Session-based security enhancement of RFID systems for emerging open-loop applications

Radio frequency identification (RFID) is an important technique used for automatic identification and data capture. In recent years, low-cost RFID tags have been used in many open-loop applications beyond supply chain management, such as the tagging of the medicine, clothes, and belongings after the point of sales. At the same time, with the development of semiconductor industry, handheld terminals and mobile phones are becoming RFID-enabled. Unauthorized mobile RFID readers could be abused by the malicious hackers or curious common people. Even for authorized RFID readers, the ownership of the reader can be transferred and the owners of the authorized mobile reader may not be always reliable. The authorization and authentication of the mobile RFID readers need to take stronger security measures to address the privacy or security issues that may arise in the emerging open-loop applications. In this paper, the security demands of RFID tags in emerging open-loop applications are summarized, and two example protocols for authorization, authentication and key establishment based on symmetric cryptography are presented. The proposed protocols adopt a timed-session-based authorization scheme, and all reader-to-tag operations are authorized by a trusted third party using a newly defined class of timed sessions. The output of the tags is randomized to prevent unauthorized tracking of the RFID tags. An instance of the protocol A is implemented in 0.13-μm CMOS technology, and the functions are verified by field programmable gate array. The baseband consumes 44.0 μW under 1.08 V voltage and 1.92 MHz frequency, and it has 25,067 gate equivalents. The proposed protocols can successfully resist most security threats toward open-loop RFID systems except physical attacks. The timing and scalability of the two protocols are discussed in detail.