1

Security in RFID Systems Project report for GMU ECE 646

Alireza Pirayesh Sabzevar

Abstract— Nowadays low cost Radio Frequency Identification

(RFID) systems are one of the hot topics in the computer industry and it is receiving lots of attention from public and private sector. While RFID is suffering from poor security mechanisms, adding RFID tags to ordinary goods jeopardizes public privacy and has caused consumer protests. It is not surprising that security in RFID has received little attention so far. Until now RFID has been mainly used in closed systems with Read-Only (RO) tags. Plus the RFID industry has focused its attention on increasing the performance (read range) and reducing cost, and has paid little attention to the security requirement of the users.

There is a growing need in the RFID community to overcome several troubling problems and the industry has responded to this need in several ways. In this project, we review the background of RFID and the possible attacks against the current systems and their corresponding defensive mechanisms. As RFID tags and smart cards are getting closer in architecture and applications, we review the security mechanism of smart cards and potential threats against them to see how these mechanisms can possibly be adapted to RFID systems. It is possible to engineer a new generation of RFID tags with embedded security mechanisms based on the current architectures. In this project an algorithm for such a tag has been simulated by RPC and reviewed.

Index Terms— RFID, Smart Card, One-time pad, Security

I. INTRODUCTION adio Frequency Identification (RFID) technology has

been around for a quite some time but recently it has been changed to a controversial subject. On one side, the public and private sectors see the potential of RFID and are eager to start using this technology to enhance their products and lower costs. At the same time, RFID is suffering from poor security mechanisms and adding RFID tags to ordinary goods infringes on public privacy which has caused consumer protests.

The purpose of an RFID system is to enable data to be transmitted by a portable device, called a tag, to an RFID reader and processed according to the needs of the particular application. This system consists of 4 items as is shown in picture 1:

Picture 1: RFID System Model

Tag: An RFID tag is a small object, such as an adhesive

sticker, that can be attached to or incorporated into a product. The tag stores relevant data about the tagged item.

RF Antenna: The radio interface between the reader and the tag.

Reader: A device which communicates with the tag in order to read or write the stored data onto the tag.

Host Computer: Consists of one or more computers including a database system which is connected to one or more reader devices. The reader passes the tag value to the processing unit which retrieves more information about the tag from the database of tag information.

In a typical RFID system, individual objects are equipped with a small, inexpensive tag which contains a digital memory chip that is given a unique electronic product code. The interrogator, an antenna packaged with a transceiver and decoder, emits a signal that activates the RFID tag so it can data read from and written to it. When an RFID tagged item passes through the electromagnetic zone, it detects the reader's activation signal. The reader decodes the data encoded in the tag's integrated circuit (silicon chip) and the data is passed on to the host computer for processing. For example, the host computer can deduct the item from inventory or add the price of the item to the customer receipt.

Telephone cards and bank cards are two common examples of RFID technology in everyday life which stores data in a silicon chip in a contact-base fashion. RFID systems are useful when the mechanical contact used by a chip card is often impractical. RFID tags are often envisioned as a replacement for UPC or bar-codes, having a number of important advantages over the older technology:

• While UPC codes are limited to a single code for all instances of a particular product. RFID codes are long enough that every RFID tag may have a

R

2

unique code. • The uniqueness of RFID tags means that a product

may be individually tracked as it moves from location to location, finally ending up in the consumer's hands.

• For reading a bar-code the tag should be in line-of-sight of the reader and can be read one by one. In contrast the RFID reader doesn’t need the tag to be visible and can read many tags in less than a second.

In general, there are two main areas of application, defined broadly as proximity or short range, and vicinity or long range. Long range or vicinity applications can be described as track and trace applications, but the technology provides additional functionality and benefits for product authentication. Typical end-uses include, but are not limited to supply chain management, parcel and post, garment tags, library and rental sectors and baggage tagging. Short range or proximity applications are typically access control applications and mass transit ticketing.

The use of RFID technology has generated considerable controversy and even product boycotts. The four main privacy concerns regarding RFID are:

1. The purchaser of an item will not necessarily be aware of the presence of the tag or be able to remove it.

2. The tag can be read at a distance without the knowledge of the individual. In everyday life, people are prone to carrying various objects around with them. Some of them are quite personal, and provide information that the user does not want anyone to know about. Examples include money, expensive products, medicine (which may indicate a particular disease), or books (which mirror personal consciousness and avocation). If such items are tagged, various personal details can be acquired without the knowledge of the owner.

3. If a tagged item is paid for by credit card or in conjunction with the use of a loyalty card, then it would be possible to tie the unique ID of that item to the identity of the purchaser. An adversary can link the credit card details with that purchased tagged item, the identity and movements of the consumer can be traced by tracking the ID of the tag. This problem is especially severe if the items are kept for a long time. To stretch the point a bit, this situation is similar to forcing the user to carry a tracking device [21].

4. Tags create, or are proposed to create, globally unique serial numbers for all products, even though this creates privacy concerns and is completely unnecessary for most applications. Most concerns revolve around the fact that RFID tags affixed to products remain functional even after the products have been purchased and taken home, and thus can be used for surveillance, and other nefarious purposes unrelated to their supply chain inventory functions. For solving this problem some

protesters suggest that the consumer should remove the tag or if it’s not removable item should be put in microwave oven to kill the tag!!

[39], [14] are two activist sites devoted to exposing privacy problems with RFID.

II. RFID BACKGROUND Perhaps the first work exploring RFID is the landmark 1948

paper by Harry Stockman, entitled "Communication by Means of Reflected Power" [17]. Stockman predicted that "...considerable research and development work has to be done before the remaining basic problems in reflected-power communication are solved, and before the field of useful applications is explored." It required thirty years of advances in many different fields before RFID became a reality.

The use of RFID in tracking and access applications first appeared during the 1980s. RFID quickly gained attention because of its ability to track moving objects. Founded in 1999, the Auto-ID Center [7] was a unique partnership between almost 100 global companies and six of the world's leading research universities; the Massachusetts Institute of Technology the US, the University of Cambridge in the UK, the University of Adelaide in Australia, Keio University in Japan, the University of St. Gallen in Switzerland and Fudan University in China. Together, they were creating the standards and assembling the building blocks needed to create an "internet of things." The Auto-ID Center officially closed on October 26th, 2003. The final board meeting was held in Tokyo, Japan. The Center completed its work and transferred its technology to EPCglobal (www.epcglobalinc.org), which is now responsible for administering and developing EPC standards going forward. The university labs of the former Auto-ID Center are now referred to as Auto-ID Labs (www.autoidlabs.org).

As the technology is refined, more pervasive—and invasive—uses for RFID tags are in the works [47]. Nowadays, private companies are injecting RFID to their products. For example, in January 2003, Michelin announced that it has begun testing RFID transponders embedded into tires [28]. After a testing period that is expected to last 18 months, the manufacturer will offer RFID-enabled tires to car-makers. Their primary purpose is tire-tracking in compliance with the United States Transportation, Recall, Enhancement, Accountability and Documentation Act (TREAD Act). Wal-Mart is pushing its suppliers to start using RFID to track inventory by 2005 and the Gillette Company conducted a "smart shelf" test at a Tesco in Cambridge [27]. They automatically photographed shoppers taking RFID-tagged safety razors off the shelf, to see if the technology could be used to deter shoplifting.

On the government side, a number of countries have proposed to embed RFID devices in new passports to facilitate efficient machine reading of biometric data. The US state of Virginia has considered putting RFID tags into drivers' licenses in order to make lookups faster for Police Officers

3

and other government officials [47]. The Virginia General Assembly also hopes that by including the tags fake identity documents would become much harder to obtain. The European Central Bank is working with technology partners on a project to embed RFID tags into the very fibers of euro bank notes by 2005 [33].

III. RFID TAGS RFID tags can be either active or passive. Passive RFID

tags do not have their own power supply; the minute electrical current induced in the antenna by the incoming radio-frequency scan provides enough power for the tag to send a response. Due to power and cost concerns, the response of a passive RFID tag is necessarily brief, typically just an ID number (GUID). Lack of its own power supply makes the device quite small; commercially available products exist that can be embedded under the skin. As of 2004, the smallest such devices commercially available measured 0.4 mm × 0.4 mm, and thinner than a sheet of paper making such devices practically invisible. Passive tags have practical read ranges that vary from about 10 mm up to about 5 meters.

Active RFID tags, on the other hand, must have a power source, and may have longer ranges and larger memories than passive tags, as well as the ability to store additional information sent by the transceiver. At present, the smallest active tags are about the size of a coin. Many active tags have practical ranges of tens of meters, and a battery life of up to several years. Active RFID tags are out of the scope of this project and from now on any reference to RFID tag means passive RFID tag otherwise the type will be explicitly mentioned.

Table 1: Frequency ranges for RFID-Systems [19]

Frequency range

Comment

< 135 kHz low frequency, inductive coupling 6.765-

6.795 MHz medium frequency (ISM), inductive coupling

7.400-8.800 MHz

medium frequency, used for EAS (electronic article surveillance) only

13.553-13.567 MHz

Medium frequency (13.56 MHz, ISM), inductive coupling, wide spread usage for contactless smartcards (ISO 14443, MIFARE, LEGIC), smart labels (ISO 15693, Tag-It, I-Code, ...) and item management (ISO 18000-3).

26.957-27.283 MHz

medium frequency (ISM), inductive coupling, special applications only

433 MHz UHF (ISM), backscatter coupling, rarely used for RFID 868-870 MHz UHF (SRD), backscatter coupling, new frequency,

systems under development 902-928 MHz UHF (SRD), backscatter coupling, several systems 2.400-2.483 GHz

SHF (ISM), backscatter coupling, several systems, (vehicle identification: 2.446 .. 2.454 GHz) 4 W - spread spectrum, USA/Canada only,

5.725-5.875 GHz

SHF (ISM), backscatter coupling, rarely used for RFID 4 W USA/Canada,

There are four different kinds of tags commonly in use,

their differences are based on the level of their radio

frequency: Low frequency tags (between 125 to 134 kilohertz), High frequency tags (13.56 megahertz), UHF tags (868 to 956 megahertz), and Microwave tags (2.45 gigahertz and above). Table 1 shows the complete list of RFID frequency ranges.

As passive tags are much cheaper to manufacture, the vast majority of RFID tags in existence are of the passive variety. As of 2004 tags cost about $0.25 and the current aim is to produce tags for less than $0.05 to make widespread RFID tagging commercially viable.

An RFID tag is powered only when within range of a reader. Because a reader is little more than a radio transceiver, this means that a tag can be read from various distances depending on the power of radio wave. Table 2 shows typical read range for different readers made by Texas Instruments. Table 2 easily shows that the typical read range is not related to the frequency.

Table 2: Read range, Frequency and price of RFID readers from Texas Instrument.

Typical Read Range (cm) Frequency Cost

40 134.2 kHz $595.00

15 134.2 kHz $245.00

18 13.56 MHz $645.00

15 13.56 MHz $595.00

91 13.56 MHz $2,550.00

91 134.2 kHz $748.54

IV. ATMEL TK5552 Here, we review a very powerful passive tag and its reader

device. Later when we review an algorithm introduced by RSA Security Inc. [3] for adding cryptography to low-cost RFID tags we see how adding some simple functions to TK5552 can solve the RFID security problems.

The TK5552 [4] is a complete programmable R/W passive RFID transponder which works in the 125 KHz frequency range and implements all of the important functions for identification systems.

The TK5552 can be used to adjust and modify the ID-Code or any other stored data. The chip has a 992-bit EEPROM (32 blocks of 33 bits block) which can be write-protected by lock bits. The 7 blocks can be read one by one or in a block. The 8th block works as a password for the rest of the blocks. If the reader sends the correct value for block 8, then it can read blocks 9 through 32.

TK5552 is suitable for industrial asset management, process control and automation and it can be purchased from Digi-key.com for $2.35 each but the price drops significantly if purchased in high quantity.

The CY8C0105-B5 Chip Module [36], Picture 2, is a 28 pin DIP (600 mil) package type RFID module that includes all

4

necessary components for an RFID Reader except the inductor. It demodulates the Manchester RF 32 / 64 signal and decodes it automatically. The data written in the transponder is ready to be processed or sent. A user never needs to know about decoder algorithms or the RFID concept.

The PSoC (Programmable System on Chip) used on the Chip Module eliminates the use of some external components such as filters, amplifiers and even microcontroller.

Picture 2: CY8C0105-B5 Chip Module (photo from [36])

The TK5552 reader device on the market, SM2005-B5 [37]

chipset from SonMicro (www.sonmicro.com), shown in picture 3, is both a Development Kit for the CY8C0105 Chip Module and an RFID Programmer. With this $66.00 device a user can create, develop or evaluate specific applications. The device can either be connected to a PC or some other peripheral device (e.g. microcontroller). The Development Kit provides Input/Output for a Chip Module as well as other features like UART pins and PC connectivity. SM2005-B5 also acts as an RFID Programmer. It programs most ATMEL/Temic tags (e.g. T55xx, TK55xx series) and can communicate with a PC by RS232 (DB9) serial port at 19200 bps.

SMRFID is downloadable software from SonMicro which makes it easier to start with this kit. It provides RFID Programmer/Writer and RFID Reader features as well as calibrating and programming the CY8C0105 RFID module with custom user assembler code.

Picture 3: SM2005-B5 from SonMicro (photo from [36])

The maximum distance between the base station and the

TK5552 depends mainly on the base station, the coil geometries and the modulation options chosen. With demo equipment, 5 cm range can be achieved but the exact measuring of maximum distance should be carried out with the TK5552 being integrated into the specific application. For longer distance used in industrial applications, specific solutions like two or more reader coils should be used [4].

V. ATTACK ON TAGS An adversary may gain access to the backend database. In

such a case no mechanism can ensure security as the attacker is able to compromise the integrity and confidentiality of the entire system. We do assume that the adversary only has access to an RFID reader and can perform passive eavesdropping or active attacks.

Because a reader is little more than a radio transceiver, this means that attackers will be able to obtain illegitimate readers that can be used to query RFID tags from some distance. For example 13.56 MHz RFID tag vendors claim that their readers can interact with tags from a distance of 2 feet and hand-held readers might work up to 8 inches away from the tags. These distances are limited primarily by regulation on reader power and antenna size; thus, it should be possible for illegal readers to have a read range several times larger.

Vendors usually put vendor-ID on these tags to distinguish their products from other vendors’ products. Most of these tags are static with no access control mechanism. The ability of attackers to monitor this type of tag raises the privacy issue among the consumers. An adversary can begin profiling a person by scanning the person and his/her belongings because a few feet of read range is sufficient for scanning people passing through doorways and other close spaces.

Because the communication between reader and tag is wireless, there is a possibility for third parties to eavesdrop on these signals. One unusual aspect of RFID communication is an asymmetry in signal strength: because tags respond by passively modulating a carrier wave broadcast by the reader, it will be much easier for attackers to eavesdrop on signals from reader to tag than on data from tag to reader.

Regarding the fact that many RFIDs may be in range of a reader at the same time, collision-avoidance protocols must be used. The details of these protocols are often kept secret in proprietary tags. The ISO 18000 standard, however, specifies collision-avoidance protocols for each of its two modes, as does the EPCGlobal suite of tag protocols. These protocols require a separate identifier, which we will call a collision-avoidance ID that may be independent of the data stored on the tag. An adversary can easily issue a read request to a group of anti-collision tags and by harvesting the results, calculate the number of specific items in an inventory.

Even if RFID tags were upgraded to control access to bar codes by using read passwords or some other form of access control, many tags could still be identified uniquely by their radio behavior. In particular, many tags use a globally unique and static collision ID as part of their collision-avoidance

5

protocol. This typically will allow unauthorized readers to determine the tag's identity merely through its collision-avoidance behavior. For example, In EPC 915 MHz tags, there are three different modes for collision avoidance, one of which uses the globally unique Electronic Product Code (EPC) ID. The choice of modes is controlled by the reader. An adversarial reader can simply ask the tag to use its EPC ID; because there is no authentication of this command, the tag will obey. As a consequence, any system using one of these tags will be vulnerable to user tracking. The collision-avoidance behavior is hard-coded at such a low-level layer of the tag that no matter what higher layers do privacy will be unachievable. This is unfortunate, because it means that much of today's RFID hardware is simply incompatible with privacy for library patrons. It is also dangerous, as vendors and libraries may implement privacy-enhancing methods that focus on tag data and be unaware that tags are not private.

In deployments with rewritable tags, some method must be used to prevent adversaries from writing to the tag. Otherwise, an adversary can commit acts of vandalism such as erasing tag data, switching two pieces of merchandise’s RFID data. Unfortunately, several current specifications with write protection in their architectures are problematic in many applications. The EPC 13.56 MHz tag specification, as well as the ISO 18000-3 MODE 1 specification, includes a “write" and a “lock" command but no “unlock" command. In addition, write commands are not protected by a password. This is consistent with a supply chain application that writes a unique serial number to a tag, and then never needs to re-write the number. While the lock command is only an optional part of the ISO 18000-3 MODE 1 standard, it is supported by many tags.

In ISO 18000-3 MODE 2 locking is also irrevocable, but is protected by a 48-bit password. Once locked, a page of memory cannot be unlocked by any reader. A page containing a security bit needs to be unlocked or else the status of the bit can not be changed. An adversary can change the security bit and then lock that page of memory. The resulting tag is then unusable, as the memory cannot be unlocked; in this case physical replacement of the tag is required. Irrevocable locking of the security bit is known as a security bit denial of service.

TAGSYS C220 tags avoid security bit denial of service by having a special area of memory dedicated to the security bit built into the tag, separate from regular data storage. Checkpoint tags, in contrast, do not implement security bits, but rely on backend database.

The ISO 18000 standard and EPC specifications only allow for static passwords sent in the clear from reader to tag. Current deployments do not seem to use read passwords, but write passwords are employed. If a single password is used for all tags, then a compromise of any tag compromises the entire system. In deployments that use writable security bits, the write password is used on every transaction; in systems with read passwords, exit sensors must use the read password every time an item leaves the store. In either case, passwords are

available to a passive eavesdropper. Consequently, eavesdropping on a single communication reveals the password used by every tag in the system, a serious security failure. Once learned by a single adversary, a password can be posted on the Internet. Then, anyone with a reader can mount the attacks we have discussed. If different passwords per tag are used, then some mechanism is required to allow the reader to determine which password should be used for which tag. Unfortunately, most obvious mechanisms for doing so, such as having a tag send an index into a table of shared secrets to the reader; provide tags with static, globally unique IDs. These globally unique IDs allow tracking of tags, which defeat the entire purpose of read access control. Thus, privacy appears incompatible with prudent password management.

For minimizing the cost, Class I tags [16] have no access control function. Thus, any reader can freely obtain information from a tag. Since communication between a tag and a reader is by radio, anyone can access the tag and obtain its output. Moreover, attackers can eavesdrop on the communications between tags and readers, which is a cause of much consumer apprehension. It can be seen that all the tags are suffering from one or more security and privacy issues:

• Security issue: Lack of password protection for read and write

• Security issue: Unencrypted communication between reader and the tag

• Privacy issue: Having a constant value on the tag which makes it easy for eavesdropper to track a particular tag.

VI. RELATED WORKS ON SECURITY OF NON-SECURE TAGS As mentioned before, an RFID tag is powered only when

within range of a reader. This means that the tag only has a limited amount of time to carry out computation, and pre-computation of results is impossible during times when the tag is out of range. Also, an RFID only has a few gates and many of these are taken up by logic required for basic operation. It’s estimated as few as 500-5000 gates total in a typical RFID design exists, leaving little for extras such as security. In particular, symmetric encryption schemes such as AES, hash functions such as SHA1, or pseudo-random functions are not possible on today's RFID tags. While some low-end smart cards and tags have incorporated constructions based on stream cipher designs, no standardized low-gate primitive exists. Simple password comparisons and XOR operations are all that can be expected on most current generation RFID tags [13].

There are lots of work on RFID security and privacy. The very first works have been done by Auto-ID center [6]. They propose using a KILL command to deactivate a tag. The Auto-ID center supported tags have a unique 8-bit password, and upon receiving the password, the tag erases itself. This function is useful in protecting the user’s privacy, but a conscious decision is required to initiate the procedure and it is difficult to ensure that the kill command was properly

6

executed. Moreover, tag suicide prevents any subsequent usefulness such as special services for each client. This property actually diminishes the benefits of RFID tags. Moreover, each password is only 8 bits long, so a malicious attacker may be able to determine some passwords in approximately 28 computations, and use this command abusively. This feature should be used with other protection schemes.

Using hash function is another way of securing tags in a low cost way [38]. The reader has key k for each tag, and each tag holds the resultant metaID where metaID = hash(k) of a hash function. A tag receives a request for ID access and sends metaID in response. The reader sends a key that is related to metaID received from the tag. The tag then calculates the hash function from the received key and checks whether the result of the hash function corresponds to the metaID held in the tag. Only if both data sets agree does the tag send its own ID to the reader. Although this scheme offers good reliability at low cost, since metaID is fixed, the adversary can track the tag via metaID. To avoid this, the metaID should be changed repeatedly; however, operating the system in a way that satisfies this requirement in practice is difficult.

A randomized hash lock scheme [38] is an extension of the hash lock type scheme. It requires the tag to have a hash function and a pseudo-random generator. Each tag calculates the hash function based on the input from pseudo-random generated, r and id, i.e., c = hash(idjr). The tag then sends c and r to the reader. The reader sends the data to the back-end database. The back-end database calculates the hash function using the input as the received r and id for each ID stored in the back end database. The back-end database then identifies the id that is related to the received c and sends the id to the reader. The tag output changes with each access, so this scheme deters tracking. However, this scheme allows the location history of the RFID tag to be traced if the secret information in the tag is revealed, i.e., this scheme cannot satisfy the forward security requirement. Additionally it is said that a hash function can be achieved at low cost, however, a pseudo-random generator may be difficult to incorporate at low cost.

In the Anonymous ID scheme proposed by NTT [33], the tag output is an anonymous ID; the adversary can never know the real ID of the tag. This is realized by using public-key encryption schemes, symmetric-encryption schemes or a random value linked to tag’s ID on external computation units. Since the tags only use RAM to hold the anonymous ID as sent from the reader, they are relatively inexpensive. To use this scheme in practice, an authentication or secure channel must be established between the reader and the back-end database. Because the anonymous ID is fixed, tracking again becomes possible. Thus, it is necessary to change consciously the anonymous ID. It will be difficult to operate this system in practice.

The external re-encryption scheme, by RSA Lab [1] uses public-key encryption. Tag data are rewritten at the request of

the user using data sent from an external unit. This unit is necessary because public key encryption imposes heavy calculation loads that are beyond the ability of the tag. This task is usually done by the reader. The tags output seems random in each rewrite period, so an adversary who eavesdrops only on the tag output cannot trace the tag over long periods of time. This method in practice considers a purported plan by the European Central Bank to embed RFID tags in Euro banknotes [1]. They propose a privacy-protecting scheme in which RFID tags carry ciphertexts on the serial numbers of banknotes. These ciphertexts are subject to re-encryption by computational devices in shops, thereby rendering multiple appearances of a given RFID tag unlikable. This scheme, however, assumes a single verifying entity – namely a law-enforcement organization – and is not obviously extensible to the multi-verifier systems likely in commercial and consumer environments. The difficulty of this method is that the data of each tag must be rewritten often, because the encrypted ID is constant.

VII. SECURE TAGS Lots of companies are producing RFID equipments with

different specifications. Among them we review secure tags from Texas Instruments and ATMEL. Texas Instruments is chosen because of its big role in the IC industry and its wide range of products. AMTEL is attractive for us because we are going to discuss a security algorithm for a virtual tag which has many similarities with one of ATMEL’s non-secure tags.

Texas Instruments offers a wide range of RFID tags and readers including encrypted transponders. RI-TRP-BRHP [40], a 23mm Glass Capsule Transponder Digital Signature transponder (DST), is an authenticating device using a challenge/response (uni-directional) encryption method which makes the transponder response secure. Other features include a fixed, unique read-only code and optional password protection. The device is ideally suited for applications which demand the most secure authentication techniques in the smallest available package (such as vehicle immobilizers and locks). Picture 4 shows this transponder in 2 different sizes.

Picture 4: RI-TRP-BRHP in 2 sizes

The transponder works in 134.2 KHz frequency and has

memory of 88 bits which has been organized in 4 pages: • Page 1: 8 bits Password (user programmable and

lockable), • Page 2: 8 bits Identification “ID“ (user

programmable and lockable), • Page 3: 32 bits Serial Number and Manufacturing

Code (Factory programmed and locked), • Page 4: 40 bits Encryption Key (user

programmable and lockable)

7

Beside 88 bits of memory, the chip has 40 bits random Challenge, 24 bits Response 24 bits and 24 bits of SN with Cyclic Redundancy Check (CRC) on data.

The Digital Signature Transponder (DST) is a crypto device which offers the challenge/response functionality. During initialization, the vehicle security system and the transponder exchange a secret encryption key. The key cannot be read out; only the transponder response to a challenge sent by the transceiver can be read. In a typical application, the vehicle security system generates a 40 bit random number (the challenge), and sends it to the transponder using Pulse Width Modulation (PWM). In the transponder the challenge is shifted into the challenge register. For a short period of time, energy is provided by the transceiver and the encryption logic generates a 24 bit response (signature). The response R is a function of the encryption key Ke, the challenge RAND and the cryptographic algorithm Fc .R = f (Fc, RAND, Ke ) The response is returned to the transceiver using Frequency Shift Keying (FSK). The security system calculates the expected response using the same algorithm and the same encryption key and compares the response received from the transponder to the calculated one. The calculation of the expected response can be done simultaneously to the communication between transponder and reader or after reception of the transponder response. If the expected and the calculated response are equal, the information is sent to the engine management computer. In time critical applications, the challenge and the response can be generated after immobilization and stored for the next cycle [20].

Texas Instruments has a new generation of secure RFID transponder, RI-TRP-V9WK [41], which provides additional levels of security. In addition to the proven TI encryption known from the DST transponder, mutual authentication increases security and sophisticated diagnostic features allow fraud prevention and after-theft diagnosis. RI-TRP-V9WK offers 50Byte of EEPROM memory from which 26Byte are free for user data. The DST+ can be operated in DST mode in which it is functional compatible to the DST. The company claims that transponder has a compact and robust construction which has a built-in notch for precise fixture in secondary packages. Picture 5 shows the RI-TRP-V9WK.

Picture 5: RI-TRP-V9WK from Texas Instrument, a secure

RFID Tag (the photo doesn’t show the actual size) Currently ATMEL provides 9 transponders in 2 different

frequencies [45]. Table 3 summarizes these products. As can be seen, among all, only two, e5561 and TK5561A-PP, provide security mechanism. The e5561, which is the core of TK5561-A-PP as well, uses password restricted access and challenge/response mechanisms for reader-to-tag and tag-to reader authentication [44].

Table 3: RFID tags from ATMEL [45] 125/134 kHz Read-Only

Device Description e5530 Read-only transponder IC for contactless RF

identification TK5530 Read-only transponder for contactless RF

identification 125/134 kHz Read/Write (OTP)

Device Description e5561 Read/Write transponder IC for contactless

RF identification for highly sophisticated security applications.

T5552 Transponder module with 1-Kbit memory, includes the IDIC(TM) e5552 plus 425-pF capacitor

T5554 Standard R/W IDIC (264 Bit) with Integrated Capacitance

T5557 Read/write transponder IC for contactless RF identification with on-chip 75-pF capacitor

TK5551 Standard Read/Write ID Transponder with Anti-collision

TK5552 125 kHz read/write transponder, Manchester RF/16, RF/32

TK5561A-PP Read/Write Crypto Transponder for Short Cycle Time

As said before, a challenge/response mechanism might be a good solution for securing tags but it is sensitive to the population of the tags. This method is widely used for automotive anti-theft systems which a reader (one per car) handles two or three keys. With challenge/response mechanism tag and reader authenticate but still the communication, if there is any, is in clear text and vulnerable to unauthorized hearing. For the immobilizer solution which uses a low frequency and short distance communication it might not be a problem but other applications which need longer distance will suffer from this security problem.

There is a lot of talk about using NTRU [23] as a light-weight public-key cryptosystem for RFID. For this purpose a new version of NTRU, NTRU GenuID, has been adapted which is claimed that can eliminate expensive co-processors on high-end RFID devices as well as contactless Smart Cards. The website of the company [23] claims that on Feb 2002, NTRU has presented a demonstration of its security mechanism on RFID technology at the RSA Conference in San Jose but there is no further information there. ATMEL AVR [5], The NTRU GenuID chip from ATMEL, uses an 8-bit RISC processor to implement an NRTU public key cryptosystem on the labels [19]. Hence, the NTRU implementation is able to harness all the advantages of a public key cryptosystem. However, the hardware implementation is resource intensive and the RFID label produced from the GenuID chip is an active label that stands at the more expensive end of the RFID label scale [10].

8

VIII. SMART CARD AND RFID A smart card is typically in a "credit card" sized form factor

with a small-embedded computer chip. This card-computer can be programmed to perform tasks and store information.

It seems functionality of RFID and smart cards are merging together so rapidly. On Oct. 2002, a French company announced its plan for producing an RFID tag with a 16-bit microprocessor and new encryption technology [26] and just recently, Matsushita, best known for its Panasonic brand products, developed the industry’s first SD Memory Card with contactless smart card capabilities [30].

Moore's Law tells us that the number of transistors per unit silicon doubles every 18 months [16]. These extra transistors might be used to enable cryptographic primitives on tags of equal cost as today's tags and making them more similar to smart cards.

There are different types of smart cards: memory cards, processor cards, electronic purse cards, security cards, and JavaCards. A smart card that has a processor is inserted into a smart card reader (commonly called a card terminal) and is available for use. The software wishing to communicate with the reader needs to send some commands to manage the reader, things like power up and transfer command to card. The commands sent to cards can be custom, but we prefer to use the standard ISO 7816 specifications, which define command formats in great detail. Many different types of readers exist and soon we hope to see them shipped as standard equipment on PCs. JavaCard is a smart card that is capable of running Java byte codes [22].

Smart Cards have a rich security background and security mechanisms like access control, password protection and provisions for physical security have been embedded to it. Because of the on-board computing power of the smart card, it is possible to achieve off-line transactions and verifications. For instance, a smart card and a card acceptor device (CAD) can identify each other by using the mutual active authentication method. Moreover, using computational scrambling encryption, data and codes stored on the card are encrypted by the chip manufacturer, which makes the circuit chip almost impossible to be forged.

One of the security features provided by most of the smart card operating systems is the cryptographic facilities. They provide encryption and decryption of data for the card; some of them can even be used to generate cryptographic keys [8].

Because smart cards are often used in security-critical situations, they have undergone a fair amount of scrutiny from security researchers. Two main results are worth considering: 1) the terminal problem, and 2) physical attacks on the card. The terminal problem is really a trust issue. How is a card user to be sure that the card is doing what it is supposed to be doing during a transaction? How can a card user check to see whether account balances (for example) have been properly debited or credited? The problem is that cards are very much black boxes.

The terminal problem shows itself in RFID systems with a

higher magnitude. Not only does the trust issue exist, but the tag can also be read at a distance without the knowledge of the individual. Another privacy issue is due to RFID's support for an anti-collision protocol. This is the means by which a reader enumerates all the tags responding to it without them mutually interfering. The structure of the most common version of this protocol is such that all but the last bit of each tag's serial number can be deduced by passively eavesdropping on just the reader's part of the protocol. Because of this, whenever RFID tags are near to readers, the distance at which a tag's signal can be eavesdropped is irrelevant; what counts is the distance at which the much more powerful reader can be received. Just how far this can be depends on the type of the reader, but in the extreme case some readers have a maximum power output that could be received from tens of kilometers away.

The most obvious and direct attack on a smart card is a physical attack on the card itself. In the case of a stored-value card, this sort of attack may even be carried out by the owner of a card. Physical attacks attempt to reverse engineer the card and determine the secret key(s). Such attacks have been demonstrated in practice against commercial secure smart card chips, most notably by three groups of researchers [8].

These problems are Non-Java-related problems which have a real impact on card security and that they are not solved by Card Java. Instead, Card Java itself presents an intriguing new set of risks in terms of security [15].

Can be assumed that RFID and smart cards are virtually vulnerable to the same type of physical attacks but as RFID is lagging in more basic security subjects, it is not surprising that no physical attack has been reported for RFID.

IX. CONTACTLESS RFID/SMART CARD ISO/IEC 14443 [18] was initiated in 1994 to standardize

contactless proximity cards and finalized in 2001. To date, approximately 250 to 300 million contactless smart cards have been shipped based on the ISO/IEC 14443 standard [32]. The majority of these cards are used in transportation applications for automatic fare collection, with the largest installations in Asia. ISO/IEC 14443 cards are supplied by the largest base of semiconductor suppliers and card manufacturers.

SmarTrip is the Washington Metropolitan Area Transit Authority’s (WMATA) [43] [25] contactless smart card that is used for paying fares in the rail system and fees at parking facilities. Use of the card will be expanded to Metrobus and other regional transit operators in the near future. The WMATA smart card automatic fare collection system links both the rail and parking operations with a single fare medium, the SmarTrip card. Picture 6 shows the SmarTrip card itself and Picture 7 the X-Ray of the same card is shown.

9

Picture 6: Smartrip card

Picture 7: X-Ray of a Smartrip card

A number of different ISO/IEC 14443-compliant card

products are available, offering a range of characteristics at a number of price points. These characteristics include compliance to different levels of the standards, differing encryption and authentication schemes, and differences in processing power and card resources. Readers are available that can interoperate with the range of available card products, allowing an issuer to provide a choice of solutions and a migration path to more powerful devices if required [35].

ISO/IEC 14443 does not specify a standard for contactless link encryption or card-to-reader authentication. However, virtually every semiconductor vendor provides options to provide these security services. A common encryption/authentication protocol used with ISO/IEC 14443 Type A is the MIFARE [24] protocol. An independent certification institute offers MIFARE compliance testing, ensuring that certified products from multiple vendors will work together. The 10 centimeter operational range of ISO/IEC 14443 may be an advantage since the act of payment is more intentional and close proximity of the card to the reader helps limit unintended communication. The 106 Kbps data rate of ISO/IEC 14443 cards are also considered an advantage in that more bandwidth is available for stronger security, a larger amount of application data and reduced time in field.

Contactless microcontroller (MCU) cards that comply with ISO/IEC 14443 offer an excellent combination of interoperability and security. New dual-interface or contactless MCU cards fully comply with ISO/IEC 14443 (through part 4 of the standard). As a result, contactless and dual-interface smart cards have the same level of interoperability as contact smart cards. For example, dual-interface cards made available by Visa can execute the same financial applications in either ISO/IEC 7816 contact or

ISO/IEC 14443 contactless mode. ISO/IEC 14443 MCU-based smart cards offer security features equivalent to those offered by contact smart cards. Features such as memory firewalls that separate applications on the card, encryption, sensors, tamper-resistance, and crypto coprocessors provide robust security for transactions [35].

Contactless wired logic technologies are also available in the market and can comply through Part 3 of the ISO/IEC 14443 specification. While these products cannot support the ISO/IEC 7816-like Part 4 protocol layer, they do offer a lower price point and faster performance. Depending upon the needs of the issuer and the products or applications to be supported, these could be a cost-effective choice.

The financial industry is supporting contactless payment solutions based on ISO/IEC 14443. Visa International has endorsed a global payment specification for contactless cards based on ISO/IEC 14443, and a number of trials in Asia are already underway or planned. MasterCard International has also implemented contactless technology based on ISO/IEC 14443 for use by its members and in the PayPass pilot in Orlando, Florida [42]. In 2002 Visa introduced the dual-interface GlobalPlatform (GP) card, based on Philips technology. Unlike previous dual-interface cards, the new GP cards allow applications to be downloaded, modified, and deleted after the card has been issued. The cards also support VSDC and Visa multi-functionality. Three major districts in South Korea, (City of Daejon, City of Gwangju, and Chungnam Province) have adopted these dual-interface GP cards. Issuance began in 2003, with a target of up to 2 million cards. In addition to the ISO/IEC 14443 and MIFARE-based transit application, the card will also carry VSDC (EMV credit and debit), digital ID, Visa Cash e-purse, and loyalty applications. Other cities that have been issuing proprietary transit cards and are planning to migrate to Visa’s dual-interface Global Platform cards.

The most widely used contactless chip is the MIFARE A chip, developed by Philips, who has licensed many suppliers to produce both chips and readers. Used in hundreds of diverse applications - such as road tolling, airline ticketing, access control and phone cards, the MIFARE interface platform consists of chip solutions for contactless and dual interface smart cards and reader devices. It has become the industry standard for contactless and dual interface applications where convenience, flexibility and speed are key requirements. The chips are usually embedded into cards, although other forms are available (e.g. key fobs). A long aerial is also embedded into the card, which powers the chip when the card is held in the electromagnetic field emitted by a card reader [24].

ISO/IEC 14443-compliant readers are available from multiple vendors. In addition, several readers are capable of reading both ISO/IEC 14443- and ISO/IEC 15693-compliant cards, with a few supporting an even broader range of technologies [9].

When powered, the chip can respond to the reader e.g. to provide data to a door access-control application. The chip has

10

16 data sectors, the first of which contains a unique id set at manufacture and unchangeable thereafter. Applications may use this id, or may write their own information into one of the other sectors.

Each sector has two keys and configurable access conditions controlling read, write, increment and decrement. This allows, for example, one key with limited rights to be widely circulated, while the other key is given greater rights and kept private.

Security is an improvement over the existing magnetic strip system for two reasons. First, it is much more difficult to forge a MIFARE card than it is to forge a swipe strip. Second, communication between chip and reader is encrypted, although with a proprietary algorithm, rather than a simple encoding of the number. However, the encryption will use a key that is likely to be known to a large number of readers.

To provide a very high security level a three pass authentication, based on ISO-9798-2, takes place between MIFARE card and the reader station as following:

a) The reader specifies the sector to be accessed and chooses key A or B.

b) The card reads the secret key and the access conditions from the secret trailer and then the cards send a random number to the reader as challenge.

c) The reader calculates the response using the secret key and additional input. The response, with a random challenge from the reader is then transmitted to the card

d) the card verifies the response by comparing it to its challenge and then it calculates the response to the challenge and sends it to the reader.

e) The reader compares the response with its own challenge.

After transmission of the first random challenge the communication between card and the reader is encrypted.

MIFARE cards are working in 13.56 MHz frequency which

is also used by RFID tags. Powered by the energy of radio frequency signal, MIFARE cards can run a secret key encryption program which may need thousands of gates so it won’t be surprise if RFID tags in the same frequency or lower can computer a basic function like XOR.

X. AN ALGORITHM FOR SECRECY OF LOW-COST TAG In this part we outline a security model for privacy and

authentication in low-cost RFID tags based on a paper from RSA Security [3]. The model supposes that the tag has a limited computing ability but still the tag remains in the category of low-end RFID tags.

Let k be some value stored in the tag, i.e. k={α, β, γ} and suppose m be a parameter governing the resistance of the

protocol against attacks. For every value of k, we keep ∆k = {δk

(1), δk(2), δk

(3),…. δk(m)} of one-time pads on tag. To update k,

pad(k, ∆k), the tag computes k← δk(1) XOR k.

After updating the value of k, δk(i)← δk

(i+1) for 1≤i≤m-1, δk

(m) ←0 and the pads in ∆k are updated with new padding material received from the verifier. We call this function update(∆k ,∆’k). Let ∆’k = {δ’k

(1), δ’k(2), δ’k

(3),…. δ'k(m)} be a vector of newly generated one-time pads received from the verifier in our protocol, the vector ∆k is updated as δk

(i)← δk(i) XOR δ’k

(i) for 1≤i≤m. As the result of these manipulations, the vector ∆k consists of a set of m one-time pads with decreasing level of backward secrecy. The δk

(1)

which is called live pad, consists of the successfully completed XOR operation of past m independent pads.

In this scheme, before any data read or write, the verifier and the tag go to an authentication phase based on a challenge-response protocol. In the following the protocol is provided. Tag Verifier Initialization to k={α, β, γ} ∆k = {δk

(1), δk(2), δk

(3),…. δk

(m)}

k= pad(k, ∆k) k={α’, β’, γ’}

Store the value of k={α’, β’, γ’} and ∆k = {δk

(1), δk(2), δk

(3),…. δk(m)}

in the database ← read← k={α’, β’, γ’} → α’→ If α’ is valid αx for some tag Tx

then tag←x extract kx={αx, βx, γx} from database

← βx ← If β’≠ βx then output(“reject”) and abort

Else → γ’→ If γ’≠ γx then output(“reject”)

and abort Else Output(“accepted”)

prepare the random set of ∆’k = {δ’k

(1), δ’k(2), δ’k

(3),…. δ'k(m)} ← ∆’k ← update(∆k ,∆’k) Update(∆k ,∆’k) k= pad(k, ∆k) k= pad(k, ∆k)

The security model imposes two restrictions on adversarial interaction with tags between refreshes:

• An adversary may interact with targeted RFID tags only a relatively small number of times in rapid succession

• The ability of an adversary to mount man-in-the-middle attacks between tags and legitimate reader is restricted.

For enforcing the first assumption an RFID tag should only permit reading once every several seconds. Given that an RFID-tag typically has a read range of at most a few meters, a rogue reader would have difficulty in harvesting more than, say, one or two pseudonyms from most passersby; tags might easily store half-a-dozen or so pseudonyms, however. An attacker bringing a reader into a monitored environment like a shop or warehouse might similarly face difficulties in

11

attempting prolonged intelligence gathering. Assumption about the ability of adversary to mount man-in-

the-middle attack is a very realistic one. In many cases, it is operationally inconvenient for an adversary to interact for an extended period of time with tags in the vicinity of legitimate readers. For example, if a reader were stationed so as to regulate physical access to a building or to permit automated checkout at a supermarket, then the mobility of users (and consequently of tags) would help ensure only a limited number of protocol flows for attack by the adversary.

XI. ALGORITHM ANALYSIS Before we mentioned that, all the tags are suffering from

three security and privacy issues. Now let’s see how this new algorithm addresses the mentioned concerns:

• Lack of password protection for read and write: The tag is password protected by β. If the reader cannot provide a correct value for β the value of γ won’t be accessible. Furthermore no operation will be done on ∆k.

• Unencrypted communication between reader and the tag: The algorithm provides an encrypted communication between tag and reader based on one-time pad scheme. Beside that the aired value never will be used because after each successful read the tag will be updated by updating the one-time pads and updating the stored values accordingly.

• Having a constant value on the tag which makes it easy for eavesdropper to track a particular tag: As result of pad and update function, the value store on the tag is always changing so tracking this tag will be virtually impossible.

Compared to the structure of ATMEL TK5552, α can be the

first 7 block of the tag memory which can be read without any restriction. The block 8 of TK5552 acts as β which gives access to the rest of blocks which can store γ and ∆k values. But this algorithm needs XOR gates, shift capability and a read delay function to enforce the other restrictions.

This algorithm assumes that all the data on the tag is changing dynamically so the lock bit associated with every 32 bit block of memory in TK5552 can easily be used for any other purpose. Also if the current technology can not perform shift and XOR with a 125 KHz radio frequency wave, then this algorithm may need to be considered for a higher range like 134 KHz or even the 6.765-6.795 MHz range. This will have an immediate impact on the price of tag and reader.

The scheme assumes no collision among the identifiers. To begin with the real-world deployments, the moderate security afforded by relatively short β and γ but α key must be considerably longer to permit unique identification of tags and avoid collision. This approach has the advantage of backward compatibility with existing RFID systems employing just a static identifier or challenge-response. In other words, a reader

does not have to have awareness of the fact that the identifier is in fact a pseudonym and only the verifier application on the back-end need to.

As was mentioned before, the radio frequency can provide enough power for MIFARE cards to perform a DES operation so having an XOR function in RFID tag shouldn’t be technically impossible, even though right now there is not such a tag in the market.

Depending on some parameters, this algorithm may suffer from a high volume of data transactions. To compare this algorithm with a non-secure RFID system, let’s consider γ, a 32 bit value, as a value that RFID tag carries. Always there is a record associated with the RFID tag value on database server which keeps more information about the item it can be any thing like production date, weight, price, color, etc. Suppose on database server this record occupies k byte per item. A one million tag system, consumes k MB memory space. By considering 128 bit for α and 32 bit for β, and having m items in ∆k = {δk(1), δk (2)… δk (m)}, database needs ((m+1) * 24 + k) MB to store the system data. The higher the value of m is, the more secure system can be, but by increasing the value of m, we have to store more data in the database. The value of m can be considered as a tuning parameter which can be set based on the level of required security.

In a non-secure RFID system, if the host computer or database goes down, some types of readers [31] can store up to 200 tag values. In contrast, the database in this algorithm is an essential part of system and without it the communication of reader and tag won’t take place.

In the real world, a tag might be read by several readers connected to loosely connected verifier databases. In such a system, a tag may migrate among different verifiers as it moves from one physical location to another location. As long as all verifiers are connected to the same database the algorithm works fine. However, in case of distributed database a tag verified by one reader can not be verified with another one if two verifiers are connected to different back-end databases.

It seems that for solving this problem the previous verifier should be located. The current verifier needs to locate the previous verifier and then retrieve the value of k and ∆k from its associated database. Then the record of tag can be transferred to the database of current verifier or a remote authentication against previous database can take place. Usually verifier has a very limited time to communicate with the tag, so any record migration or remote authentication should take place very quick.

Locating the previous verifier is not easy. Adding any field to the tag, Verifier-ID, can be considered a constant value on the tag which makes the tag traceable. Also it’s not possible to encrypt Verifier-ID as we do for other values on the tag because there is no way to decrypt it as it is needed. Using multicast to query other databases for a specific value of α can be considered as a practical solution for finding the previous verifier.

12

XII. IMPLEMENTATION In the project definition, two paths for the implementation

of the mentioned algorithm have been proposed: using actual RFID devices or simulation

At that point, I was not clear about TK5552 functionality and also because of some ambiguity in the algorithm; I thought the algorithm could be implemented using ATMEL TK5552. It was after the second progress report that I realized that we need XOR capability on the tag and TK5552 is not capable enough for the purpose of the algorithm. By contacting the author of the algorithm it became clear that there is no RFID tag with XOR capability in the market.

Following the second implementation option, the functionality of tag and reader has been implemented using RPC under the Linux platform. In the implementation, an RPC server simulates the RFID tag and responds to an RPC client which works as reader, host system and database.

The RPC server which simulates the tag defines 3 procedures:

• Read (alpha): returns the value of α to verifier (RPC client)

• Validate (beta, gama): verifier sends the value of β to tag and receives the value of γ in return

• Update (delata): by calling this function verifier sends the value of ∆ to the tag.

Implementation β and γ are 32 bit values and α is a 128 bit

variable. Also m has been considered 4 which makes the length of ∆ equal to 4 * 192 bit. So the total capacity of tag will be 960 bit which is comparable to TK5552.

The algorithm says: “An adversary may interact with targeted RFID tags only

a relatively small number of times in rapid succession” To satisfy this restriction, the tag replies to the requests with one second interleaving delay.

And finally the database is a binary sequential file which stores the values of α, β, γ and ∆.

XIII. CONCLUSION RFID tags are often envisioned as a replacement for UPC or

bar-codes, having a number of important advantages over the older technology. However, the use of RFID technology has engendered considerable controversy and even product boycotts. Considering the potential use of RFID in business, it seems move toward this new technology is unavoidable and in this regard many big companies have announced their commitment to use of this technology.

There are lots of researches on RFID security but it seems the executive body of RFID technology is rapidly developing different application regardless of the security and privacy concerns.

In this project we have reviewed the RFID technology and its challenges. In brief RFID security is lacking 3 basic components: password protection, unencrypted communication between reader and the tag, and having a

constant value on the tag which makes the tag traceable. There are some ways to enhance the security of RFID:

using secure tags which have embedded challenge/response mechanism, storing an encrypted value on the tag, etc. but none of them can provide a universal solution to the RFID security problem. The main obstacle which makes a full-blown security mechanism on RFID unreachable is the very limited computational power of the tag. The tag is powered only by the energy of the radio wave sent by the reader and in low frequencies this amount of energy is not sufficient for execution of an algorithm like DES or AES.

There is a lot of similarity between RFID tags and Wireless Smart Cards and it seems the functionality of these two is merging so rapidly. The 13.66 MHz radio frequency can provide enough power for a wireless smart card to execute a secure key encryption. As some RFID tags are sharing this frequency with wireless cards, we can expect that by increasing demand for RFID tags and dropping the price, RFID tags will be able to provide the same level of security very soon.

An algorithm proposed by RSA Security Inc. uses simple XOR in conjunction with a one-time pad mechanism and some other basic operations like shift to overcome RFID security issues. By comparing the hardware requirements of this algorithm with characteristics of one of available RFID tags we show that with current level of technology it is possible to adopt the algorithm in a low-price RFID tag.

REFERENCES [1] A. Juels and R. Pappu. “Squealing Euros: Privacy protection in RFID-

enabled banknotes. “ In R. Wright, editor, Financial Cryptography ’03, pages 103–121. Springer-Verlag, 2003. LNCS no. 2742.

[2] Alain Berthon, Texas Instruments and Michael Guillory, Intermec Technologies, "Security in RFID", www.nepc.sanc.org.sg/html/techReport/N327.doc

[3] Ari Jules, “Minimalist Cryptography for Low-Cost RFID tags”, RSA Labs, White paper, http://www.rsasecurity.com/rsalabs/staff/bios/ajuels/publications/minimalist/Minimalist.pdf

[4] ATMEL Corporation, TK5552 Datasheet, updated 4/2003, http://www.atmel.com/dyn/resources/prod_documents/doc4698.pdf

[5] ATMEL Home Page, http://www.atmel.com/products/AVR/ [6] Auto-ID Center, “860MHz-960MHz Class I Radio Frequency

Identification Tag Radio Frequency & Logical communication Interface Specification Proposed Recommendation Version 1.0.0”, Technical Report MIT-AUTOID-TR-007, Nov. 2002

[7] Auto-ID Center, Web site, http://www.autoidcenter.org/ [8] CHAN, Siu-cheung Charles, "An Overview of Smart Card

Security",http://home.hkstar.com/~alanchan/papers/smartCardSecurity/index.html

[9] Contactless News, "Texas Instruments RFid Systems Supports ISO/IEC 14443 Type B With New Contactless Payment Platform", NEWS, Feb 24 2003, http://www.contactlessnews.com/news/2003/02/24/texas-instruments-rfid-systems-supports-isoiec-14443-type-b-with-new-contactless-payment-platform/

[10] Damith C. Ranasinghe 1, Daniel W. Engels2, Peter H. Cole3, “Security and Privacy: Modest Proposals for Low-Cost RFID Systems”, http://www.mlab.ch/autoid/SwissReWorkshop/papers/SecurityAndPrivacy-ModestProposalsForLowCostRFIDsystems.pdf

[11] Datasheet TK5552, ATMEL Corp. web site, http://www.atmel.com/dyn/products/product_card.asp?part_id=2375

[12] Datasheet TK5561A-PP, ATMEL Corp web site, http://www.atmel.com/dyn/products/product_card.asp?part_id=3052

13

[13] David Molnar, David Wagne, "Privacy and Security in Library RFID Issues, Practices, and Architectures", http:// www.cs.berkeley.edu/~dmolnar/library.pdf

[14] Electronic Frontier Foundation, Defending Freedom in Digital World, Website, http://www.eff.org/Privacy/Surveillance/RFID/

[15] Gary McGraw, Edward W. Felten , "Securing Java: Getting Down to Business with Mobile Code, 2nd Edition"

[16] Gordon E. Moore. Cramming more components onto integrated circuits. Electronics, 38(8), April 1965.

[17] Harry Stockman, "Communication by Means of Reflected Power", Proceedings of the IRE, pp1196-1204, October 1948

[18] ISO 14443, http://www.jayacard.org/14443/ISO14443-2.pdf [19] Klaus Finkenzeller, RFID-Handbook, 2nd edition, "Fundamentals and

Applications in Contactless Smart Cards and Identification", ISBN: 0-470-84402-7

[20] Michael Knebelkamp, Herbert Meier, “Latest Generation Technology for Immobilizer Systems”, Texas Instruments, White paper - doc center, http://www.ti.com/tiris/docs/manuals/whtPapers/immobilizer.pdf

[21] Miyako Ohkubo, Koutarou Suzuki and Shingo Kinoshita , “Cryptographic Approach to ‘Privacy-Friendly’ Tags”, NTT Laboratories, http://www.rfidprivacy.org/2003/papers/ohkubo.pdf

[22] National Institute of Standards and Technology (NIST), Smart Card Standard and research, Smart Card FAQ, http://smartcard.nist.gov/faq.html

[23] NTRU Home page, http://www.ntru.com/products [24] Philips Website, "MIFARE sets contactless interface standard", White

Paper,http://www.semiconductors.philips.com/markets/identification/articles/articles/a49/

[25] Press release, Smart Card Alliance, Washington Metropolitan Area Transit Authority Wins OSCA Award http://www.smartcardalliance.org/about_alliance/press_051401.cfm

[26] RFID Journal, "Inside's Next-Gen Smart Card", Oct. 29 2002, http://www.rfidjournal.com/article/view/101/1/1/

[27] RFID Journal, “Gillette Confirms RFID Pur”, Jan 7 2003, http://www.rfidjournal.com/article/articleview/258/1/1/

[28] RFID Journal, “Michelin Embeds RFID Tags in Tires”, NEWS, Jan 17, 2003, http://www.rfidjournal.com/article/articleview/269/1/1/

[29] RFID Journal, “VeriSign to Run EPC Directory”, http://www.rfidjournal.com/article/articleview/735/1/1/

[30] RFIDNews, "Matsushita Develops RFID SD Memory Card", Oct. 5 2004, http://www.rfidnews.org/news/2004/10/05/matsushita-develops-rfid-sd-memory-card/

[31] RightTag Co. Website, Products, http://www.righttag.com/products.html [32] Rob Regan, "Make Contact With Contactless",

http://www.greensheet.com/PriorIssues-/040401-/8.htm [33] Shingo Kinosita, Fumitaka Hoshino, Tomoyuki Komuro, Akiko

Fujimura and Miyako Ohkubo, “Nonidentifiable Anonymous-ID Scheme for RFID Privacy Protection”, CSS 2003, Japanese.

[34] Sinjay E. Sarma, Daniel W. Engles, White Paper, RFID Systems, Security & Privacy implications, Auto-ID Cneter, Nov. 1 2002

[35] Smart Card Alliance, "Contactless Payment and the Retail Point of Sale: Applications, Technologies and Transaction Model", White Paper, March 11 2003, http://www.itsecurity.com/papers/sca1.htm

[36] Sonmicro Inc. Web site, http://www.sonmicro.com/1.php [37] Sonmicron Inc. Web site, http://www.sonmicro.com/2.php [38] Stephen A. Weis, Sanjay E.Sarma, Ronald L. Rivest and Daiel W.

Engels, “Security and Privacy Aspects of Low-Cost Radio Frequency Identification Systems”, First International Conference on Security in Pervasive Computing, 2003. http://theory.lcs.mit.edu/sweis/spc-rfid.pdf

[39] Stop RFID, Web site, http://www.spychips.com/index.html [40] Texas Instrument, RI-TRP-BRHP, Data Sheet and specification,

http://www.ti.com/tiris/docs/products/transponders/RI-TRP-BRHP.shtml [41] Texas Instrument, RI-TRP-V9WK , Data Sheet and specification,

http://www.ti.com/tiris/docs/products/transponders/RI-TRP-V9WK.shtml

[42] Visa Website, "Visa Financial Messaging Profile for Contactless Payment", www.corporate.visa.com /mc/press/press112.html

[43] Washington Metropolitan Area Transit Authority Website, http://www.wmata.com/

[44] Website of ATMEL Corporation , e5561 Description and data sheet, http://www.atmel.com/dyn/products/product_card.asp?part_id=2373

[45] Website of ATMEL Corporation, RFID Identification – Device, Nov. 2004, http://www.atmel.com/dyn/products/devices.asp?family_id=644

[46] Wikipedia, the free encyclopedia. http://en.wikipedia.org/wiki/RFID