Quirks of RFID Memory Make for Cheap Security Scheme

18 March 2009—Radio frequency identification (RFID) chips are everywhere today: in credit cards, driver’s licenses, and passports, and stuck to pallets of inventory for big retailers like Wal-Mart. Yet some RFID tags—especially the smallest and cheapest—still have no means to prevent them from yielding up their data to any passerby with an RFID reader.

However, a soon-to-be-published report from a team of American computer scientists proposes a new RFID security measure that works by using the memory circuits already in many RFID chips.

The idea centers around the RFID chip’s intermittent operations. Lacking their own internal power, ”passive” RFIDs harvest energy from their reader’s radio waves. Because of the intermittent over-the-air power source, RFID chips power up and shut down frequently, sometimes multiple times per second, says Wayne Burleson, professor of electrical and computer engineering at the University of Massachusetts Amherst. And each time the chip powers up, its memory, in the form of static random-access memory (SRAM), resets to an assortment of zeros and ones.

Burleson’s group discovered that it could take advantage of a peculiarity of SRAM. Due to small imperfections in composition or in the manufacturing process, Burleson says, some bits will predictably become a one when powered up. Others will predictably become zeroes.

”You can exploit this by powering it up and reading out the zeroes and ones and getting a fingerprint—a unique label—for each different chip,” Burleson says.

Other bits, for the same reasons, predictably power up randomly: Essentially, a flip of the coin determines whether the bit will power up into its zero or one state.

”The unpredictable bits can be used for random-number generation,” he says. ”It turns out that a lot of cryptographic functions need ’true random numbers’—random numbers that are not reproducible.”

Armed with hundreds of bits of true random numbers and a unique numerical fingerprint coming from the other bits, an RFID chip would potentially have all the data it needs to conduct secure communications with an RFID reader, Burleson says. (Additional chips may be required to actually carry out a secure RFID system, he cautions.)

”It’s very much an accessible idea, which is the fun of it,” says Daniel Holcomb, who worked on the system for his master’s thesis. ”You can just turn on any [SRAM] chip, and there you have it.…Nearly every programmable chip has SRAM.” However, present-generation RFID price tags—the cheap end of the market—typically carry no SRAM.

”We’re looking a few years out when [supercheap RFID chips] do have SRAM,” says Holcomb, who is now a Ph.D. student at the University of California, Berkeley.

The group’s work will appear in an upcoming edition of the journal IEEE Transactions on Computers and has already been published in the online version of the journal.

For Brian Faull, lead integrated electronics engineer and an RFID expert at Mitre Corp.,  in Bedford, Mass., the attraction of the UMass group’s work is its simplicity. 

”Previous RFID [security] systems were extra additions to the system,” he says, noting that some secure RFID systems use an expensive process that writes unique identification numbers into each individual chip. The new technique, he says, just relies on the fundamental properties of SRAM. It doesn’t, of course, solve RFID security and privacy questions singlehandedly, he says. On the other hand, it’s not every day that something new can be squeezed out of nothing.