Improved security

Scientists at the University of Massachusetts Amherst have devised a way to improve the security of radio-frequency identification tags.

Three scientists at the University of Massachusetts Amherst have devised a way to improve the security of radio-frequency identification (RFID) tags, the wireless devices that ,amongst other things, allow consumers to access buildings without pulling out their wallets.

Their work is part of a multi-disciplinary collaboration among cryptographers and engineers, called the RFID Consortium for Security and Privacy (RFID-CUSP), a research initiative funded by a $1.1m grant from the National Science Foundation to improve security for the wireless “smart tag” industry.

‘We believe we’re the first to show how a common existing circuit can both identify specific tags and protect their data,’ said university researcher Wayne Burleson.

Embedded in RFID tags are passive systems that respond automatically to electromagnetic fields produced by radio antennas trying to read the tags’ memory. This technology, while convenient, can be susceptible to breaches in security. Credit cards that use RFID technology are vulnerable to thieves who, with the appropriate equipment, can read information from the card without the victim ever taking it out of a pocket.

The team’s new security method relies on the fact that the memory cells within an RFID tag lose all the information stored in them when a power supply is removed. But when a tag is powered up, some of its memory cells fluctuate randomly between two binary states before settling onto a stable value, creating a string of unique numbers that can be used to uniquely identify the tag. Furthermore, since each tag varies slightly from all the others in some ways, due to minor dissimilarities in hardware, the variations in each tag’s memory cells can also be used for identification purposes. The tag’s producer can use these properties to distinguish between tags and detect illicitly cloned tags.

‘There’s enough complexity in each one that can give it a unique fingerprint,’ said Burleson. ‘An RFID tag has the unusual property that it’s powered up and down by an external source because it doesn’t have a battery,’ he added. ‘We exploit the powering up process and allow the tag’s physical properties to do the work.’

Burleson emphasised that the work is still in its early stages and that some issues remain unresolved, including the effects of temperature, noise and data retention on the ability to generate quality random numbers and tag identifications.

A collaboration called Trusted Reliable Embedded Networked Devices and Systems (TRENDS) will explore these issues further.

Researchers Burleson, Kevin Fu and computer engineering graduate student Dan Holcomb presented the results of their work at the annual Conference on RFID Security, which were later published in the society’s proceedings.