As a solution to the problems a hardware description language (Verilog) model has been built and debugged. Standard RFID system´s algorithms and a new security element are implemented in the model. The security element represents an additional tag´s operation mode. When a tag is in this mode, it broadcasts the ID in a secret form that can be precisely identified only by authorized reader. This mode is named "Closed" tag´s state. A common operation state of a tag is called "Opened" mode respectively. Switching the states is performed by applying particular commands from reader that include the tag´s ID. As a response to a reader´s query, secret IDs of the tags in a closed state are broadcasted as specific cipher-vectors.
The cipher-vectors have the following form:
S = R | (DynamicHash(R,K) xor (ID | StaticHash(ID)))
where
R - random 32-bit vector generated by a tag "on-the-run";
K - a tag´s unique 32-bit secret key, that is written to the tag´s ROM during manufacture;
ID - a unique 96-bit identification number of a tag, that if written to its ROM during manufacture;
DynamicHash(R, K) - 128-разрядный результат вычисления некоторой хеш-функции от R и K(вычисляется «на лету» в процессе антиколлизии);
DynamicHash(R, K) - 128 bit result of some hash function calculation that takes R and K as arguments. The function is calculated "on-the-run" bit-by-bit during anticollision.
StaticHash(ID) - 32-bit result of a particular hash-function calculation that takes ID as an argument. The function is calculated during the manufacture and the result is written to the tag´s ROM as it is done with ID;
| - concatenation of vectors;
xor - bit-by-bit XOR.
Assume that a legal reader will be "aware" of DynamicHash and StaticHash forms. The reader´s memory will contain a list of secret keys {K1,...,Kn} of the supported tags´ group, or the reader will have an access to a database containing this list.
On reception of S a reader shell:
- separate R and DS = (DynamicHash(R,K) xor (ID | StaticHash(ID)));
- start sweeping all known tags´ keys Ki and evaluating Dyni = DynamicHash(R,Ki);
- during one sweep Dyni and DS shall be XORed (Stati = Dyni xor DS);
- the Stati shall be split into IDi and StHshi;
- the keys search shell stop as soon as the following identity becomes true:
- StHshi = StaticHash(IDi),
- thereafter IDi will represent a unique identifier of the tag that has sent the S sequence.
Hence it is clear that an ID of a tag can still be obtained by searching (this process can be quickened in the case that an adversary knows some bits of the needed ID), however this may take several minutes, which is unacceptable in the case of on-the-run analysis (for example when tags of passing by people are scanned). Besides, if K is "lengthened", every additional bit will lead to doubling the search time.
The model given represents a new, more secure under conditions of harsh radio-tag resource restrictions, alternative of RFID system description. It enables a virtual testing of the system given and, after appliance of some modifications, can be implemented in complete devices.