Ad Hoc Networks

Volume 13, Part B, February 2014, Pages 271-281

Approaching the time lower bound on cloned-tag identification for large RFID systems

https://doi.org/10.1016/j.adhoc.2013.08.011

Abstract

Tag cloning attacks threaten a variety of Radio Frequency Identification (RFID) applications but are hard to prevent. To secure RFID applications that confine tagged objects in the same RFID system, this paper studies the cloned-tag identification problem. Although the limited existing work has shed some light on the problem, the design of fast cloned-tag identification protocols for applications in large-scale RFID systems has not yet been thoroughly investigated. To this end, we propose leveraging broadcast and collisions to identify cloned tags. This approach relieves us from resorting to complex cryptographic techniques and time-consuming transmission of tag IDs. Based on this approach, we derive a time lower bound on cloned-tag identification and propose a suite of time-efficient protocols that approach the time lower bound. The execution time of our protocol is only 1.4 times the value of the time lower bound, and over 91% less than that of the existing protocol. We further devise an adaptive protocol that can yield higher time efficiency under some scenarios. The proposed protocols may also benefit RFID applications that distribute tagged objects across multiple places.

Introduction

Tag cloning attacks threaten a variety of Radio Frequency Identification (RFID) applications but are hard to prevent. In a tag cloning attack, an attacker compromises genuine tags and produces replicas of them, namely cloned tags [2], [3]. Cloned tags behave exactly like genuine tags and can pass any authentication that genuine tags can [2], [3], [4]. If left unidentified, cloned tags pose a substantial threat to RFID applications that use the genuineness of tags to validate the authenticity of tagged objects. For example, when they carry cloned tags, products in an RFID-enabled supply chain lead to financial losses [5], RFID-embedded badges in buildings with RFID-based entrance control systems leak trade secrets [6], and healthcare facilities in RFID-aided hospitals jeopardize personal safety [7]. Of course, we would not need to worry about these threats if we could prevent tag cloning attacks. Unfortunately, most prevention techniques based on cryptography and encryption (e.g., proposals in [8], [9], [10]) are not affordable for low-cost tags [11], [12], [13]. Specifically, we focus on tags for supply chain management, which requires small and simple tags to control system cost. A recent breakthrough in preventing the cloning of low-cost tags adopts physically unclonable functions (PUFs) [14], [15], [16], [17]. PUF-based methods generate tag profiles from the tags' physical properties (e.g., hardware architecture), which are hard for attackers to crack and clone. Although PUFs raise the hope of defeating tag cloning attacks, we find it is still very hard for PUFs to generate physical profiles for all off-the-shelf tags.

To secure RFID applications, RFID systems are soliciting solutions that can expose unauthentic objects by identifying their attached cloned tags [18]. Although researchers have dedicated active efforts to RFID security and privacy and contributed exciting advances [2], [3], the design of fast cloned-tag identification protocols for applications in large-scale RFID systems has not yet been thoroughly investigated. In this paper, we concentrate on the application scenario where tagged objects are confined in the same RFID system [18]. Such applications include, for example, people tracking in buildings with RFID-based entrance control systems [6] and monitoring of healthcare facilities in RFID-aided hospitals [7].

SYNChronized secret (SYNC) [18] is, to our knowledge, the only study on cloned-tag identification for applications that confine tagged objects in the same RFID system. SYNC identifies cloned tags in an RFID system as follows. Initially, SYNC assigns each tag a unique ID and a unique random number. A map of tag IDs and corresponding random numbers is stored on a backend server. Readers communicate with the server via a secure link and are granted access to the stored map. To identify cloned tags, a reader writes a random number to a tag’s memory each time it scans the tag and updates the map accordingly. The reader identifies a cloned ID if it scans a tag with that ID but with a random number different from the one in the map. (More discussion on SYNC is available in Section 2.2.)

Our observations on SYNC encourage us to pursue more time-efficient protocols for cloned-tag identification, especially in large-scale RFID systems. First, SYNC is broadcast-unfriendly when a genuine tag and its cloned peer(s) are within the interrogation region of a reader. Broadcast causes two cases of collision, in both of which SYNC fails to identify cloned tags. In one case, a reader broadcasts a query message that informs tags to reply with IDs and random numbers; all responses collide. In the other case, a reader broadcasts a query message containing an ID. If carrying the contained ID, a tag replies with its random number. When the contained ID is a cloned one, responses from the genuine tag and cloned tag(s) collide. In both cases, the reader cannot correctly receive random numbers due to collisions; SYNC thus fails to identify some or even all cloned tags. Second, SYNC needs to collect tag IDs as well as random numbers. In fact, collecting IDs from all tags in a large-scale RFID system is very time-consuming [19], [20], [21], [22], [23]. High time efficiency is a long-standing goal for scalable protocols in favor of the explosion of RFID applications [24]. As we will show in later sections, compared with SYNC, our protocols can reduce the execution time by nearly an order of magnitude. Third, another concern is that transmitting tag IDs in the air may leak identity information, which should be protected in some privacy-sensitive RFID applications [13], [25], [26].
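The SYNC check described above, together with the second collision case in which it fails, as an added Python model (not code from the paper or from the SYNC authors). The class and method names are hypothetical, the tags are constructed sample data, and the radio channel is reduced to "more than one responder means the reply is unreadable".

```python
import secrets

class Tag:
    """Constructed model of a low-cost tag: an ID plus one rewritable random number."""
    def __init__(self, tag_id, secret):
        self.tag_id, self.secret = tag_id, secret

def clone(tag):
    """A cloned tag copies the ID and the random number the genuine tag held at that moment."""
    return Tag(tag.tag_id, tag.secret)

class SyncReader:
    """Hypothetical reader plus backend map (tag ID -> last random number written)."""
    def __init__(self):
        self.secret_map = {}
        self.cloned_ids = set()

    def enroll(self, tag_id):
        self.secret_map[tag_id] = secrets.token_hex(8)
        return Tag(tag_id, self.secret_map[tag_id])

    def scan(self, tag):
        """Tag-wise scan: compare the random number, then rewrite it on tag and server."""
        if tag.secret != self.secret_map[tag.tag_id]:
            self.cloned_ids.add(tag.tag_id)   # stale number: this ID has been cloned
            return "cloned-id"
        tag.secret = self.secret_map[tag.tag_id] = secrets.token_hex(8)
        return "ok"

    def broadcast_query(self, tag_id, tags_in_range):
        """Query containing an ID: every tag carrying it replies with its random number."""
        responders = [t for t in tags_in_range if t.tag_id == tag_id]
        if not responders:
            return "empty"
        if len(responders) > 1:
            return "collision-unreadable"     # replies collide, nothing to compare
        return self.scan(responders[0])

def demo():
    reader = SyncReader()
    genuine, other = reader.enroll("ID-A"), reader.enroll("ID-B")
    copy = clone(genuine)                     # clone made before the next scan
    out = {"broadcast": reader.broadcast_query("ID-A", [genuine, copy, other]),
           "flagged_after_broadcast": set(reader.cloned_ids)}
    # Scanning the tags one at a time does expose the cloned ID.
    out["scan_genuine"] = reader.scan(genuine)
    out["scan_copy"] = reader.scan(copy)
    out["scan_other"] = reader.scan(other)
    out["flagged_after_scans"] = set(reader.cloned_ids)
    return out

if __name__ == "__main__":
    print(demo())
```

The model flags the cloned ID, not which physical tag is the replica: whichever of the two copies is scanned second holds the stale number.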

RFID distance bounding protocols [27], [28], [29] can also benefit cloned-tag identification, but we have similar concerns about their efficiency as we have about SYNC [18]. Distance bounding protocols initially aim to verify the authenticity of tags with limited operating ranges in the order of 10 cm to 1 m [6]. In essence, the reader authenticates a tag using a cryptographic challenge-response exchange and, meanwhile, estimates the distance from the tag. A genuine tag should both pass the authentication and be located within an expected distance limit such as 1 m. We refer interested readers to references [27], [28], [29] for design specifics of RFID distance bounding protocols. Applying distance bounding protocols to cloned-tag identification, we could sequentially authenticate tags in different areas and detect cloned tags with the same IDs but in more than one area. However, similar to SYNC, their operation boils down to tag-wise scanning. Distance bounding protocols are, therefore, not feasible for automatic identification of tags with longer communication range in large RFID systems. Furthermore, keys, challenge nonces and challenge responses are each usually of length 80–256 bits [27]. Transmitting these bitstrings makes distance bounding protocols less time-efficient than SYNC. We thus do not prefer adopting distance bounding protocols for cloned-tag identification in large RFID systems.

Inspired by SYNC [18], we seek to design time-efficient cloned-tag identification protocols for securing applications that confine tagged objects in the same RFID system. We expect such protocols to identify all cloned tags in a large-scale RFID system as fast as possible. We summarize our approach and highlight its contributions to fast cloned-tag identification as follows:

  • Identify all cloned tags rather than simply detect some of them. We can thus secure applications that confine all tagged objects in the same RFID system [6], [7], [18]. As to applications that distribute tagged objects across multiple places [5], [30], if we could locate the source where tagged objects are from, we can also leverage our approach to reject objects attached with cloned tags before they are distributed.

  • Leverage broadcast and collisions to identify cloned tags. The idea is intuitive but efficient – when we specify only one tag with a certain ID to send a response, there exists its cloned peer(s) if a collision of multiple responses occurs. This idea relieves us from resorting to complex cryptography techniques. Moreover, in a large-scale RFID system accommodating tens of thousands of tagged objects, leveraging broadcast promises us more practical protocols than does tag-wise scanning in SYNC.

  • Strive for time efficiency gains in the protocol design. We derive a time lower bound on cloned-tag identification and propose a series of protocols toward approaching it. Through eliminating ID broadcast and bypassing useless time slots, we propose ES-BID, a protocol with execution time of only 1.4 times the value of the time lower bound. Simulation results show that, compared with SYNC, ES-BID reduces the execution time by nearly an order of magnitude. Even better, we improve on [1] by further digging up AID, an adaptive protocol that can yield higher time efficiency under some scenarios and increase the computation efficiency.
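The collision idea from the second bullet, as an added Python illustration that goes one step beyond the text: besides addressing one ID at a time, it runs hashed frames in which the reader, knowing every ID, predicts which slots should carry exactly one reply. This is not the paper's BID, S-BID or ES-BID specification; the function names, the SHA-256 slot hash, the frame sizing, the rule that resolved tags stay silent and the assumption that every tag in the field carries a known ID are all assumptions, and the tag population is constructed.

```python
import hashlib
from collections import Counter

def slot_of(tag_id, seed, frame_size):
    """Slot a tag picks: hash of (seed, ID) mod frame size; the reader can compute it too."""
    digest = hashlib.sha256(f"{seed}:{tag_id}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % frame_size

def channel_states(replying_ids, seed, frame_size):
    """What the reader senses per slot: 0 = empty, 1 = one reply, 2 = collision."""
    load = Counter(slot_of(t, seed, frame_size) for t in replying_ids)
    return [min(load[s], 2) for s in range(frame_size)]

def poll_by_id(tag_id, field):
    """Baseline from the text: address one ID; more than one reply means a clone exists."""
    return sum(1 for t in field if t == tag_id) > 1

def identify_cloned_ids(known_ids, field, max_rounds=8):
    """known_ids: the server's ID list. field: IDs physically present (a repeat is a clone).
    Returns (cloned_ids, slots_used)."""
    pending, cloned, slots_used = set(known_ids), set(), 0
    for seed in range(max_rounds):
        if not pending:
            break
        frame = len(pending)
        expected = Counter(slot_of(i, seed, frame) for i in pending)
        # Assumption: tags whose ID is already resolved stay silent in later frames.
        sensed = channel_states([t for t in field if t in pending], seed, frame)
        slots_used += frame
        for tag_id in list(pending):
            s = slot_of(tag_id, seed, frame)
            if expected[s] != 1:
                continue               # several known IDs share the slot: no information
            if sensed[s] == 2:
                cloned.add(tag_id)     # one reply expected, collision sensed
            pending.discard(tag_id)
    for tag_id in sorted(pending):     # leftovers: fall back to addressing each ID
        slots_used += 1
        if poll_by_id(tag_id, field):
            cloned.add(tag_id)
    return cloned, slots_used

# Constructed population: 200 enrolled IDs, three of them cloned (one of them twice).
KNOWN_IDS = [f"EPC-{n:04d}" for n in range(200)]
FIELD = KNOWN_IDS + ["EPC-0007", "EPC-0042", "EPC-0042", "EPC-0199"]

if __name__ == "__main__":
    found, slots = identify_cloned_ids(KNOWN_IDS, FIELD)
    print(sorted(found), "slots used:", slots)
```

No tag ID is ever transmitted during the hashed frames; the reader only needs the per-slot state.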

The rest of the paper is organized as follows. Section 2 presents an overview of the cloned-tag identification problem, related work, and our approach. Section 3 and Section 4 present protocols of S-BID and ES-BID, which leverage broadcast and collisions to identify cloned tags and increase the time efficiency through eliminating ID broadcast and through bypassing useless time slots, respectively. Section 5 discusses an adaptive protocol called AID and scenarios where it digs up more time efficiency gains. Section 6 reports simulation results and discusses limitations. Finally, Section 7 concludes the paper and indicates future work.

Section snippets

Preliminaries

In this section, we formulate the cloned-tag identification problem and provide an overview of related work and our approach.

S-BID: Slotted BID

In this section, we propose Slotted BID (S-BID), a cloned-tag identification protocol that eliminates ID broadcast. Our analysis shows that S-BID is faster than both SYNC and BID.

ES-BID: Enhanced S-BID

In this section, we propose Enhanced S-BID (ES-BID), a protocol that bypasses useless time slots suffered by S-BID. Our analysis shows that ES-BID can at best push the execution time to 1.3 times the value of the time lower bound.

AID: adaptive cloned-tag identification protocol

In this section, we propose an Adaptive cloned-tag IDentification protocol (AID). Through a simple injection from tag IDs to slot indices, AID exploits efficiency gains under scenarios where an injection-based protocol outperforms ES-BID.

Performance evaluation

In this section, we evaluate the time efficiency of BID, S-BID, ES-BID, and AID through simulations, comparing against that of the most related protocol SYNC [18]. We first describe the simulation environment. We then report and discuss the simulation results.

Conclusion and future work

We have studied the cloned-tag identification problem that is of practical importance to secure RFID applications. We concentrate on the application scenario where all tagged objects are confined in the same RFID system. To meet the time efficiency requirement for large-scale RFID systems, we seek to design protocols that can identify cloned tags as fast as possible. We leverage broadcast and collisions to identify the cloned tags. This approach gets rid of more complex cryptography techniques

Acknowledgments

This work was supported in part by HK RGC PolyU 5286/12E. The authors would also like to sincerely thank Editors and Reviewers for their thoughtful, constructive suggestions and comments. Especially helpful are the suggestions for simplifying problem statement and for discussing distance bounding protocols and physical unclonable functions.

References (51)

  • B. Janz et al., Information systems and health care-II: Back to the future with RFID: lessons learned-some old, some new, Communications of the Association for Information Systems (2005)
  • J. Abawajy, Enhancing RFID tag resistance against cloning attack, in: IEEE NSS, 2009, pp....
  • T. Dimitriou, A lightweight RFID protocol to protect against traceability and cloning attacks, in: IEEE SecureComm,...
  • A. Juels, Strengthening EPC tags against cloning, in: ACM WiSe, 2005, pp....
  • L. Lu, Y. Liu, X. Li, Refresh: weak privacy model for RFID systems, in: IEEE INFOCOM, 2010, pp....
  • S. Sarma, Introductory talk: some issues related to RFID and security, in: Workshop on RFID Security,...
  • S. Spiekermann, S. Evdokimov, Privacy enhancing technologies for RFID – a critical investigation of state of the art...
  • L. Bolotnyy, G. Robins, Physically unclonable function-based security and privacy in RFID systems, in: IEEE PerCom,...
  • S. Devadas, E. Suh, S. Paral, R. Sowell, T. Ziola, V. Khandelwal, Design and implementation of PUF-based unclonable...
  • A.-R. Sadeghi, I. Visconti, C. Wachsmann, PUF-enhanced RFID security and privacy, in: Workshop on Secure Component and...
  • M. Lehtonen et al., Securing RFID systems by detecting tag cloning, Pervasive Computing (2009)
  • K. Bu, B. Xiao, Q. Xiao, S. Chen, Efficient pinpointing of misplaced tags in large RFID systems, in: IEEE SECON, 2011,...
  • S. Chen, M. Zhang, B. Xiao, Efficient information collection protocols for sensor-augmented RFID networks, in: IEEE...
  • M. Kodialam, T. Nandagopal, Fast and reliable estimation schemes in RFID systems, in: ACM MobiCom, 2006, pp....
  • R. Zhang, Y. Liu, Y. Zhang, J. Sun, Fast identification of the missing tags in a large RFID system, in: IEEE SECON,...

    Kai Bu received the BSc and MSc degrees in computer science from the Nanjing University of Posts and Telecommunications, Nanjing, China, in 2006 and 2009, respectively, and the Ph.D. degree in computer science from The Hong Kong Polytechnic University, Hong Kong, in 2013. He is currently an Assistant Professor in the College of Computer Science and Technology at Zhejiang University, China. His research interests include RFID and wireless networks. He is a recipient of the Best Paper Award of IEEE/IFIP EUC 2011. He is a member of the IEEE Communications Society.

    Xuan Liu received the MSc degree from the School of Computer Science & Engineering, National University and Defense, China, in 2008. Currently, she is a PhD candidate in the Department of Computing at The Hong Kong Polytechnic University, Hong Kong. Her research interests include distributed computing systems, mobile computing, focusing on wireless sensor networks and RFID systems.

    Bin Xiao received the BSc and MSc degrees in electronics engineering from Fudan University, China, in 1997 and 2000, respectively, and the PhD degree in computer science from the University of Texas at Dallas in 2003. Currently, he is an associate professor in the Department of Computing at The Hong Kong Polytechnic University, Hong Kong. His research interests include distributed computing systems, data management, and secured communication networks, focusing on wireless sensor networks and RFID systems. He is an associate editor for International Journal of Parallel, Emergent and Distributed Systems. He is a recipient of the Best Paper Award of IEEE/IFIP EUC 2011. He is a senior member of the IEEE.

    A preliminary version of the manuscript has been published in the Proc. of 20th International Workshop on Quality of Service (IEEE/ACM IWQoS 2012) as a short paper [1].
