Approaching the time lower bound on cloned-tag identification for large RFID systems
Introduction
Tag cloning attacks threaten a variety of Radio Frequency Identification (RFID) applications but are hard to prevent. In a tag cloning attack, an attacker compromises genuine tags and produces replicas of them, namely cloned tags [2], [3]. Cloned tags behave exactly like genuine tags and can pass any authentication that genuine tags can [2], [3], [4]. If left unidentified, cloned tags pose a substantial threat to RFID applications that use the genuineness of tags to validate the authenticity of tagged objects. For example, when they carry cloned tags, products in an RFID-enabled supply chain lead to financial losses [5], RFID-embedded badges in buildings with RFID-based entrance control systems leak trade secrets [6], and healthcare facilities in RFID-aided hospitals jeopardize personal safety [7]. Of course, we would not need to worry about these threats if we could prevent tag cloning attacks. Unfortunately, most prevention techniques based on cryptography and encryption (e.g., proposals in [8], [9], [10]) are not affordable for low-cost tags [11], [12], [13]. Specifically, we focus on tags for supply chain management, which requires small and simple tags to control system cost. A recent breakthrough in preventing the cloning of low-cost tags adopts physically unclonable functions (PUFs) [14], [15], [16], [17]. PUF-based methods generate tag profiles from the tags' physical properties (e.g., hardware architecture), which are hard for attackers to crack and clone. Although PUFs raise the hope of defeating tag cloning attacks, we find it still very hard for PUFs to generate physical profiles for all off-the-shelf tags.
To secure RFID applications, RFID systems are soliciting solutions that can expose unauthentic objects by identifying their attached cloned tags [18]. Although researchers have dedicated active efforts to RFID security and privacy and contributed exciting advances [2], [3], the design of fast cloned-tag identification protocols for applications in large-scale RFID systems has not yet been thoroughly investigated. In this paper, we concentrate on the application scenario where tagged objects are confined in the same RFID system [18]. Such applications include, for example, people tracking in buildings with RFID-based entrance control systems [6] and healthcare facilities monitoring in RFID-aided hospitals [7].
SYNChronized secret (SYNC) [18] is, to our knowledge, the only study on cloned-tag identification for applications that confine tagged objects in the same RFID system. SYNC identifies cloned tags in an RFID system as follows. Initially, SYNC assigns each tag a unique ID and a unique random number. A map of tag IDs and corresponding random numbers is stored on a backend server. Readers communicate with the server via a secure link and have been granted access to the stored map. To identify cloned tags, a reader writes a random number to a tag’s memory each time it scans the tag and updates the map accordingly. The reader identifies a cloned ID if it scans a tag with that ID but with a random number different from the one in the map. (More discussion on SYNC is available in Section 2.2.)
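The SYNC procedure described above, as an added example that is not code from the paper or from [18]. The class and function names, the 64-bit random numbers and the two-tag population are assumptions made for illustration.

```python
import secrets

class Tag:
    """Constructed model of a low-cost tag: an ID and one rewritable number."""
    def __init__(self, tag_id, number):
        self.tag_id, self.number = tag_id, number

class SyncServer:
    """Backend map of tag ID -> random number last written to that ID."""
    def __init__(self):
        self.number_of = {}
        self.cloned_ids = set()

    def enroll(self, tag_id):
        self.number_of[tag_id] = secrets.randbits(64)
        return Tag(tag_id, self.number_of[tag_id])

    def scan(self, tag):
        """One tag-wise scan: compare with the map, then rewrite tag and map."""
        expected = self.number_of[tag.tag_id]
        matched = tag.number == expected
        if not matched:
            self.cloned_ids.add(tag.tag_id)      # same ID, different number
        fresh = secrets.randbits(64)
        while fresh in (expected, tag.number):   # never reuse a value a copy may hold
            fresh = secrets.randbits(64)
        tag.number = self.number_of[tag.tag_id] = fresh
        return matched

def run(clone_scanned_first):
    """Scan a genuine tag A, its clone, and a clean tag B in the given order."""
    server = SyncServer()
    genuine_a, genuine_b = server.enroll("A"), server.enroll("B")
    clone_a = Tag(genuine_a.tag_id, genuine_a.number)  # exact copy at cloning time
    order = [clone_a, genuine_a] if clone_scanned_first else [genuine_a, clone_a]
    results = [server.scan(tag) for tag in order + [genuine_b]]
    return results, server.cloned_ids

if __name__ == "__main__":
    print(run(clone_scanned_first=False))
    print(run(clone_scanned_first=True))
```

In both orderings the second copy scanned is the one that mismatches, so the check identifies the cloned ID rather than which physical tag is the replica.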
Our observations on SYNC encourage us to pursue more time-efficient protocols for cloned-tag identification, especially in large-scale RFID systems. First, SYNC is broadcast-unfriendly when a genuine tag and its cloned peer(s) are within the interrogation region of a reader. Broadcast causes two cases of collision, in both of which SYNC fails to identify cloned tags. In one case, a reader broadcasts a query message that informs tags to reply with IDs and random numbers; all responses collide. In the other case, a reader broadcasts a query message containing an ID. A tag that carries the contained ID replies with its random number. When the contained ID is a cloned one, responses from the genuine tag and cloned tag(s) collide. In both cases, the reader cannot correctly receive random numbers due to collisions; SYNC thus fails to identify some or even all cloned tags. Second, SYNC needs to collect tag IDs as well as random numbers. In fact, collecting IDs from all tags in a large-scale RFID system is very time-consuming [19], [20], [21], [22], [23]. High time efficiency is a long-standing goal for scalable protocols given the explosion of RFID applications [24]. As we will show in later sections, compared with SYNC, our protocols can reduce the execution time by nearly an order of magnitude. Third, transmitting tag IDs over the air may leak identity information, which should be protected in some privacy-sensitive RFID applications [13], [25], [26].
RFID distance bounding protocols [27], [28], [29] can also benefit cloned-tag identification, although we have similar concerns about their efficiency as we have about SYNC [18]. Distance bounding protocols initially aim to verify the authenticity of tags with limited operating ranges in the order of 10 cm to 1 m [6]. In essence, the reader authenticates a tag using a cryptographic challenge-response exchange and, meanwhile, estimates the distance from the tag. A genuine tag should both pass the authentication and be located within an expected distance limit such as 1 m. We refer interested readers to references [27], [28], [29] for design specifics of RFID distance bounding protocols. Applying distance bounding protocols to cloned-tag identification, we could sequentially authenticate tags in different areas and detect cloned tags with the same IDs but in more than one area. However, similar to SYNC, their operation in essence boils down to tag-wise scanning. Distance bounding protocols are, therefore, not feasible for automatic identification of tags with longer communication range in large RFID systems. Furthermore, keys, challenge nonces and challenge responses are each usually of length 80–256 bits [27]. Transmitting these bitstrings makes distance bounding protocols less time-efficient than SYNC. We thus do not prefer adopting distance bounding protocols for cloned-tag identification in large RFID systems.
Inspired by SYNC [18], we seek to design time-efficient cloned-tag identification protocols for securing applications that confine tagged objects in the same RFID system. We expect such protocols to identify all cloned tags in a large-scale RFID system as fast as possible. We summarize our approach and highlight its contributions to fast cloned-tag identification as follows:
- Identify all cloned tags rather than simply detect some of them. We can thus secure applications that confine all tagged objects in the same RFID system [6], [7], [18]. As to applications that distribute tagged objects across multiple places [5], [30], if we can locate the source that tagged objects come from, we can also leverage our approach to reject objects attached with cloned tags before they are distributed.
- Leverage broadcast and collisions to identify cloned tags. The idea is intuitive but efficient: when we specify only one tag with a certain ID to send a response, a collision of multiple responses shows that the tag has cloned peer(s). This idea relieves us from resorting to complex cryptography techniques. Moreover, in a large-scale RFID system accommodating tens of thousands of tagged objects, leveraging broadcast promises more practical protocols than tag-wise scanning in SYNC does.
- Strive for time efficiency gains in the protocol design. We derive a time lower bound on cloned-tag identification and propose a series of protocols toward approaching it. Through eliminating ID broadcast and bypassing useless time slots, we propose ES-BID, a protocol with execution time of only 1.4 times the value of the time lower bound. Simulation results show that, compared with SYNC, ES-BID reduces the execution time by nearly an order of magnitude. Even better, we improve on [1] by further proposing AID, an adaptive protocol that can yield higher time efficiency under some scenarios and increase the computation efficiency.
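The ID-addressed broadcast case in which SYNC fails and the collision idea from the list above, run over the same tag population, as an added example that is not code from the paper. The three-state channel model, the function names and the sample population are constructed assumptions; the block does not implement BID, S-BID, ES-BID or AID, whose details are not given on this page.

```python
# Constructed model: a tag is (ID, random number); the channel has three states.
def channel(replies):
    """Shared medium: no reply, one decodable reply, or an unreadable collision."""
    if not replies:
        return "empty", None
    if len(replies) == 1:
        return "single", replies[0]
    return "collision", None

def query_id(tags, polled_id):
    """Reader broadcasts polled_id; every tag holding that ID replies at once."""
    return channel([number for tag_id, number in tags if tag_id == polled_id])

def sync_over_broadcast(server_map, tags):
    """SYNC must read the number, so a collided reply leaves the ID undecided."""
    flagged, undecided = set(), set()
    for tag_id, expected in server_map.items():
        state, number = query_id(tags, tag_id)
        if state == "single" and number != expected:
            flagged.add(tag_id)
        elif state == "collision":
            undecided.add(tag_id)
    return flagged, undecided

def collision_as_signal(known_ids, tags):
    """Only one tag should answer a single-ID query, so a collision means a clone."""
    return {tag_id for tag_id in known_ids if query_id(tags, tag_id)[0] == "collision"}

# Constructed population: A has one clone, C has two, B is clean, D is absent.
SERVER_MAP = {"A": 11, "B": 22, "C": 33, "D": 44}
TAGS = [("A", 11), ("A", 7), ("B", 22), ("C", 33), ("C", 5), ("C", 5)]

if __name__ == "__main__":
    print(sync_over_broadcast(SERVER_MAP, TAGS))
    print(sorted(collision_as_signal(SERVER_MAP, TAGS)))
```

The same collided slots that leave SYNC with nothing to compare are exactly the evidence the collision-based check needs, and no ID or random number has to be read back from any tag.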
The rest of the paper is organized as follows. Section 2 presents an overview of the cloned-tag identification problem, related work, and our approach. Section 3 and Section 4 present the S-BID and ES-BID protocols, which leverage broadcast and collisions to identify cloned tags and increase the time efficiency through eliminating ID broadcast and through bypassing useless time slots, respectively. Section 5 discusses an adaptive protocol called AID and the scenarios where it yields more time efficiency gains. Section 6 reports simulation results and discusses limitations. Finally, Section 7 concludes the paper and indicates future work.
Section snippets
Preliminaries
In this section, we formulate the cloned-tag identification problem and provide an overview of related work and our approach.
S-BID: Slotted BID
In this section, we propose Slotted BID (S-BID), a cloned-tag identification protocol that eliminates ID broadcast. Our analysis shows that S-BID is faster than both SYNC and BID.
ES-BID: Enhanced S-BID
In this section, we propose Enhanced S-BID (ES-BID), a protocol that bypasses useless time slots suffered by S-BID. Our analysis shows that ES-BID can at best push the execution time to 1.3 times the value of the time lower bound.
AID: adaptive cloned-tag identification protocol
In this section, we propose an Adaptive cloned-tag IDentification protocol (AID). Through a simple injection from tag IDs to slot indices, AID exploits efficiency gains under scenarios where an injection-based protocol outperforms ES-BID.
Performance evaluation
In this section, we evaluate the time efficiency of BID, S-BID, ES-BID, and AID through simulations, comparing against that of the most related protocol SYNC [18]. We first describe the simulation environment. We then report and discuss the simulation results.
Conclusion and future work
We have studied the cloned-tag identification problem that is of practical importance to secure RFID applications. We concentrate on the application scenario where all tagged objects are confined in the same RFID system. To meet the time efficiency requirement for large-scale RFID systems, we seek to design protocols that can identify cloned tags as fast as possible. We leverage broadcast and collisions to identify the cloned tags. This approach gets rid of more complex cryptography techniques
Acknowledgments
This work was supported in part by HK RGC PolyU 5286/12E. The authors would also like to sincerely thank Editors and Reviewers for their thoughtful, constructive suggestions and comments. Especially helpful are the suggestions for simplifying problem statement and for discussing distance bounding protocols and physical unclonable functions.
References (51)
- et al., PUF-enhanced offline RFID security and privacy, Journal of Network and Computer Applications (2012)
- et al., Public key cryptography based privacy preserving multi-context RFID infrastructure, Ad Hoc Networks (2009)
- et al., Taxonomy and survey of RFID anti-collision protocols, Computer Communications (2006)
- et al., Instant collision resolution for tag identification in RFID networks, Ad Hoc Networks (2007)
- K. Bu, X. Liu, B. Xiao, Fast cloned-tag identification protocols for large-scale RFID systems, in: IEEE/ACM IWQoS,...
- RFID security and privacy: a research survey, IEEE Journal on Selected Areas in Communications (2006)
- et al., Security and privacy aspects of low-cost radio frequency identification systems, Security in Pervasive Computing, Lecture Notes in Computer Science (2004)
- C. Fan, S. Huang, RFID authentication protocol in supply chains, in: The 3rd Joint Workshop on Information Security,...
- F. Kerschbaum, A. Sorniotti, RFID-based supply chain partner authentication and key agreement, in: ACM WiSec, 2009, pp....
- RFID Handbook: Fundamentals and Applications in Contactless Smart Cards, Radio Frequency Identification and Near-Field Communication (2010)
- Information systems and health care-II: Back to the future with RFID: lessons learned-some old, some new, Communications of the Association for Information Systems
- Securing RFID systems by detecting tag cloning, Pervasive Computing
Kai Bu received the BSc and MSc degrees in computer science from the Nanjing University of Posts and Telecommunications, Nanjing, China, in 2006 and 2009, respectively, and the Ph.D. degree in computer science from The Hong Kong Polytechnic University, Hong Kong, in 2013. He is currently an Assistant Professor in the College of Computer Science and Technology at Zhejiang University, China. His research interests include RFID and wireless networks. He is a recipient of the Best Paper Award of IEEE/IFIP EUC 2011. He is a member of the IEEE Communications Society.
Xuan Liu received the MSc degree from the School of Computer Science & Engineering, National University and Defense, China, in 2008. Currently, she is a PhD candidate in the Department of Computing at The Hong Kong Polytechnic University, Hong Kong. Her research interests include distributed computing systems, mobile computing, focusing on wireless sensor networks and RFID systems.
Bin Xiao received the BSc and MSc degrees in electronics engineering from Fudan University, China, in 1997 and 2000, respectively, and the PhD degree in computer science from the University of Texas at Dallas in 2003. Currently, he is an associate professor in the Department of Computing at The Hong Kong Polytechnic University, Hong Kong. His research interests include distributed computing systems, data management, and secured communication networks, focusing on wireless sensor networks and RFID systems. He is an associate editor for International Journal of Parallel, Emergent and Distributed Systems. He is a recipient of the Best Paper Award of IEEE/IFIP EUC 2011. He is a senior member of the IEEE.