1
A novel design of secure RFID tag baseband Yu YU, Yuqing YANG, Na YAN, Hao MIN
Abstract—A challenge to implement tag's security is its power and cost performance. A feasible way to carry out a secure scheme on tag is to choose a tiny crypto algorithm and a secure protocol. In this paper, a secure UHF RFID tag baseband is designed. This baseband is integrated with TEA, which is one of the acceptable algorithms through estimation of hardware resource on tag and some performance analysis. To improve security, authentication procedure is added in the EPC Class 1 Gen 2 protocol. To support the flexible protocol and supply a good power management, an application specific micro-processor is designed in the structure. From the simulation results, this secure RFID tag baseband proves a feasible way to actualize security on tag. Index Terms—RFID tag, EPC Class1 Gen2, security, baseband
implementation of a secure circuit. Some common cryptography is too large in circuit to fit in a small tag. For security on tag, the biggest challenge is to find an appropriate cryptography and implement it in circuit to meet power and cost requirement. How large the encryption cipher is the tag can hold with and whether a micro-processor can be accepted in a tag. This baseband performs a trial and gives out an example of a feasible secure tag. The structure of the paper is organized as follow: hardware resource on tag is estimated first and some common crypto algorithms are analyzed from an implementation view; to give a practical evaluation, a security protocol based on EPC Class 1 Gen 2 or EPC C1G2 [3] is described; the improved protocol with security is implemented in circuit; architecture of the baseband is proposed and simulation result is given out.
I. INTRODUCTION
II. RESTRICTION OF THE HARDWARE RESOURCE ON TAG
Rivacy and security of RFID has become a very serious problem blocking its development [1]. Every member in RFID system should be solid enough to avoid the illegal attacks. A RFID system is made up of tag, reader, database and EPC network. Communication between tag and reader is the weakest point among all the channels because of the indigent hardware resource on chip of tag. Tag suffers with unauthenticated access, tracing, eavesdropping and counterfeit [2]. Since small area, low cost and power are required for tag's application; these features restrict its
Cost, reading distance and reaction speed are the three main conditions restricting RFID tag. Reading distance is related with chip's power. These three conditions affect each other at the same time. Under the same area, speeding up reaction time will increase chip's power, which leads to reading distance reduction. While the reading distance is constant, decreasing chip's area will make reaction speed slow down. In the protocol of EPC C1G2, there are some specific speed requirements for RFID tag. When working under 640KHz link frequency, time from reader transmission to tag response should be 15~30 micro second. To take the place of barcode, cost of the tag should reach 0.05 dollar [4], which means the chip size should reach 0.4mm x 0.4mm. As using SMIC0.18 process, supposing the utilization ratio gets 80% and 1/3 area is used by analog circuit, from the expression (1) to estimate the scale of the baseband, the there are only about 8000 gates left for logic.
P
Yu YU is with ASIC & System state key lab, Fudan university, and with Auto-ID lab of Fudan university, Shanghai, China (e-mail:
[email protected], phone: +86-21-51355331). Yuqing YANG is with ASIC & system state key lab, Fudan university and nd with Auto-ID lab of Fudan university, Shanghai, China (e-mail:
[email protected]). Na YAN is with ASIC & system state key lab, Fudan university and with Auto-ID lab of Fudan university, Shanghai, China. (e-mail:
[email protected]) Hao MIN is the corresponding author, with ASIC & System state key lab, Fudan university, and with Auto-ID lab of Fudan university, Shanghai, China (e-mail:
[email protected]).
0.4mm × 0.4mm ×80%× 2 ÷ (5.04µm ×1.98µm) ≈ 8552 (1) 3
2 In this expression, the area of a standard NAND gate with 2 input pins is 5.04um x 1.98um [5]. More than 5000 gates are needed to process protocol; as a result about 3000 gates are left for security. Power consumption relates with the tags' identification distance directly. It is another problem restricting tag's performance. The power should be restricted in 50uW as a tag works at 3 meters, and 10uW at 5 meters. Most of the power will be consumed by analog circuit so the digital circuit should consume even less power at the mean time. III. COMMON CRYPTOGRAPHIES ANALYSIS The symmetrical crypto algorithm and the public key crypto algorithm in the same secure level have different key lengths and plaintext data widths. NIST recommends different crypto-key lengths according to alternative algorithms in the same security level, which is shown in table 1 [6]. Table 1 NIST Guidelines for the equivalent strengths of various cryptographic algorithms
From the table, we can see in the same security capability, public key cryptography will have longer key length than symmetrical crypto algorithm. The extra key bits and its complicate control logic usually bring more logic in implementation. As a result of its size, public key cryptography does not suit much in RFID tag. In generally speaking, the security of symmetrical crypto algorithm is determined by its key length. The longer the key length, the more secure the algorithm is. To make an evaluation of feasible algorithms, a comparison is made between some small algorithms in the view of security, speed, gates and average power. Small crypto algorithms' performance under the main clock of 100 KHz frequency is listed in table 2. Table 2 Performance of some small crypto algorithms
To make a fair comparison, algorithms except AES which is referred in [7] are made in small scale and integrated in a tag baseband to have an evaluation. Here we count the clock from the beginning of cipher’s calculation, supposing data to be encrypted have been ready for ciphers. Design Compiler of synopsys is utilized to obtain the equipment gate number of every module. Netlist with transistor converted from gate level netlist, is fed into HSPICE, running with test vector to acquire the power results. These evaluation results are compared in the table with AES referred in [7] at the same time. From the table, we can see: AES costs too many cycles finishing data encryption. Hash occupies more area than the others. TEA [8] and stream-cipher are both acceptable in RFID tag and can be used in different applications according to their performances. IV. SECURITY IMPROVEMENT OF EPC C1G2 WITH TEA TEA or Tiny Encryption Algorithm is proposed by research from Cambridge [8]. It is an algorithm based on the number of iterations rather than a complicated program. ADD and XOR are used to provide nonlinearity. A suggested number of iteration is 32. TEA routine is showed below: Void code(long* v, long*k) {unsigned long y=v[0], z=v[1], delta=0x9e3779b9, n=32; While (n - - >0) {sum+=delta; y +=(z5)+k[1]; z +=(y5)+k[3]; } V[0]=y; v[1]=z; }
sum=0,
3 EPC C1G2 is vulnerable to unauthenticated access and backward channel eavesdropping. To resist these attacks, authentication procedure is added and TEA cryptography is used to protect the backward data transmission. In the authentication procedure, a random number generated by tag can be used as a share key to protect later data transmission. The original protocol procedure and the authentication procedure are demonstrated in fig 1.
{
ti = Req_RN; ri = Random _ num; ti +1 = Random _ num ⊕ Tpltxti +1 ; …} In the improved secure protocol, TEA is introduced to protect data. When tag prepares to transmit data, it will use this random number as its crypto key to make sure the same data will be of different value in channel every time. Receiving read command, tag use TEA to encrypt the data directly. Since the random number generated by tag has been transmitted in authentication procedure before, reader can decrypt the data through the random number key. Because not all the users have the right to write in a tag, there is a write password to verify tag's administrator. When performing write operation, reader sends the password joined with the write command. Tag verifies this password before replying. If the one is correct, it will send out a random number to indicate "pass". Otherwise, it will give out an error signal. The procedure of read and write is expressed below: If (Read operation) {
ti = {write _ command}
ri = tea (Tpltxti , RN t ) ; } Else If (Write operation) {
t i = { w rite _ c o m m a n d , P W D ⊕ R N r } t i = { w rite _ c o m m a n d }
;
If (PWD=Valid) { ri +1 = RN 16 ; Fig 1 Procedure of the original protocol and the improved protocol
The original data transmission procedure is unsecured: when reading data out, reader will receive the plain text directly from tag. When writing in data, reader sends the command to require a random number first, and then uses the random number to XOR plain text which is about to transmit to tag. If the attacker is close to tag enough he will obtain the data easily. The expression to describe the procedure is shown below: If (Read operation) ri = Tpltxti ; Else If (Write operation)
ti +1 = tea (Tpltxti , KEY ) ; ri + 2 = Preamble, {0, handle, CRC-16} ; } else
ri +1 = Error ;
}; V. IMPLEMENTATION OF SECURITY RFID TAG A. Hardware architecture EPC C1G2 is a kind of complicated protocol in RFID field, which defines many instructions and some special procedures such as anti-collision, one-pad cover transmission, secure state access, and kill procedure. The improved security RFID protocol
4 even adds authentication and data encryption procedures. These complex tasks bring long developing period and redundant logic to a routine baseband with some simple finite state machine architecture. A baseband of processor architecture is designed in order to support functional flexibility and developing facility. In addition, logic modularization brings a better power control. The architecture of the baseband is shown in fig 2. micro-processor is a custom-made module in this architecture, which is responsible for the data-path control. Main functional modules share a common internal bus to transmit data. Power manager is an ever-working module, which switches on or off the other modules when they work or sleep. Data received by analog front end is transmitted to DEMODU to get a channel demodulation. Serial data is transferred to parallel one to feed into a two port ram. At the same time CRC works to get data checked. Micro-processor controls data operations among all the modules which are connected with the bus. Transmitted data is changed from parallel to serial format in P2S and passed to modulation (MODU). Data path control is performed by programs. Once a protocol is modified, reload programs will give a quick change to the update of hardware control.
Fig 3 Data path structure of TEA
Signal "mode" is the select signal to determine encryption or decryption procedure. Every data processing round will cost 2 clock periods to complete, as a result, 64 clock periods are consumed to finish 64 bits data decrypted or encrypted. B. Power performance To test performance, a RFID tag baseband of EPC C1G2 with improved secure protocol is designed. TEA algorithm is used to deal with data protection. Because of the data encryption introduced in baseband, reader can send a long length of encrypted data to tag at a time when writing data in. The time of intercommunication is reduced. So in most time, the modules not working in tag can be in a sleep state to save power. Although when TEA is running it consumes more power, since it is switched on for not a long time, the total average power does will not be affected much by it. The power features of the original EPC C1G2 and the secure improved one can be obtained form fig 4 (a) and (b). In most time, the instant power of secure EPC C1G2 is lower than the original protocol. When TEA is running, it gives a high tower in the power diagram.
Fig 2 Architecture of the proposed baseband
TEA is one of the critical modules in the baseband whose algorithm can be found in [8]. Since it has a similar encryption and decryption data order, its data path can be shared by these two procedures. Its data path structure is shown in fig 3.
(a). Simulation diagram of baseband with original EPC C1G2
5
(b). Simulation diagram of baseband with secured EPC C1G2 Fig 4 Power simulation diagram of baseband
SMIC 0.18 process is adopted to compose the baseband. Nanosim of synopsys is used to get the power analysis. Design Compiler of Synopsys calculates baseband's equivalent gate number. To decrease the average power of baseband, supply voltage is reduced to get various power performances. Table 3 shows the power results under different voltages. To compare with the general baseband of EPC C1G2 protocol, area and average power are given in table 4. Baseband in [9] without secure measures costs less gates than the proposed secure one. Because of a good working-time control, only working modules stay in a switch-on state. The proposed security baseband consumes less power than [9] when under the same voltage. Table 3 Power simulation results under different voltage
ciphers are not feasible in tag. From our trials, TEA is one of the acceptable encryption algorithms to implement in tag. A secure baseband with improved EPC C1G2 protocol and TEA algorithm is designed. Authentication and data crypto protection are adopted to improve protocol. This baseband is implemented by integrated circuit. Power is simulated in transistor level under various supply voltages. From results of this baseband, we can see a feasible secure scheme of RFID tag is to choose a tiny crypto algorithm first. The protocol is another efficient way to avoid some attacks. From the view of implementation, there is still some margin between the predicted one and the realized one. There is still work to optimize the logic and circuit in the future. REFERENCES [1]
[2] [3] [4] [5] [6] [7]
Table 4 Comparison between security baseband and general baseband
[8]
[9]
VI. CONCLUSION Since RFID tag is restricted by its area, power and communication speed, how to make a security scheme is really a challenge in tag's implementation. To make an understanding of its exiguous circuit resource, an estimation of the resource is made. From the estimation, supposing SMIC0.18 process is used, only about nine thousands equivalent gates are acceptable. As the smaller process is used, more equivalent gates are expected in the baseband of tag. Because of the requirements of area and speed, the common
Juels, A. RFID security and privacy: a research survey, Selected Area in Communications, IEEE Journal on Volume 24, Issue 2, Feb. 2006 Page(s):351-394 Digital Object Identifier 10.1109/JSAC.2005.861395 S. A. Weis, Security and Privacy in Radio-Frequency Identification Devices, Master's thesis, Massachusetts Institute of Technology, Cambridge, MA 02139, May 2003. EPCTM Radio-Frequency Identity Protocols Class-1 Generation-2 UHF RFID Protocol for Communications at 860MHz - 960MHz Version 1.0.9 (2005, Jan. 30). S.E.Sarma, Towards the five-cent tag. Technical Report MIT-AUTOID-WH-006, Auto-ID Labs, 2001. www.autoidlabs.org SMIC 0.18 Logic 18 Process 1.8-Volt SAGE-XTM Standard Cell Library Databook, Release 1.0, March 2004 “Code & Cipher” vol.1,no.1, Certicom's Bulletin of Security and Cryptography, www.certicom.com Marc Joye, Jean-Jacques Quisquater, Strong Authentication for RFID Systems Using the AES Algorithm, CHES 2004, LNCS 3156, pp. 357-370, 2004 David J. Wheeler and Roger M. Needham, "TEA, a tiny encryption algorithm", Proc. Fast Software Encryption: Second International Workshop, Lecture Notes in Computer Science, vol. 1008, pp.363-366, December 1994 He Yan, Hu Jianyun, Li Qiang, Min Hao, Design of low-power baseband-processor for RFID tag, Applications and Internet Workshops, 2006. SAINT Workshops 2006. International Symposium; Digital Object Identifier 10.1109/SAINT-W.2006.15
