Breeching the security of safety- or security-intensive products such as auto parts, set top boxes, military electronics, or smart batteries can be a lucrative business that is well worth the nominal investment required to create lookalike packaging and labeling, or to change the system firmware to allow unpaid access to licensed content. Because the counterfeiter does not incur any of the costs associated with product development, he quickly covers his capital investment at the expense of the authentic product manufacturer or service provider.

Figure 1. Challenge Response Sequence: Tag Updates Challenge after Every Successful Challenge Response.

Classic solutions to counterfeiting have been tamper resistant/evident packaging, and special label markings. However, any information that is visible on the product can be cloned and the clones can be used to make fake products appear authentic. RFID, which is typically viewed as a next-generation barcode technology for the automation of inventory control and product tracking, can also ensure the security of end-product firmware and protect against product counterfeiting, while also maintaining a secure record of a product's ingredients, chain of custody and environmental conditions from raw material acquisition all the way through to purchase by the end user.

RFID devices can be as small as a grain of rice, with enough memory to store encryption keys, algorithms and chain of ownership information. They do not require direct line-of-sight for access, allowing them to be embedded into virtually any product, including drug vials, cosmetics or jewelry.

On their own, RFID labels are not at all secure because the product information is broadcast over the air and can be intercepted easily using a sub-$100 RFID reader. However, there are RFID implementations that provide security that approaches that of a secure microcontroller.

Passwords and Encryption

The most common form of RFID security is password protection. Some manufacturers encrypt passwords using virtually uncrackable cryptographic algorithms. The problem with this approach is that the passwords, encrypted or not, are broadcast over the air and may be easily intercepted and used to label fake products. Counterfeiters do not need to decrypt passwords to duplicate them. A single encrypted password can be used to create hundreds of fake RFID labels that will pass with a host reader.

Figure 2. Double Challenge-Response Scheme

The only way to truly protect RFID tags from cloning is to prevent the identifying information from being accessed. This can be accomplished using a cryptographic process called authentication in which the host and/or RFID tag verify the authenticity of the other device by demonstrating knowledge of non-readable information within it. Both tag and host contain secret, inaccessible information that is used to create cryptographic challenges to one another. In this scheme, the tag uses secret, unreadable authentication keys and a random number to create a cryptographic challenge for the host to read. An authentic host will be able to use its own secret authentication keys and the random number to replicate the challenge. If the two challenges match, the tag recognizes the host as authentic. This is called challenge- response protection. A double challenge-response scheme has the host repeat the process to determine the authenticity of the RFID tag. Only after both devices have authenticated each other will the RFID tag allow its labeling information to be read or modified.

The key to this security scheme is that the information used to authenticate the product never leaves the device and is completely unreadable by anyone. The identifying information is used only to calculate the cryptographic challenge, which is authenticated when the complementary uses its own secret information to duplicate the challenge. The cryptographic challenge changes each time there is a new transaction, so capturing it during an RFID transaction is useless in terms of creating cloned labels. The challenge changes every time.

Since the interrogator (tag reader) initiates communications in most RFID protocols, the tag needs to have a challenge always ready (Figure 1). The tag reader reads the cryptographic challenge and generates a response for the tag to validate. The tag updates its challenge upon a successful response, so that no challenge is used twice. Counterfeiters, not possessing the proper response to a challenge will not be able to obtain the labeling information from the device and, therefore, will not be able to clone the label.

RFID devices come in a variety of shapes and sizes.

Not all RFID solutions support this challenge-response scheme, so security minded engineers should verify that the RFID tags have this capability.

Managing interrogator side secrets (keys) allows authentic manufacturers to prevent counterfeiters from reading their product information, thus preventing illegal cloning of their productís label. Cloned products with unauthentic labels will be identified as fakes.

The double- challenge- response scheme is similar to the challenge-response scheme with the additional ability for the interrogator to also challenge the tag (Figure 2). This scheme requires both interrogators and tags to independently store asymmetric secrets to use in the process. This mutual authentication scheme guarantees the identity of both the host and the RFID tag. This is particularly useful where authentic interrogators need to provide field updates to authentic tags. For example, interrogators in a mobile electronic application, like smart phone firmware upgrade equipment at a supplier location may need to ascertain the authenticity of the tag (product) before issuing a firmware upgrade.

Adding Optional Security for Data Protection

The challenge-response and double challenge-response RFID security schemes provide effective anti-counterfeiting solutions. These solutions by themselves, however, do not offer data protection for data communication between the interrogator and the tag. An eavesdropper, for instance, can wait until completion of the challenge-response process, and intercept information between interrogator and tag. Depending on the application, they may even modify the information to suit their needs.

For example, a malevolent competitor could intentionally inject errors into a firmware upgrade to a consumer electronic product to achieve a classic denial-of-service attack. Such eavesdroppers may also inject false information into the competitor's authentic consumables, be it electronic or not, to make them appear non-authentic. A more complete solution to RFID label security thus requires data protection in addition to authentication for most applications.

Most RFID tags can be write-protected to lock the data inside and to prevent future modification. This approach is well suited for pure labeling applications with static label information, such as pharmaceuticals, cosmetics, accessories, and apparel.

In situations where the data on the tag must be updated, tags that offer data encryption for traffic between the interrogator and the tag should be used. Encrypting data between the interrogator and tag assures the confidentiality of the data in transmission. Data confidentially may be useful both in protecting secrets or preventing man-in-the-middle attacks. This protection scheme is particularly useful in applications where field upgrades are necessary.

Message Authentication Codes

An added level of security can be provided by adding cryptographic digests, called message authentication codes (MAC), that allow the recipient of information to ascertain the authenticity of the source and integrity of the data content. MAC generation uses the same cryptographic keys used for mutual authentication that are stored within the tag reader and tag. For any given message, only an authentic interrogator or tag can issue the proper MAC. The sender of data generates a MAC that accompanies the data and the recipient of the data verifies the MAC by using its own keys to duplicate it. If the MAC does not checkout it means that the source of the message is not authentic, the integrity of the message is questionable (i.e. message has been modified since it left the source), or there were channel communication errors. The combination of data encryption and use of MAC provides powerful data protection to field updates like firmware upgrades to electronic products.

Choosing the Proper RFID Security Solution

Many RFID tags offer some level of security. To prevent product counterfeiting, the RFID tag minimally needs the ability to authenticate the interrogator prior to divulging labeling information. There are two things to consider when shopping for an RFID anti-counterfeiting solution:

The RFID tag should authenticate the reader prior to allowing access to label information stored within the tag. If validation is necessary only for the interrogator, then a challenge- response scheme is sufficient. If the information stored within the tag also needs to be updated by the host reader, a tag with a double challenge- response scheme (mutual authentication) should be used to also verity that the tag is authentic and not just some nefarious agent trying to steal information.

If the labeling information will remain fixed, simple write-protection should be adequate. However, in cases such as firmware upgrades, where source authenticity, data confidentiality and integrity are important, the RFID tags should have data encryption and MAC capability.

RFID technology can stop product counterfeiting. Depending on the application, a combination of the right authentication and data protection security schemes can provide complete product protection.

A Note on RF Protocols. Most RFID labels operate in the 13.56MHz band, using protocols like the ISO 14443-A and ISO 14443-B protocols. Both protocols operate in the high frequency (HF) band compared to the low frequency (LF) & ultra high frequency (UHF) RFID bands. HF and LF are more tolerant around liquids and metals compared to UHF, while HF supports the higher data rates required for cryptographic processes. UHF RFID technology is not as mature, has a less than 4 Kbit data capacity and does not support Crypto.

The RF performance of ISO 14443-A and ISO 14443-B is basically identical. However, for cost reasons the royalty free ISO 14443-B protocol may be preferable to ISO 14443-A which has a maintenance fee.

This article was written by Eustace Asanghanwa, Crypto Field Application Engineer, Atmel (San Jose, CA). For more information, contact Mr. Asanghanwa at This email address is being protected from spambots. You need JavaScript enabled to view it., or click here .

Embedded Technology Magazine

This article first appeared in the November, 2008 issue of Embedded Technology Magazine.

Read more articles from this issue here.

Read more articles from the archives here.