised reader a valid seed to access the tag.
In this case however, explicit hint messages need not be generated. When a reader receives a message that cannot be authenticated, it passes the message to a third party authority that can verify the root seed and identify the tag. In this case the output of the tag implicitly contains index information. After identifying a tag the third party authority will grant access to that specific tag for a certain number of reading operations.
To conclude, the present invention describes a secure, efficient way of allowing only authorised readers to have access to information relevant to it for a limited period of time.
This is achieved through constantly changing the tag identifier, allowing more flexibility to control tag access.
The skilled person would also appreciate that there may be other ways to implement the invention so it is not limited to the particular implementation described herein; nor is it limited to use in the particular contexts described. For example, the use of the tree structure described above is not limited to two-branch trees - trees with more branches could also be used.

Claims (8)

  1. Claims: 1. A radio frequency identification transponder configured to
    respond, on detecting an interrogation attempt, by providing an output which is an identifier, the identifier being, or being based upon, a leaf or a node of a hash tree of at least binary order, wherein the identifier which is provided is different for every detected interrogation attempt.
  2. 2. A radio frequency identification transponder configured to respond, on detecting an interrogation attempt, by providing an output which is an identifier, the identifier being, or being based upon, a leaf or a node of a hash tree of at least binary order, wherein the identifier which is provided is different for every detected interrogation attempt, and which provides, in response to each of a sequence of detected interrogation attempts, one identifier of a predetermined sequence of identifiers which sequence is or is based on a predetermined sequence of leaves of the hash tree.
  3. 3. A radio frequency identification transponder as claimed in claim I or claim 2, wherein each identifier output by the transponder in response to detection of an interrogation attempt is a combination of: (i) a leaf of the hash tree or based on a leaf of the hash tree; or (ii) a node of the hash tree or based on a node of the hash tree; or is based on such a combination.
  4. 4. A radio frequency identification transponder as claimed in claim 1 or claim 2, wherein each identifier output by the transponder in response to detection of an interrogation attempt is either: (i) a leaf of the hash tree or based on a leaf of the hash tree; or (ii) a node of the hash tree or based on a node of the hash tree.
  5. 5. A radio frequency identification transponder as claimed in claim 4, wherein each identifier output by the transponder in response to detection of an interrogation attempt is a leaf of the hash tree or based on a leaf of the hash tree.
  6. 6. A radio frequency identification transponder as claimed in any one of the preceding claims, wherein the hash tree is a one-way binary hash tree.
  7. 7. A system for providing a reader of RFID transponders with the right to read a particular transponder for only a predetermined multiplicity of read attempts, the system comprising: the reader; an authorisation means; and a radio frequency identification transponder configured to respond, on detecting an interrogation attempt, by providing an output which is an identifier, the identifier being, or being based upon, a leaf or a node of a hash tree of at least binary order, wherein the identifier which is provided is different for every detected interrogation attempt; the authorisation means and the transponder sharing knowledge of the hash tree of the tag which knowledge is not known to the reader; wherein the reader is: (iii) configured to interrogate the transponder, to obtain an identifier output by the transponder; (iv) arranged to contact the authorisation means and to reveal its own identity and the obtained identifier; the authorisation means being arranged to check the entitlement of the reader to read the transponder and, if the reader is entitled to read the transponder, to provide to the reader information about the hash tree to permit the reader to read the transponder over/for the predetermined multiplicity of a interrogation attempts.
  8. 8. A method for providing a reader of radio frequency identification transponders with the right to read a particular transponder for only a predetermined multiplicity of read attempts, the transponder being configured to respond, on detecting an interrogation attempt, by providing an output which is an identifier, the identifier being, or being based upon, a leaf or a node of a hash tree of at least binary order, wherein the identifier which is provided is different for every detected interrogation attempt, the method comprising: (i) interrogating the transponder with the reader to obtain an identifier output by the transponder; (ii) providing, from the reader, an authorisation authority with the identity of the reader and the obtained transponder identifier; (iii) the authorisation authority checking the entitlement of the reader to read the transponder and, if the reader is entitled to read the transponder, providing to the reader information about the hash tree to permit the reader to read the transponder over/for the predetermined multiplicity of a interrogation attempts.
GB0500596A 2004-12-24 2005-01-12 Radio frequency identification transponder system Active GB2422746B (en)

Priority Applications (8)

Application Number Priority Date Filing Date Title
PCT/GB2006/000080 WO2006075146A1 (en) 2005-01-12 2006-01-11 Radio frequency identification tag security systems
CN200680002023XA CN101103365B (en) 2005-01-12 2006-01-11 Method for operating radio frequency identification system, and the system and device
EP06700492A EP1836653B1 (en) 2005-01-12 2006-01-11 Radio frequency identification tag security systems
US11/794,715 US7940179B2 (en) 2005-01-12 2006-01-11 Radio frequency identification tag security systems
AT06700492T ATE480836T1 (en) 2005-01-12 2006-01-11 SECURITY SYSTEMS FOR RFID LABELS
DE602006016731T DE602006016731D1 (en) 2005-01-12 2006-01-11 SAFETY SYSTEMS FOR RFID LABELS
JP2007550835A JP4768752B2 (en) 2005-01-12 2006-01-11 Radio frequency identification tag security system
KR1020077016075A KR101177958B1 (en) 2005-01-12 2006-01-11 Radio frequency identification tag security systems

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB0428377A GB0428377D0 (en) 2004-12-24 2004-12-24 Radio frequency identification tag security

Publications (3)

Publication Number Publication Date
GB0500596D0 GB0500596D0 (en) 2005-02-16
GB2422746A true GB2422746A (en) 2006-08-02
GB2422746B GB2422746B (en) 2009-06-17

Family

ID=34130940

Family Applications (3)

Application Number Title Priority Date Filing Date
GB0428377A Ceased GB0428377D0 (en) 2004-12-24 2004-12-24 Radio frequency identification tag security
GB0500596A Active GB2422746B (en) 2004-12-24 2005-01-12 Radio frequency identification transponder system
GB0500597A Active GB2422514B (en) 2004-12-24 2005-01-12 Radio frequency identification tag security systems

Family Applications Before (1)

Application Number Title Priority Date Filing Date
GB0428377A Ceased GB0428377D0 (en) 2004-12-24 2004-12-24 Radio frequency identification tag security

Family Applications After (1)

Application Number Title Priority Date Filing Date
GB0500597A Active GB2422514B (en) 2004-12-24 2005-01-12 Radio frequency identification tag security systems

Country Status (1)

Country Link
GB (3) GB0428377D0 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2428122B (en) 2005-07-08 2011-03-23 Hewlett Packard Development Co Pharmaceutical product packaging
US8234501B2 (en) 2007-11-30 2012-07-31 Infineon Technologies Ag System and method of controlling access to a device
WO2009083708A1 (en) * 2007-12-28 2009-07-09 British Telecommunications Public Limited Company Radio frequency identification devices and reader systems

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4728938A (en) * 1986-01-10 1988-03-01 Checkpoint Systems, Inc. Security tag deactivation system
US4742341A (en) * 1985-06-14 1988-05-03 N.V. Nederlandsche Apparatenfabriek Nedap Electromagnetic detection system, as well as a responder for such a system
EP0932109A2 (en) * 1998-01-22 1999-07-28 Yeda Research & Development Company, Ltd. A method for authentification item
US6292795B1 (en) * 1998-05-30 2001-09-18 International Business Machines Corporation Indexed file system and a method and a mechanism for accessing data records from such a system
US20030018688A1 (en) * 2001-07-23 2003-01-23 Sternin Jeffrey Y. Method and apparatus to facilitate accessing data in network management protocol tables
WO2003052673A1 (en) * 2001-12-17 2003-06-26 Koninklijke Philips Electronics N.V. Communication station for inventorizing transponders by means of selectable memory areas of the transponders
US20040222878A1 (en) * 2003-05-06 2004-11-11 Ari Juels Low-complexity cryptographic techniques for use with radio frequency identification devices

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4816653A (en) * 1986-05-16 1989-03-28 American Telephone And Telegraph Company Security file system for a portable data carrier
FR2819662B1 (en) * 2001-01-16 2003-07-04 Schlumberger Systems & Service METHOD OF USING ELECTRONIC PAYMENT CARDS TO SECURE TRANSACTIONS

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4742341A (en) * 1985-06-14 1988-05-03 N.V. Nederlandsche Apparatenfabriek Nedap Electromagnetic detection system, as well as a responder for such a system
US4728938A (en) * 1986-01-10 1988-03-01 Checkpoint Systems, Inc. Security tag deactivation system
EP0932109A2 (en) * 1998-01-22 1999-07-28 Yeda Research & Development Company, Ltd. A method for authentification item
US6292795B1 (en) * 1998-05-30 2001-09-18 International Business Machines Corporation Indexed file system and a method and a mechanism for accessing data records from such a system
US20030018688A1 (en) * 2001-07-23 2003-01-23 Sternin Jeffrey Y. Method and apparatus to facilitate accessing data in network management protocol tables
WO2003052673A1 (en) * 2001-12-17 2003-06-26 Koninklijke Philips Electronics N.V. Communication station for inventorizing transponders by means of selectable memory areas of the transponders
US20040222878A1 (en) * 2003-05-06 2004-11-11 Ari Juels Low-complexity cryptographic techniques for use with radio frequency identification devices

Also Published As

Publication number Publication date
GB0428377D0 (en) 2005-02-02
GB2422514A (en) 2006-07-26
GB2422514B (en) 2009-05-06
GB0500597D0 (en) 2005-02-16
GB2422746B (en) 2009-06-17
GB0500596D0 (en) 2005-02-16

Similar Documents

Publication Publication Date Title
US7940179B2 (en) Radio frequency identification tag security systems
US8035489B2 (en) Radio frequency identification transponder security
US8143995B2 (en) Control of data exchange
US9124565B2 (en) Radio frequency identification devices and reader systems
Gandino et al. A security protocol for RFID traceability
GB2422746A (en) Radio frequency identification transponder security
Kim et al. Single tag sharing scheme for multiple-object RFID applications
Song RFID authentication protocols using symmetric cryptography
Han et al. Anonymous mutual authentication protocol for RFID tag without back-end database
Anandhi et al. An RFID cloud authentication protocol for object tracking system in supply chain management
JP2007280256A (en) Id privacy protective method, id privacy protective system, id privacy protective security server, id privacy protective reader device, id privacy protective server program and id privacy protective reader program
Xia et al. A privacy protection protocol for RFID-enabled supply chain system
Lee et al. Enhanced RFID Mutual Authentication Scheme based on Synchronized Secret Information
Oyarhossein et al. Cryptography and authentication processing framework on RFID active tags for carpet products
Vartak Protecting the privacy of RFID tags
Shemaili et al. Smart RFID Security, Privacy and Authentication
Konidala et al. Light-weight RFID Tag-Reader Mutual Authentication Scheme
Koralalage Where the POP Architecture Stands among the other RFID Solutions