RFID security and privacy: a research survey

Ari Juels
01 Sep 2006, Vol. 24, Iss. 2, pp. 381-394
IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, VOL. 24, NO. 2, FEBRUARY 2006 381
RFID Security and Privacy: A Research Survey
Ari Juels
Invited Paper
Abstract—This paper surveys recent technical research on the problems of privacy and security for radio frequency identification (RFID). RFID tags are small, wireless devices that help identify objects and people. Thanks to dropping cost, they are likely to proliferate into the billions in the next several years—and eventually into the trillions. RFID tags track objects in supply chains, and are working their way into the pockets, belongings, and even the bodies of consumers. This survey examines approaches proposed by scientists for privacy protection and integrity assurance in RFID systems, and treats the social and technical context of their work. While geared toward the nonspecialist, the survey may also serve as a reference for specialist readers.
Index Terms—Authentication, cloning, counterfeiting, electronic product code (EPC), privacy, radio frequency identification (RFID), security.
I. INTRODUCTION
RADIO FREQUENCY IDENTIFICATION (RFID) is a technology for automated identification of objects and people. Human beings are skillful at identifying objects under a variety of challenge circumstances. A bleary-eyed person can easily pick out a cup of coffee on a cluttered breakfast table in the morning, for example. Computer vision, though, performs such tasks poorly. RFID may be viewed as a means of explicitly labeling objects to facilitate their “perception” by computing devices.
An RFID device—frequently just called an RFID tag—is a small microchip designed for wireless data transmission. It is generally attached to an antenna in a package that resembles an ordinary adhesive sticker. The microchip itself can be as small as a grain of sand, some 0.4 mm [65]. An RFID tag transmits data over the air in response to interrogation by an RFID reader.
In both the popular press and academic circles, RFID has seen a swirl of attention in the past few years. One important reason for this is the effort of large organizations, such as Wal-Mart, Procter and Gamble, and the U.S. Department of Defense, to deploy RFID as a tool for automated oversight of their supply chains. Thanks to a combination of dropping tag costs and vigorous RFID standardization, we are on the brink of an explosion in RFID use.
Advocates of RFID see it as a successor to the optical barcode familiarly printed on consumer products, with two distinct advantages.
1) Unique identification: A barcode indicates the type of object on which it is printed, e.g., “this is a 100 g bar of ABC brand 70% chocolate.” An RFID tag goes a step further. It emits a unique serial number that distinguishes among many millions of identically manufactured objects; it might indicate, e.g., that “this is a 100 g bar of ABC brand 70% chocolate, serial no. 897 348 738.”¹ The unique identifiers in RFID tags can act as pointers to database entries containing rich transaction histories for individual items.
2) Automation: Barcodes, being optically scanned, require line-of-sight contact with readers, and thus careful physical positioning of scanned objects. Except in the most rigorously controlled environments, barcode scanning requires human intervention. In contrast, RFID tags are readable without line-of-sight contact and without precise positioning. RFID readers can scan tags at rates of hundreds per second. For example, an RFID reader by a warehouse dock door can today scan stacks of passing crates with high accuracy. In the future, point-of-sale terminals may be able to scan all of the items in passing shopping carts [72].
Manuscript received September 1, 2005; revised October 1, 2005. The author is with RSA Laboratories, Bedford, MA 01730 USA (e-mail: ajuels@rsasecurity.com). Digital Object Identifier 10.1109/JSAC.2005.861395
Due to tag cost and a hodgepodge of logistical complications—like the ubiquity of metal shelving, which interferes with RFID scanning—RFID tags are unlikely to appear regularly on consumer items for some years. Retailers have expressed interest, though, in ultimately tagging individual items. Such tagging would, for instance, address the perennial problem of item depletion on retail shelves, which is costly in terms of lost sales. Today, RFID is seeing fruition in the tagging of crates and pallets, that is, discrete bulk quantities of items. RFID tagging improves the accuracy and timeliness of information about the movement of goods in supply chains.
The main form of barcode-type RFID device is known as an electronic product code (EPC) tag. An organization known as EPCglobal Inc. [18] oversees the development of the standards for these tags. Not surprisingly, EPCglobal is a joint venture of the UCC and EAN, the bodies that regulate barcode use in the United States and the rest of the world respectively.
EPC tags cost less than 13 U.S. cents apiece in large quantities at present [1]. Manufacturers and users hope to see per-tag costs drop to five cents in the next few years [60]. RFID readers cost several thousand dollars each, but it is likely that their cost will soon drop dramatically.
¹ In principle, barcodes can uniquely identify objects, of course; two-dimensional barcodes on shipped packages do so, for instance. In practice—particularly, in retail environments—unique barcoding has proven impractical.
0733-8716/$20.00 © 2006 IEEE

In the quest for low cost, EPC tags adhere to a minimalist design. They carry little data in on-board memory. The unique index of an EPC tag, known as an EPC code, includes information like that in an ordinary barcode, but serves also as a pointer to database records for the tag. An EPC code today can be up to 96 bits in length [33].² Database entries for tags, of course, can have effectively unlimited size, so that the recorded history of a tag and its associated object can be quite rich. EPCglobal has developed a public lookup system for EPC tags called the Object Name Service (ONS), analogous in name and operation with the Domain Name System (DNS). The purpose of the ONS is to route general tag queries to the databases of tag owners and managers.
In general, small and inexpensive RFID tags are passive. They have no on-board power source; they derive their transmission power from the signal of an interrogating reader. Passive tags can operate in any of a number of different frequency bands. Low-frequency (LF) tags, which operate in the 124–135 kHz range, have nominal read ranges of up to half a meter. High-frequency (HF) tags, operating at 13.56 MHz, have ranges up to a meter or more (but typically on the order of tens of centimeters). Ultra high-frequency (UHF) tags, which operate at frequencies of 860–960 MHz (and sometimes 2.45 GHz), have the longest range, up to tens of meters. UHF tags, though, are subject to more ambient interference than lower-frequency types. Later in this survey, we enumerate the major standards for passive RFID devices.
Some RFID tags contain batteries. There are two such types: semi-passive tags, whose batteries power their circuitry when they are interrogated, and active tags, whose batteries power their transmissions. Active tags can initiate communication, and have read ranges of 100 m or more. Naturally, they are expensive, costing some $20 or more.
A. RFID Today and Tomorrow
Many of us already use RFID tags routinely. Examples include proximity cards, automated toll-payment transponders, and payment tokens. The ignition keys of many millions of automobiles, moreover, include RFID tags as a theft-deterrent.
In a world where everyday objects carried RFID tags, remarkable things would be possible. Here are a few possibilities (among the myriad that the reader might dream up).
• Smart appliances: By exploiting RFID tags in garments and packages of food, home appliances could operate in much more sophisticated ways. Washing machines might automatically choose an appropriate wash cycle, for instance, to avoid damage to delicate fabrics. Your refrigerator might warn you when the milk has expired or you have only one remaining carton of yogurt, and could even transmit a shopping list automatically to a home delivery service.³
• Shopping: In retail shops, consumers could check out by rolling shopping carts past point-of-sale terminals. These terminals would automatically tally the items, compute the total cost, and perhaps even charge the consumers’ RFID-enabled payment devices and transmit receipts to their mobile phones. Consumers could return items without receipts. RFID tags would act as indices into database payment records, and help retailers track the pedigrees of defective or contaminated items.
• Medication compliance: Research at Intel and the University of Washington [22] exploits RFID to facilitate medication compliance and home navigation for the elderly and cognitively impaired. As researchers have demonstrated, for example, an RFID-enabled medicine cabinet could help verify that medications are taken in a timely fashion. More generally, RFID promises to bring tremendous benefits to hospitals [20].
² The expectation at the time of writing is that the EPC codes will soon expand to a minimum of 128 bits in length, with extensions for 256 bits or more.
³ The company Merloni has built prototype RFID-enabled appliances [4].
B. But What, Really, is RFID?
In this paper, we use RFID to denote any RF device whose main function is identification of an object or person. At the rudimentary end of the functional spectrum, this definition excludes simple devices like retail inventory tags, which merely indicate their presence and on/off status. It also excludes portable devices like mobile phones, which do more than merely identify themselves or their bearers. A broad definition for RFID is appropriate because the technical capabilities and distinctions among RF devices will drift over time, and the privacy and authentication concerns that we highlight in this paper apply broadly to RF identification devices great and small. Most importantly, though, the names of standards like ISO 14443 or EPC Class-1 Gen-2 do not trip off the tongue or inhere well in the mind. The term RFID will unquestionably remain the popular one, and the term according to which most people frame debate and policies, a fact it behooves technologists to remember.
Of course, standards precisely define classes of RF devices. It is worth briefly mentioning the major ones. ISO 18000 is a multipart standard that specifies protocols for a number of different frequencies, including LF, HF, and UHF bands. For UHF tags, the dominant standard will very likely be the recently ratified EPCglobal Class-1 Gen-2. For HF tags, there are two main standards apart from ISO 18000. ISO 14443 (types A and B) is a standard for proximity RFID devices; it has a nominal 10 cm operating range. ISO 15693 is a more recent HF standard for vicinity RFID devices; it can achieve longer nominal ranges, up to 1 m for large antenna setups. (Mode 1 of ISO 18000 Part 3 is based on ISO 15693.)
Also of note is the Near-Field Consortium (NFC) standard (NFCIP-1/ECMA340, ISO 18092). Compatible with ISO 14443 and ISO 15693, this HF standard transcends the fixed tag-reader model, in that an NFC device can operate as either a reader or a tag, and thus either transmit or receive. Some mobile phones today support NFC; many portable devices may well in the future.
C. Security and Privacy Problems
1) Privacy: RFID raises two main privacy concerns for users: clandestine tracking and inventorying.
RFID tags respond to reader interrogation without alerting their owners or bearers. Thus, where read range permits, clandestine scanning of tags is a plausible threat. As discussed above, most RFID tags emit unique identifiers, even tags that protect data with cryptographic algorithms (as we discuss below). In consequence, a person carrying an RFID tag effectively broadcasts a fixed serial number to nearby readers, providing a ready vehicle for clandestine physical tracking. Such tracking is possible even if a fixed tag serial number is random and carries no intrinsic data.
The threat to privacy grows when a tag serial number is combined with personal information. For example, when a consumer makes a purchase with a credit card, a shop can establish a link between her identity and the serial numbers of the tags on her person. Marketers can then identify and profile the consumer using networks of RFID readers, both inside shops and without. The problem of clandestine tracking is not unique to RFID, of course. It affects many other wireless devices, such as Bluetooth-enabled ones [37].
In addition to their unique serial numbers, certain tags, EPC tags in particular, carry information about the items to which they are attached. EPC tags include a field for the General Manager, typically the manufacturer of the object, and an object class, typically a product code, known formally as a stock keeping unit (SKU).⁴ (See [33] for details.) Thus, a person carrying EPC tags is subject to clandestine inventorying. A reader can silently determine what objects she has on her person, and harvest important personal information: What types of medications she is carrying and, therefore, what illnesses she may suffer from; the RFID-enabled loyalty cards she carries and, therefore, where she shops; her clothing sizes and accessory preferences, and so forth. This problem of inventorying is largely particular to RFID.
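To make the inventorying exposure concrete, here is an added example (my code, not the paper's and not an EPCglobal implementation) that decodes a 96-bit EPC into the fields just named. It assumes the SGTIN-96 layout of the EPC Tag Data Standard, with the company prefix standing in for the General Manager field and the item reference for the object class; the company prefix, product codes and serial numbers in the sample are constructed. The `inventory` function shows that the product classes of a person's belongings are readable from the EPCs alone, with no ONS or database lookup.

```python
# Added example, not code from the paper: decode a 96-bit SGTIN EPC to show what
# an unprotected EPC tag discloses to any reader in range. Field layout follows the
# SGTIN-96 encoding of the EPC Tag Data Standard; the sample EPCs are constructed.
from collections import Counter

# SGTIN-96 partition table: partition -> (company-prefix bits, digits,
# item-reference bits, digits). Prefix plus item reference always total 44 bits.
PARTITIONS = {
    0: (40, 12, 4, 1), 1: (37, 11, 7, 2), 2: (34, 10, 10, 3), 3: (30, 9, 14, 4),
    4: (27, 8, 17, 5), 5: (24, 7, 20, 6), 6: (20, 6, 24, 7),
}
SGTIN96_HEADER = 0x30
SERIAL_BITS = 38


def encode_sgtin96(filter_value, partition, company_prefix, item_ref, serial):
    """Pack the fields into the 24-hex-digit EPC a tag would emit.
    Layout, MSB first: header 8 | filter 3 | partition 3 | company prefix | item ref | serial 38."""
    cp_bits, _, ir_bits, _ = PARTITIONS[partition]
    if (company_prefix >= 1 << cp_bits or item_ref >= 1 << ir_bits
            or serial >= 1 << SERIAL_BITS):
        raise ValueError("field does not fit its width")
    bits = (SGTIN96_HEADER << 88) | (filter_value << 85) | (partition << 82)
    bits |= (company_prefix << (SERIAL_BITS + ir_bits)) | (item_ref << SERIAL_BITS) | serial
    return f"{bits:024X}"


def decode_sgtin96(epc_hex):
    """Split an EPC into the fields the paper names: General Manager (company
    prefix), object class (item reference) and the per-item serial number."""
    if len(epc_hex) != 24:
        raise ValueError("SGTIN-96 is 96 bits, i.e. 24 hex digits")
    bits = int(epc_hex, 16)
    if bits >> 88 != SGTIN96_HEADER:
        raise ValueError(f"not an SGTIN-96 header: {bits >> 88:#04x}")
    partition = (bits >> 82) & 0x7
    if partition not in PARTITIONS:
        raise ValueError(f"reserved partition value {partition}")
    cp_bits, cp_digits, ir_bits, ir_digits = PARTITIONS[partition]
    company_prefix = (bits >> (SERIAL_BITS + ir_bits)) & ((1 << cp_bits) - 1)
    item_ref = (bits >> SERIAL_BITS) & ((1 << ir_bits) - 1)
    return {
        "filter": (bits >> 85) & 0x7,
        "company_prefix": str(company_prefix).zfill(cp_digits),  # General Manager
        "item_reference": str(item_ref).zfill(ir_digits),        # object class / SKU
        "serial": bits & ((1 << SERIAL_BITS) - 1),               # unique per item
    }


def inventory(epcs):
    """What a reader learns with no database at all: which product classes a
    person carries and how many of each. Serial numbers are simply dropped."""
    return Counter((f["company_prefix"], f["item_reference"])
                   for f in map(decode_sgtin96, epcs))


# Constructed sample: two items of one product class and one of another, all
# under a fictitious company prefix 1234567 (partition 5: 7 + 6 digits).
SAMPLE_EPCS = [
    encode_sgtin96(3, 5, 1234567, 123456, 897348738),
    encode_sgtin96(3, 5, 1234567, 123456, 897348739),
    encode_sgtin96(3, 5, 1234567, 654321, 42),
]

if __name__ == "__main__":
    for epc in SAMPLE_EPCS:
        print(epc, decode_sgtin96(epc))
    print("object classes carried:", dict(inventory(SAMPLE_EPCS)))
```

The object class is the part that does the damage for privacy: as footnote 4 below notes, it can be learned by scanning any one instance of the product, so a reader does not need the manufacturer's cooperation to interpret it.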
Today the problems of clandestine RFID tracking and inventorying are of limited concern, since RFID infrastructure is scarce and fragmentary. As explained above, the tagging of individual retail items is probably some years away. Once RFID becomes pervasive, however, as is almost inevitable, the privacy problem will assume more formidable dimensions. One harbinger of the emerging RFID infrastructure is Verisign’s EPC Discovery Service [34]. It creates a unified view of sightings of individual EPC tags across organizations.
RFID privacy is already of concern in several areas of everyday life.
• Toll-payment transponders: Automated toll-payment transponders, small plaques positioned in windshield corners, are commonplace worldwide. In at least one celebrated instance, a court subpoenaed the data gathered from such a transponder for use in a divorce case, undercutting the alibi of the defendant [64].
• Libraries: Some libraries have implemented RFID systems to facilitate book checkout and inventory control and to reduce repetitive stress injuries in librarians. Concerns about monitoring of book selections, stimulated in part by the USA Patriot Act, have fueled privacy concerns around RFID [55].
⁴ These fields are short numerical codes that are meaningful, like barcodes, only upon translation. Services like the ONS will publicly translate General-Manager codes into human-readable form. Manufacturers may or may not choose to make their object-class codes publicly available. These codes will be easy to determine, however, with or without reference to the manufacturer: Scanning one instance of a given product type will reveal its object class.
• Passports: An international organization known as the International Civil Aviation Organization (ICAO) has promulgated guidelines for RFID-enabled passports and other travel documents [32], [43]. The United States has mandated the adoption of these standards by 27 visa waiver countries as a condition of entry for their citizens. The mandate has seen delays due to its technical challenges and changes in its technical parameters, partly in response to lobbying by privacy advocates [73].⁵
• Human implantation: Few other RFID systems have inflamed the passions of privacy advocates like the VeriChip system [67]. VeriChip is a human-implantable RFID tag, much like the variety for house pets. One intended application is medical-record indexing; by scanning a patient’s tag, a hospital can locate her medical record. Indeed, hospitals have begun experimentation with these devices [28]. Physical access control is another application in view for the VeriChip.
a) Read ranges: Tag read ranges are an important factor in discussions about privacy. Different operating frequencies for tags induce different ranges, thanks to their distinctive physical properties. Under ideal conditions, for instance, UHF tags have read ranges of over ten meters; for HF tags, the maximum effective read distance is just a couple of meters. Additionally, environmental conditions impact RFID efficacy. The proximity of radio-reflective materials, e.g., metals, and radio-absorbing materials, like liquids, as well as ambient radio noise, affect scanning distances. At least one manufacturer, Avery Dennison, has devised RFID tags specially for application to metal objects. Liquids, like beverages and liquid detergents, have hampered the scanning of UHF tags in industry RFID pilots. Protocol and hardware-design choices also affect read ranges.
The human body, consisting as it does primarily of liquid, impedes the scanning of UHF tags, a fact consequential to RFID privacy. If in the future you find yourself worried about clandestine scanning of the RFID tag in your sweater, the most effective countermeasure may be to wear it!
Sometimes RFID tags can foul systems by reason of excessively long range. In prototypes of automated supermarket-checkout trials run by NCR Corporation, some (experimental) patrons found themselves paying for the groceries of the people behind them in line [72].
Certainly, the RFID industry will overcome many of these impediments, so it would be a mistake to extrapolate tag capabilities too far into the future. It is important, however, to keep the limitations of physics in mind.
For the study of RFID privacy in passive tags, it is more accurate to speak not of the read range of a tag, but of the read ranges of a tag. Loosely speaking, there are four different ranges to consider. In roughly increasing distance, they are the following.
• Nominal read range: RFID standards and product specifications generally indicate the read ranges at which they intend tags to operate. These ranges represent the maximum distances at which a normally operating reader, with an ordinary antenna and power output, can reliably scan tag data. ISO 14443, for example, specifies a nominal range of 10 cm for contactless smartcards.
• Rogue scanning range: The range of a sensitive reader equipped with a powerful antenna or antenna array can exceed the nominal read range. High-power output further amplifies read ranges. A rogue reader may even output power exceeding legal limits. For example, Kfir and Wool [51] suggest that a battery-powered reading device can potentially scan ISO 14443 tags at a range of as much as 50 cm, i.e., five times the nominal range. The rogue scanning range is the maximum range at which a reader can power and read a tag.
• Tag-to-reader eavesdropping range: Read-range limitations for passive RFID result primarily from the requirement that the reader power the tag. Once a reader has powered a tag, a second reader can monitor resulting tag emissions without itself outputting a signal, i.e., it can eavesdrop. The maximum distance of such a second, eavesdropping reader may be larger than its rogue scanning range.
• Reader-to-tag eavesdropping range: In some RFID protocols, a reader transmits tag-specific information to the tag. Because readers transmit at much higher power than tags, they are subject to eavesdropping at much greater distances than tag-to-reader communications, perhaps even kilometers away.⁶
⁵ The U.S. State Department has recently indicated that: 1) U.S. passport covers will include metallic material to limit RF penetration, and thus prevent long-range scanning of closed passports and 2) the U.S. may adopt a key ICAO privacy-protecting mechanism called basic access control (BAC). Under BAC, passport contents are encrypted; optical scanning is required to obtain the decryption key from a passport.
Also of concern in some special cases are detection ranges, i.e., the distance at which an adversary can detect the presence of tags or readers. In military scenarios, tag-detecting munitions or reader-seeking missiles could pose a threat.
b) Privacy from cradle to grave: The importance of RFID privacy in military operations reinforces an oft-neglected point: Privacy is not just a consumer concern. The enhanced supply-chain visibility that makes RFID so attractive to industry can also, in another guise, betray competitive intelligence. Enemy forces monitoring or harvesting RFID communications in a military supply chain could learn about troop movements. In civilian applications, similar risks apply. For example, many retailers see item-level RFID tagging as a means to monitor stock levels on retail shelves and avoid out-of-stock products. Individually tagged objects could also make it easier for competitors to learn about stock turnover rates; corporate spies could walk through shops surreptitiously scanning items [63]. Many of the privacy-enhancing techniques we discuss in this survey aim to protect consumers, or at least human bearers of RFID tags. It is useful to keep in mind the full scope of the privacy problem, though. In a recent survey paper, Garfinkel et al. [42] offer a taxonomy of threats across the different stages of a typical industrial supply chain.
2) Authentication: Privacy is a hobbyhorse in media coverage of RFID. To some extent, it has overshadowed the equally significant problem of authentication.⁷ Loosely speaking, RFID privacy concerns the problem of misbehaving readers harvesting information from well-behaving tags. RFID authentication, on the other hand, concerns the problem of well-behaving readers harvesting information from misbehaving tags, particularly counterfeit ones.
⁶ The EPC Class-1 Gen-2 standard exploits the gap between tag-to-reader and reader-to-tag eavesdropping ranges to achieve stronger data secrecy. When a reader is to transmit a sensitive value like a PIN P to a tag, the tag first transmits a random bit-string R to the reader. The reader transmits P XOR R, rather than P directly. Eavesdropping on the more vulnerable reader-to-tag channel alone, therefore, does not reveal P. A version of this idea directed at tree-walking, an anticollision protocol we described, first appeared in [69].
Asked what uses they foresee for RFID, ordinary U.S. consumers most frequently mention recovery of stolen goods [57]. In the popular imagination, RFID tags serve as a trustworthy label for the objects to which they are attached. Belief in tag authenticity will inevitably come to underpin many RFID applications. But it is in some measure an illusion.
Basic RFID tags are vulnerable to simple counterfeiting attacks. Scanning and replicating such tags requires little money or expertise. In [71], Westhues, an undergraduate student, describes how he constructed what is effectively an RF tape-recorder. This device can read commercial proximity cards, even through walls, and simulate their signals to compromise building entry systems.
EPC tags will be vulnerable to similar attacks. An EPC, after all, is just a bit string, copyable like any other. Basic EPC tags offer no real access-control mechanisms. It is possible that blank, i.e., fully field-programmable EPC tags, will be readily available on the market.⁸ More importantly, elementary RFID simulation devices will be easy to come by or create. Such devices need not even resemble RFID tags in order to deceive RFID readers. As a result, EPC tags may carry no real guarantee of authenticity.
Yet plans are afoot for use of such tags as anticounterfeiting devices. In the United States, the Food and Drug Administration (FDA) has called for the pharmaceutical industry to apply RFID tags to pallets and cases by 2007, with the aim of combatting counterfeit pharmaceuticals [24]. Two companies, Texas Instruments and VeriSign Inc., have proposed a chain-of-custody approach in support of this effort [36]. Their model involves digital signing of tag data to provide integrity assurance. Digital signatures do not confer cloning resistance to tags, however. They prevent forging of data, but not copying of data.
To be fair, even in the absence of resistance to tag cloning, unique numbering of objects can be a powerful anticounterfeiting tool. If two RFID-tagged crates turn up in a warehouse with identical serial numbers, it is clear that a problem has arisen. Such detection does not require tag authentication. The FDA has noted that simply by furnishing better data on item pedigrees in supply chains, RFID tags can help identify sources of counterfeit goods.
Nonetheless, scenarios abound in which counterfeiters can exploit the vulnerability of RFID tags to cloning. Detection of duplicates ultimately requires consistent and centralized data collection; where this is lacking, physical and digital anticounterfeiting mechanisms become more important. (See, e.g., [40] for examples.)
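The duplicate-serial check described above, as an added example that is not the paper's code nor that of any EPC Discovery Service: it runs over constructed sighting records (the log format, site names, EPC labels and the transit-time threshold are all assumptions) and flags a serial seen at two sites sooner than one physical item could have travelled between them. It also illustrates the caveat in the last paragraph, since the check only works when both sites' sightings land in one data set.

```python
# Added example, not code from the paper or from any EPC Discovery Service: a
# clone check over sighting records. The log format, site names, EPC labels and the
# minimum transit time are constructed assumptions.
from datetime import datetime, timedelta

# Constructed sightings, one per line: "<ISO timestamp> <site> <epc>".
# EPC-A shows up at two sites 20 minutes apart, which one physical crate cannot do;
# EPC-B moves between the same sites over six hours, which is ordinary transit.
SIGHTINGS_LOG = """\
2006-02-01T08:00:00 DC-WEST  EPC-A
2006-02-01T08:05:00 DC-WEST  EPC-B
2006-02-01T08:20:00 STORE-12 EPC-A
2006-02-01T09:00:00 DC-WEST  EPC-A
2006-02-01T14:00:00 STORE-12 EPC-B
"""


def parse_sightings(text: str) -> list:
    """Turn log lines into (timestamp, site, epc) tuples, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, site, epc = line.split()
        records.append((datetime.fromisoformat(ts), site, epc))
    return records


def find_duplicates(records: list, min_transit: timedelta = timedelta(hours=2)) -> list:
    """Flag a serial seen at two different sites closer together in time than an
    item could travel between them. Needs every site's sightings in one place,
    which is the centralized data collection the paper says this detection needs.
    Returns (epc, time of the later sighting, earlier site, later site) tuples."""
    by_epc = {}
    for ts, site, epc in sorted(records):
        by_epc.setdefault(epc, []).append((ts, site))
    alerts = []
    for epc, seq in by_epc.items():
        for (t1, s1), (t2, s2) in zip(seq, seq[1:]):
            if s1 != s2 and t2 - t1 < min_transit:
                alerts.append((epc, t2, s1, s2))
    return alerts


if __name__ == "__main__":
    for epc, when, came_from, seen_at in find_duplicates(parse_sightings(SIGHTINGS_LOG)):
        print(f"possible clone: {epc} seen at {seen_at} at {when:%H:%M}, "
              f"too soon after {came_from}")
```

Nothing here authenticates a tag; the signal is purely that one serial number occupies two places at once, which is exactly the kind of detection the paragraph above says unique numbering makes possible without cloning resistance.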
Some RFID devices, such as the American Express ExpressPay and the Mastercard PayPass credit cards, and the active RFID tags that will secure shipping containers, can perform cryptographic operations. Bar reverse-engineering (and side-channel attacks), these devices offer very good resistance to cloning. As we explain below, however, some popular RFID devices perform cryptographic operations that are too weak to afford protection against determined attackers.
⁷ In fact, RFID was first invented as a friend-or-foe authenticator for fighter planes during WW II.
⁸ Field-programmable Class-1 Gen-2 EPC tags are available today [3]; they contain factory-programmed identifiers, however, in addition to user-programmable bits.
What about RFID as an antitheft mechanism? Certainly, RFID tags can help prevent theft in retail shops. They will serve as an alternative to the electronic article surveillance (EAS) tags that today detect stolen articles of clothing and other, relatively high-value items. RFID tags will not, however, prove very effective against determined thieves. A thief wishing to steal and repurpose an RFID-tagged object can disable its existing tag and, with enough sophistication, even replace it with a tag carrying data of her choice.⁹
There is another aspect of authentication that is specific to RFID, namely, authentication of distance. Thanks to the relatively short range of some RFID devices, users can authorize commercial transactions with RFID devices by placing them explicitly in proximity to readers. RFID-enabled payment tokens like credit cards work this way. As we shall see, however, tag distance is difficult to authenticate. Researchers have already demonstrated spoofing attacks.
D. Attack Models
In order to define the notions of secure and private for RFID tags in a rigorous way, we must first ask: Secure and private against what? The best answer is a formal model that characterizes the capabilities of potential adversaries. In cryptography, such a model usually takes the form of an experiment, a program that intermediates communications between a model adversary, characterized as a probabilistic algorithm (or Turing machine), and a model runtime environment containing system components (often called oracles). In the model for an RFID system, for example, the adversary would have access to system components representing tags and readers.
In most cryptographic models, the adversary is assumed to have more-or-less unfettered access to system components in the runtime environment. In security models for the Internet, this makes sense: An adversary can more or less access any networked computing device at any time. A server, for instance, is always online, and responds freely to queries from around the world. For RFID systems, however, around-the-clock access by adversaries to tags is usually too strong an assumption. In order to scan a tag, an adversary must have physical proximity to it, a sporadic event in most environments. It is important to adapt RFID security models to such realities. Because low-cost RFID tags cannot execute standard cryptographic functions, they cannot provide meaningful security in models that are too strong.
An important research challenge, therefore, is the formulation of weakened security models that accurately reflect real-world threats and real-world tag capabilities. Juels [38], for example, proposes a so-called minimalist security model and accompanying protocols for low-cost tags. This model supposes that an adversary only comes into scanning range of a tag on a periodic basis (and also that tags release their data at a limited rate). More precisely, the minimalist model assumes a cap on the number of times that an adversary can scan a given tag or try to spoof a valid reader; once this cap is reached, it is assumed that the tag interacts in private with a valid reader. The minimalist model might assume, for example, that an adversary can scan a target proximity card or try to gain unauthorized entrance to a building only ten times before the legitimate owner of the card achieves valid building entry outside the eavesdropping range of the adversary.
⁹ Thieves today commonly bypass EAS systems by hiding items in foil-lined bags that prevent the penetration of radio waves needed to read inventory tags.
Many cryptographic models of security fail to express important features of RFID systems. A simple cryptographic model, for example, captures only the top-layer communication protocol between a tag and reader. At the lower layers are anticollision protocols and other basic RF protocols. Avoine and Oechslin (AO) [10] make the important contribution of enumerating the security issues present at multiple communication layers in RFID systems. Among other issues, they highlight the risks of inadequate random-number generation in RFID tags. (As remarked in a footnote above, for example, the EPC Class-1 Gen-2 standard relies on randomness to protect sensitive data transmitted from the reader to the tag.) They also observe the tracking threats that can arise from the many competing RFID standards: a tag's underlying standard could itself serve as a short, identifying piece of information. AO further note potential risks at the physical level in RFID systems. For example, due to manufacturing variations, it is conceivable that an adversary could identify tags based on physical quirks in the signals they emit. Even the best cryptographic privacy-preserving protocol may be of little avail if an RFID tag has a distinct radio fingerprint!
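To make the random-number point concrete, here is an added example (not from the survey or from the EPC standard's own text). In Gen-2, the reader never sends the 32-bit access password in the clear: for each 16-bit half the tag first supplies a fresh 16-bit random number (RN16), and the reader transmits the half XORed with it. Because the RN16 travels only tag-to-reader at short range while the reader's word is audible from much farther away, the scheme is only as strong as the tag's RN16 generator. The generator below is a constructed weak one, a 32-bit xorshift seeded from 16 bits of entropy, and the attack assumes the attacker once captured a few of the tag's earlier RN16s while in tag-read range and that the tag was not queried between those and the access exchange. Neither the generator nor the scenario is claimed to match any real tag.

```python
MASK16 = 0xFFFF
MASK32 = 0xFFFFFFFF


class TagRng:
    """Constructed weak RN16 generator for this example (not the Gen-2 spec):
    32-bit xorshift state, but only 16 bits of per-tag seed entropy."""

    def __init__(self, seed16):
        # fixed constant keeps the state nonzero; only seed16 varies per tag
        self.state = 0x9E3779B9 ^ (seed16 & MASK16)

    def rn16(self):
        x = self.state
        x ^= (x << 13) & MASK32
        x ^= x >> 17
        x ^= (x << 5) & MASK32
        self.state = x
        return x >> 16


def reader_access(tag_rng, access_password):
    """Cover-coding: for each 16-bit half of the 32-bit access password the tag
    supplies a fresh RN16 and the reader transmits half XOR RN16. Returns the
    two words the reader sends (observable at reader-eavesdropping range);
    the RN16s themselves are heard only near the tag."""
    covered = []
    for half in (access_password >> 16, access_password & MASK16):
        rn = tag_rng.rn16()          # tag's reply to the reader's request
        covered.append(half ^ rn)    # what the high-power reader radiates
    return covered


def recover_generator(observed_rn16s):
    """Attacker: brute-force the 16-bit seed space for a generator reproducing
    the previously observed RN16s; returns it already advanced past them."""
    for seed in range(1 << 16):
        cand = TagRng(seed)
        if all(cand.rn16() == r for r in observed_rn16s):
            return cand
    return None


def unmask_password(observed_rn16s, covered_words):
    """Predict the next two RN16s and strip the cover-coding."""
    gen = recover_generator(observed_rn16s)
    if gen is None:
        return None
    hi = covered_words[0] ^ gen.rn16()
    lo = covered_words[1] ^ gen.rn16()
    return (hi << 16) | lo


def demo(seed16=0x1234, access_password=0xDEADBEEF):
    """Constructed scenario: seed and password are arbitrary example values."""
    tag = TagRng(seed16)
    # Phase 1: within tag-read range, the attacker captured three RN16s the
    # tag emitted in the clear (e.g. as handles during inventory rounds).
    leaked = [tag.rn16() for _ in range(3)]
    # Phase 2: from reader-eavesdropping range only, the attacker hears the
    # cover-coded access words; no other query touched the tag in between.
    covered = reader_access(tag, access_password)
    return unmask_password(leaked, covered)


if __name__ == "__main__":
    print(hex(demo()))   # recovers the access password
```

The brute force touches at most 65,536 candidate states, which is instantaneous; a generator with genuinely unpredictable output, or even a full 32 bits of seed entropy plus a non-linear output function, would not fall to this search, but a low-cost tag's generator is exactly where such corners tend to be cut.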
There is, however, a flip side to the presence of multiple communication layers in tags. If tags have distinct radio fingerprints that are sufficiently difficult to reproduce in convincing form factors, then these fingerprints could help strengthen device authentication [15]. Moreover, as we shall discuss, some proposed RFID protocols actually exploit the presence of multiple protocol layers to improve tag privacy.
E. Nomenclature and Organization
For the remainder of this survey, we classify RFID tags
according to their computational resources. In Section II, we
consider basic tags, meaning those that cannot execute standard
cryptographic operations like encryption, strong pseudorandom
number generation, and hashing. We turn our attention in
Section III to what we call symmetric-key tags. This category
includes tags that cost more than basic RFID tags, and can
perform symmetric-key cryptographic operations.
Our categorization is a rough one, of course, as it neglects
many other tag features and resources, like memory, communi-
cation speed, random-number generation, power, and so forth.
It serves our purposes, however, in demarcating available secu-
rity tools. We separately consider the problems of privacy and
authentication protocols within each of the two categories.
Devices like RFID tags for shipping-container security, high-security contactless smartcards, and RFID-enabled passports (footnote 10) can often perform public-key operations. While our

Footnote 10: Most such passports will probably not perform public-key cryptography in their first generation. But the ICAO guidelines provide for public-key challenge-response protocols.
References
Untraceable electronic mail, return addresses, and digital pseudonyms (journal article)
Physical one-way functions (journal article)
Security and Privacy Aspects of Low-Cost Radio Frequency Identification Systems (book chapter)
The Resurrecting Duckling: Security Issues for Ad-hoc Wireless Networks (book chapter)