HK1116278B - Device, method and system for controlling data exchange - Google Patents

Description

Device, method and system for controlling data exchange

Technical Field

The present invention relates to the control of data exchange between an entity such as a business organization and an item identification device such as an RFID tag by means of a data exchange device such as an RFID tag reader and/or writer device.

Background

Radio Frequency Identification (RFID) is currently viewed as a viable technology with great potential that can radically change the way information is processed. RFID tags are used primarily in the supply chain, automating the identification process as no line-of-sight (line-of-sight) is required in the read operation. Identity information has potential benefits in many application areas.

Generally, an RFID tag is composed of an integrated circuit having a small memory capacity and an antenna. Some tags, referred to as "active tags," have an internal power supply that is typically used to power any processing circuitry and produce an output signal. Other tags, referred to as "passive tags," do not have any internal power source. Passive tags typically harvest the energy required to respond to an input signal and generate an output signal by harvesting power from the electromagnetic field generated by the reader. Furthermore, there are tags known as "semi-active" (or sometimes "semi-passive") which typically have a small power supply that enables the tag's processing circuitry to be constantly powered. Thus, such tags do not need to collect power from the incoming signal before beginning any processing, which makes them generally able to provide a faster response than passive tags.

RFID tags typically hold identity information relating to an associated physical object (e.g., an item). When interrogated by a reader, the tag typically responds with identity information that may point to a unique location on the back-end database where detailed information about the object is stored (e.g., expiration date, manufacturing location, current location, etc.). The user may obtain this information in substantially real time.

Investigations have again shown that privacy is one of the most important concerns associated with the use of RFID technology for tagging goods. In short, if an object is tagged, anyone with an RFID reader can potentially discover information about the object, its owner, or its user without permission from the owner or user of the object. Individuals holding RFID tags may be subject to surreptitious tracking, and the tag information may be used to gather personal information and to summarize user preferences. Similarly, companies that own RFID tagged products are vulnerable to spy attacks. Competitors can track their products by simply monitoring the tag ID.

All RFID tags operate through the radio frequency spectrum that anyone within range can receive. Many of the current generation tags lack access control capability so that anyone, including malicious users, can read the information stored on the tag. A static "unique identifier" stored on the tag associates the tagged object with the individual or company that owns the object. Specific evidence of privacy concerns for RFID tags is mainly related to the following issues:

trackable capability: the unique identification number allows an unauthorized reader to track a product as it moves from one reader to another.

-information leakage: RFID tags carry information about the products associated with the RFID tags. A malicious hidden reader may collect product information without owner approval. (e.g., RFID tagged products owned by the user then provide potentially valuable information about the user's preferences.)

Researchers and industry-active molecules have studied different approaches to mitigate RFID privacy issues. Most approaches increase the cost of the tag by incorporating some additional functionality onto the tag, changing the reader-tag communication protocol, or adding new infrastructure (e.g., encryption units or application specific tags). Ideally, the solution should provide adequate privacy protection at the lowest cost.

Juels and Pappu [1] propose a method for enabling banknotes to utilize RFID. The euro's serial number is carried by the RFID tag and protected by an encryption scheme. The computing device re-encrypts the serial number making traceability of the note difficult. This approach requires a single authentication entity and, like in the supply chain case, is not compatible with multi-domain systems.

[1]A.Juels and R.Pappu.“Squealing Euros：Privacy-Protection inRFID-Enabled Banknotes”.In R.Wright，ed.，Financial Cryptography’03，pages 103-121.Springer-Verlag.2003.LNCS no.2742.

Weis, Sarma, Rivest, and Engels [2] propose several security mechanisms for improving security in RFID systems. They identify attack problems based on eavesdropping and recognize that the power of tag-to-reader communication is much weaker than that of reader-to-tag communication. The proposed scheme involves the use of a hash function and a pseudo-random number generator on the tag. The system is based on an inverse hash function query made on a back-end server.

Because of these properties, this solution is impractical for large retailers and can only be effective for owners of a relatively small number of tags. Furthermore, pseudo random number generators cannot be implemented in existing RFID tag technology.

[2]Sanjay E.Sarma，Stephen A.Weis，and Daniel W.Engels.“RFIDSystems and Security and Privacy Implications”.In Workshop onCryptographic Hardware and Embedded Systems，pages 454-470.LectureNotes in Computer Science，2002.

In "minimalist cryptography" [3a ], Juels proposes a method in which the labels contain different pre-programmed pseudonyms. By disclosing different pseudonyms in each read operation, tracking can be avoided. Authorized readers need to link to the database to associate the pseudonym to the correct ID. The main weakness of this approach is the need to update the set of pseudonyms in the tag. A more sophisticated method from NTT laboratories [3b ] involves the use of a secure hash chain table function for automatically updating the secret information contained in the tag. The basic principle of this method is that: the tag should not respond predictably to interrogation by the reader. The tag autonomously refreshes its identifier by using two hash (H and G) functions and outputs a different pseudonym at each read. The secure database may map the tag output with product information because it has access to the secret values used to generate the tag output sequence. This solution suffers from scalability issues, since it is costly to associate a pseudonym to the correct ID without a defined hierarchical naming structure.

[3a]A.Juels.“Minimalist Cryptography for RFID Tags”.In C.Blundo，ed.，Security of Communication Networks(SCN)，2004.

[3b]Miyako Ohkubo, Koutarou Suzuki and Shingo Kinoshita: for "Cryptographic Approach to" Privacy-Friendly "Tags", belived to have been found at MIT in November 2003, see:http://lasecwww.epfl.ch/ ～gavoine/download/papers/OhkuboSK-2003-mit-paper.pdf

these solutions incorporate some additional functionality onto the tag to address the lack of access control. However, the technical idea of these solutions is not clearly available. RFID tags, particularly those that are likely to be widely deployed, have several resource limitations and structural limitations.

(1) The proposal of "Juels and Pappu" requires the approach of a trusted third party and therefore can only be effective in very special situations.

(2) The "Weis et al" solution is limited by the limited amount of resources available in existing passive RFID tags.

(3) The pseudonym solution requires additional memory on the tag.

Two alternatives to the privacy and security issues encountered with RFID tags are outlined in Juels, Rivest, and Szydlo, the work on RFID Blocker tags (Blocker Tag) [4], and Juels and braiard, the work on Soft Blocking (Soft Blocking) methods [5 ]. Both of these approaches describe privacy-enhancing solutions that can mitigate some potential privacy issues.

A "blocker tag" is a destructive scheme that impedes read operations by simulating the presence of a large set of RFID tags. Which interact with a "tree-walking" or ALOHA scheme to work with a singulation process implemented in accordance with current tag reading standards. A blocker tag is a special device that a user carries around for privacy protection, which prevents the privacy tag from being read. The main drawback of this solution is the corruption of the read operation. This weakness undermines the utility of this solution.

[4]“The Blocker Tag：Selective Blocking of RFID Tags for ConsumerPrivacy”.In V.Atluri，ed.8th ACM Conference on Computer andCommunications Security，pp.103-111.ACM Press.2003.

The "Soft Blocker" method is a simple method that expresses to the reader the security preferences of the RFID tag. This requires a security agent to be set up on the reader and the tags to be sorted. For example, a tag classified as private causes a security agent on the reader to not disclose the value of the tag. In the same case, the privacy agent will filter out sensitive tag data if a tag classified by the blocker is read. The main advantage of this solution is its flexibility in policy implementation. A new privacy policy can be created arbitrarily for different situations. The main weakness is that a checking mechanism or a mandatory service is required to check whether the security agent implemented in the reader complies with the tag classification.

[5]A.Juels and J.Brainard：“Soft Blocking：Flexible Blocker Tags onthe Cheap”.In S.De Capitani di Vimercati and P.Syverson，eds.，Workshopon Privacy in the Electronic Society(WPES)，2004.

Another approach, known as the "Watchdog" tag, is discussed by Floerkemeier, Schneider and Langheinrich [6 ]. This is an active tag that overhears the communication between the reader and the tag. The watchdog tag may log identification information relating to the reader, the purpose of the read operation, and possibly the location of the reader. The collected data is then made available to the end user for inspection and verification purposes. The watchdog tag does not provide a privacy enhancement method, but may enhance the visibility of the reader-tag interaction.

[6]“Scanning with a Purpose-Supporting the Fair InformationPrinciples in RFID Protocols”，Christian Floerkemeier，Roland Schneider，Marc Langheinrich，Institute for Pervasive Computing ETH Zurich，Switzerland.

International patent application WO 2004/086290 relates to a method and system for authenticating transponders, such as transponders in RFID systems, using a device called a "verifier". An electronic "watermark" is computed for the transponder and written to the transponder. When read, the transponder provides its own data along with the watermark. The separate other device calculates the correct watermark. To authenticate the transponder, the two are compared by the verifier and the reader is informed, or the comparison is made by the reader itself.

Disclosure of Invention

According to the present invention there is provided a control device for controlling the exchange of data between a plurality of item identification devices associated therewith and a plurality of entities, each of the plurality of entities having data exchange means associated therewith for exchanging data with one or more of the plurality of item identification devices associated with the control device, the data exchange means being arranged to provide authentication data indicative of the entity with which they are associated or of a class of entities with which they are associated, the control device comprising: an access policy storage means for storing data indicative of an access policy for one or more entities or one or more classes of entities, the access policy relating to a range of entities or a class of entities permitted to exchange data with one or more of the plurality of item identification devices associated with the control means; communication receiving means for receiving authentication data from the data exchange means; authentication means for determining from the access policy storage means an access policy applicable to an entity or class of entities associated with the data exchange means in dependence on received authentication data; and communication providing means for providing to the data exchange means access data sufficient to enable data exchange between the plurality of item identification means and an entity associated with the data exchange means in accordance with an access policy applicable to the entity.

Also in accordance with the present invention, there is provided a method of controlling the exchange of data between a plurality of item identification devices associated with a control device and a plurality of entities, each of the plurality of entities having data exchange means associated therewith for exchanging data with one or more of the plurality of item identification devices associated with the control device, the data exchange means being arranged to provide authentication data indicative of the entity with which they are associated or of a class of entities with which they are associated, the method comprising the steps of: storing data indicative of an access policy for one or more entities or one or more types of entities, the access policy relating to a range of entities or a type of entities permitted to exchange data with one or more of a plurality of item identification devices associated with the control device; receiving authentication data from a data exchange device;

determining from the stored access policies an access policy applicable to an entity or class of entities associated with the data exchange device in dependence on the received authentication data; providing to the data exchange device access data sufficient to enable data exchange between the plurality of item identification devices and an entity associated with the data exchange device according to an access policy applicable to the entity.

Also in accordance with the present invention, there is provided a system for controlling the exchange of data between a plurality of entities and a plurality of item identification devices, the system comprising control means associated with the plurality of item identification devices, and one or more data exchange means associated with one or more entities or one or more classes of entities respectively; wherein the or each data exchange device comprises: means for exchanging data with one or more of a plurality of item identification devices associated with the control device; and means for providing authentication data indicative of an entity associated with the data exchange device or indicative of a class of entities associated with the data exchange device; and wherein the control device comprises: an access policy storage means for storing data indicative of an access policy for one or more entities or one or more classes of entities, the access policy relating to a range of entities or a class of entities permitted to exchange data with one or more of the plurality of item identification devices associated with the control means; communication receiving means for receiving authentication data from the data exchange means; authentication means for determining from the access policy storage means an access policy applicable to an entity or class of entities associated with the data exchange means in dependence on received authentication data; and communication providing means for providing to the data exchange means access data sufficient to enable data exchange between the plurality of item identification means and an entity associated with the data exchange means in accordance with an access policy applicable to that entity.

According to embodiments of the present invention, the necessary security and privacy requirements can be maintained without the disadvantages of the above-described prior art systems, and in particular without adding complexity to each item identification device. A system with a control device according to a preferred embodiment of the invention may have the advantage of being flexible and compatible with different RFID tag solutions. These systems can provide effective privacy protection during the transport (e.g., shipping) of products or transaction products between different areas, and can be particularly effective against surreptitious reads and product spying for large supply chain situations.

Although the preferred embodiments of the present invention relate to control devices for use in connection with RFID item identification devices (e.g., various RFID tags are known), it is contemplated that control devices according to some embodiments of the present invention may be used for use in connection with other types of item identification devices.

One of the disadvantages of existing RFID tags is that the cost of active tags that are capable of application-level processing is generally too high to apply them individually to a large number of low-cost items, whereas the available less expensive passive RFID tags are only capable of more basic functions, e.g., responding to a particular interrogation with a predetermined response. A particularly advantageous embodiment of the invention allows that the item identification means can be a simple and low-cost passive tag, but due to the function of the control means according to the invention, the level of security, privacy, etc. can be controlled and flexible as if the respective item identification means had the function of a more complex active tag.

For certain preferred embodiments, the control device may be the RFID tag itself, in which case it may be referred to as a control tag. According to such an embodiment, the control device is typically an active or at least semi-active tag in order to be able to perform the necessary functions of the control tag, but the invention is not intended to be limited to active or semi-active control devices.

It should be noted that although many of the problems of the above prior art systems are often termed privacy, in practice these problems can be considered control problems.

The control device according to the invention can be seen as implementing the "opt-in" method as opposed to the "opt-out" method used by the "stopper tag". These control devices may be viewed as providing access control so that entities just "opt-in" may access information contained in a large number of item identification devices (e.g., passive tags). These control means make it possible to transfer the access control function from a trusted third party system to the control means, which, unlike a trusted third party, can conveniently travel (actually) together with the item with which the item identification means is associated.

The role of the control device according to embodiments of the present invention may be to provide a method of securing an association between identity information stored in a set of passive tags attached to products and the real identities of these products or other information about them, possibly stored in a back-end database. The tag identity information may be protected by a security scheme such as encryption or pseudonym. The control device may first authenticate the reader device and then provide the reader with the protocol information needed to access the information contained in the passive tag.

A tag or other such item identification device may be considered to be classified as "private" or "public. This classification may enable the reader to determine which privacy policy applies to a particular tag. The public tag can send its own information to the reader without interaction with the control device. The private label may send the identity information in an encrypted format. The reader needs to authenticate itself to the control device before being allowed access to the encrypted information.

The following two cases are used to illustrate how embodiments of the present invention can be applied to two example cases, namely, the "shipping environment" and the "consumer environment".

Transportation environment

As an application example, a shelf with 100 products transported from company "a" to company "B" may be considered. Each product is labeled with an RFID tag. Company "a" classifies all tags contained on the shelf as private. It must be remembered that private tags only disclose information to authorized readers. The control device according to an embodiment of the present invention is actually mounted on the shelf. The primary function of the control means is to allow an authorized reader to access the information on the tag.

Company "a" programs the control device. Company "a" programs the control device with the certificate of company "B" and the data needed to access the identity of the product. When the shelf is delivered to company "B", the control device will authenticate the reader of company "B" with the certificate and disclose the security information. This action will provide company "B" with the information necessary to read the tags contained in the shelf. Tags classified as private during the transfer process can now be classified as public tags within the domain of company "B".

Of course, the behavior of the control device may be more complex than described above. For example, customs and transportation companies may access products or information related to such products for control as well as transportation information. This may require company "a" to delegate access to the partial information through the control device.

Consumer environment

With the exception of Juels's work [5], none of the previous privacy techniques provide any solution to the "opt-in" approach. The control means method makes it possible to block the tags at the time of sale (by encryption) and then unblock them when they enter the consumer domain. In this way, the originally blocked tag can be reused. The potential scope of new services may be enabled in a consumer environment.

Referring to fig. 1, a retail pharmaceutical environment may be considered. In a pharmaceutical environment, all tags may be private and used for inventory purposes. When a product is purchased, "ownership" of the tag may be transferred from the retailer to the consumer. The consumer's control device can then be updated with the information needed to access the tag. The user can then use the tag in healthcare applications and remote healthcare (telecare) applications.

In this case, the control apparatus can prevent disclosure of medical information and health records to an unauthorized party while maintaining the privacy of the user and the function of the tag.

In view of the above, it would be beneficial to review previous privacy enhancement techniques for RFID tags and understand the reasons for the failure of these techniques. These techniques often rely on features that are not practically feasible and solutions that assume a single control entity. Before better solutions can be more easily utilized, retailers must support the option of "canceling (kill)" tags at the time of sale. However, this option is costly, as it requires a cost in terms of technology to cancel the tag, and hinders opportunities for after-market applications. Furthermore, the user cannot manually verify whether the label has been cancelled, and may therefore prefer to have the option of controlling the product information.

When distributing products along the supply chain, multiple parties may wish to access and reuse product labels for inventory purposes or after-market applications. Companies may wish to tag their property with legacy identifiers that help them automatically associate specific products with inventory information. For example, a drug manufacturer may store a unique drug identifier in a label along with specific drug information. This information should only be accessible by certain parties (e.g., drugstores, health care services, end users, and clearing companies). Some parties (e.g., pharmacies, hospitals, etc.) may want to add more private inventory information to the label. The problem is how to ensure that the tag can only be accessed and read by authorized parties, and how to ensure that privacy is maintained?

The following evaluates which are achievable with existing solutions.

(1) One method may be: a new set of information is rewritten to the tag at each checkout and only the next owner can access the information. This is a promising solution, but is not applicable to libraries, rental industries and supply chains with rotating inventories. The manufacturing information is useful even for the recycling company and therefore should not be cleared.

(2) Another approach is to introduce a password that authenticates the reader, but unfortunately the password may be eavesdropped or collected. Cryptographic schemes also pose other problems: a single password for a labelset can be easily broken and is difficult to revoke.

For the above reasons, existing solutions are not suitable for transferring control of a tag between parties. Ownership of a product may change multiple times during the life cycle of the product, and security and privacy requirements for disclosing product information also change multiple times. To the extent necessary, the association between the owner and the tag must be secure. The privacy-preserving implementations disclosed above make it possible to view tags as having a combination of a "data set" that may contain ID and product information, and a "control set" that may contain a privacy policy that controls disclosure of the data set.

Embodiments of the present invention manage the privacy of RFID tags by a control device. The control means may upload a "control set" (access or privacy policy) and control the disclosure and/or interpretation of the tag information. When ownership of the tag and/or product is changed or temporarily transferred, the control device may associate the newly authorized reader with the tag. The model can be used in a variety of different situations and introduces a range of advantages over existing RFID privacy and security solutions.

The following paragraphs relate to security-related features of RFID tags, and how these features relate to embodiments of the present invention.

1、Association and data confidentiality. The tag should not reveal identity, product or inventory information to a reader in the dark or to an unauthorized reader. According to a preferred embodiment, the reader device must be authenticated by the control device before being able to access the tag information, and then be made to comply with the relevant privacy policy.

2、Economic feasibility. Most approaches increase the cost of the tag by incorporating some additional functionality onto the tag, changing the reader-tag communication protocol, or adding new infrastructure (e.g., encryption units or application specific tags). These solutions add significantly to the cost of passive tags. Ideally, a privacy solution should provide additional protection without adding additional cost. Two important features of the control device according to an embodiment of the invention are as follows:

(1) the control means may implement all security primitives (private) to provide access control functionality without adding technical complexity to the tag.

(2) The control device may "protect" a large number of passive tags. This feature maintains its economic advantage even if the control device is much more expensive than a normal passive tag.

(3) The control device may be removed at any point in the supply chain. When a reader is authorized to access a particular tag, the tag may be considered common to the reader.

3、Reliability of. Existing methods of incorporating an add-on or a particular tag (e.g., the "stopper tag" proposal discussed above) may be sensitive to tag orientation. The transmit power of the tag at the time of scanning depends on its area perpendicular to the antenna. If the privacy enhancing device (e.g., the stopper tag) is not well aligned, the deviceDevices sometimes fail and passive tags may reveal their identity information. The system using the control device according to the preferred embodiment of the present invention allows the tag to be "protected" without being in the field. If there is a scanning problem, the information is not disclosed. This approach protects privacy, but in some cases may prevent the use of "private" tags.

4、Flexible privacy policy. The tag information may be accessible to different participants (companies, users, etc.) during the product life cycle. In some applications, some readers may only be authorized to access a limited amount of tag information. The control means may be arranged to carry access policies for multiple parties simultaneously. According to some embodiments, when a control device is transferred from one participant to another participant, a new access policy may be uploaded. The system can be set up in the following way: so that a reader whose identity has been authenticated and whose access policy allows (for delegation purposes etc.) a write access policy can write an additional access policy to the controlling device.

The nature of RFID tag/reader communication often makes it difficult to create an effective privacy enhancing solution. One aspect of RFID interaction that is fundamentally different from online interaction is the lack of functionality such as access control, authentication, and key establishment. The RFID standard does not allow identification of the tag reader. Without an appropriate identification process, disclosure of the tag information cannot be controlled.

Typically, a reader can detect nearby tags and access plain text information on public tags, but cannot access information on private tags. The private label may contain encrypted and/or protected information. The tag typically stores a unique id (uid) and information about the product with which it is associated (physically or only nominally). Two methods can be generally distinguished:

(i) EPC method, in which a tag carries only a unique ID, and information about the manufacturer and the product type is encoded in the identifier; and

(ii) memory partitioning method in which a tag memory contains an ID identifying a product and an additional field for storing information about an object to which the tag is attached.

According to an embodiment of the invention, the reader establishes a secure communication with the control device, so that the private tag can be accessed ("read" access, "write" access, or even "read and write" access). The control device may then implement a role-based authentication scheme and verify the privacy policy. This may require storing information about the "RFID reader" identity and role. In the case of organization, a role may represent a set of functions. These functions may include the ability of a persona to read, write, add, or modify information in a tag, and depend on the privacy policy of the tag. For example, in a shipping situation, customs at a national border may be given the authority and ability to control product information and add information about taxes or taxes paid. The role of the carrier may include the ability to access the shipping information and destination information without being able to modify the information about the shipped package.

Thus, the control device may provide great flexibility in enabling the addition of functionality in the RFID system. For example, a privacy policy may require the controlling device to maintain log files of different organizations that have accessed the tag information. This allows the destination or checker to verify the shipment of the product and ensure that no unauthorized reader has access to the private information. This logging capability can help prevent and control scan operations that are in the dark given future rules and restrictions when tags are read.

As described above, role-based policies can provide different access rights to different roles as tagged products move along the supply chain. Further, when a product arrives at a new owner, new security policies may be added to the control device and new product information may be added to one or more product tags. This allows nested domains to have readers that can access tag information. This delegation feature is secure under the assumption that an authorized reader is authentic.

The control device or system administrator may grant or revoke access rights for a role directly when the product changes organization and consumer domains. In some cases, a reader may be required to be able to access the tag for a limited time. In this case, the control device may assign a special key that is valid for a limited time and will be discarded after several read operations.

Some of the main characteristics of the embodiments of the invention are summarized below:

the control means may extend the standard RFID tag-reader interaction and implement in the RFID tag the "opt-in" method as opposed to the "opt-out" method used for the "stopper tag" discussed above.

-secure transient association. Passive tags can be protected as they pass through an unauthorized domain, but can be easily associated with authorized readers through a role-based authentication process by the controlling device.

The control device may implement a role based authentication scheme. The act of granting access and specifying functions for a role (rather than a more discretionary access control method) makes it possible to manage access control rights more flexibly (scaleable). Roles can be associated with multiple organizations and multiple functions.

The control device may provide a basic security platform for implementing additional functionality (e.g., logging (described above)), disclosing additional information associated with the scanning process, and features to grant and revoke access to specific roles.

It should be noted that the concept of a control device according to the present invention can be applied to different applications involving wireless sensor networks and low resource devices. In a wireless sensor network consisting of a plurality of nodes that gather sensitive readings in military applications, for example, the control means may be used to ensure that the nodes deliver data only to the correct recipient and not to an enemy.

The reader needs to be authenticated by the control device before accessing the information on the sensor network. In the authentication phase, the control device delivers security information necessary for accessing information in the sensor network.

Drawings

FIG. 1 illustrates the concept of "data" and "control" information relating to an item, such as a pharmaceutical or other consumer product;

FIG. 2 illustrates the main elements and interactions in a system comprising a control tag, multiple ID tags, a reader and a back-end database;

FIG. 3 illustrates a possible use of control tags in a supply chain situation or a transportation environment;

FIG. 4 illustrates a system including a control device according to a preferred embodiment of the present invention;

FIG. 5 illustrates in more detail the process of interaction that may occur between a reader and a control tag and between a reader and multiple ID tags;

FIG. 6 illustrates possible characteristics of an RFID tag;

FIG. 7 illustrates a possible structure of the access policy stored on the control tag;

FIG. 8 illustrates a possible system for reader authentication and data disclosure using control tags according to an embodiment of the present invention;

fig. 9 illustrates the protection of a local domain with a local key.

Detailed Description

Preferred embodiments of the present invention will be described in more detail below with reference to the above drawings. According to embodiments to be described below, the control device will be referred to as a control tag and will be described with respect to the RFID system described below. A detailed description of the nature of the control tag and an explanation of how the access control process works is first provided. The second section relates to technical design.

FIG. 1 (discussed previously) illustrates the separation of two aspects: data and control. In general, an item identification tag may contain data or information relating to an item, relating to attributes such as: the identity of the item, characteristics of the item (e.g., price, date and place of production, destination, etc.), the current status of the item, historical data about the item, and the like. The tag reader may or may not access the item identification tag depending on whether the information is password protected, encoded, or otherwise protected. According to prior art systems, any reader with the correct password, decryption key or other access data will be able to read and/or decode/decrypt the information stored on the tag. In particular, identification tags, such as simple and inexpensive passive RFID tags, are generally not equipped with sufficient processing power to recognize or identify different tag readers or provide different responses to different tag readers. By associating a control device according to an embodiment of the invention with such a simple identification tag, such a control device enables management of the range within which different readers can exchange data (i.e. read and/or write) with the identification tag. The "range" may include: different readers are allowed to access different data levels, or to access data associated with different attributes or combinations of attributes. Alternatively, the "range" may include: different readers are allowed different types of rights, e.g. "read only", "read and write", "delegate" (see below), etc.

Details and characteristics of control tags

Referring to fig. 2, an RFID system is shown that is comprised of four elements:

(1) a plurality of radio frequency ID tags 10, each attached to or otherwise associated with a product (not shown), and each carrying a unique ID (uid) and information about the product. These ID tags are preferably inexpensive and therefore may be passive tags. These ID tags may maintain data confidentiality through encryption or pseudonymization schemes.

(2) The control tag 20, which is an active tag, functions to control access to data on the ID tag 10. The control tag 20 includes a cryptographic primitive for authenticating the reader 30 and is capable of selectively assigning a key that may enable read and/or write access to information on the passive tag.

(3) A reader or reader/writer 30 capable of reading and/or writing ID tag data and performing an appropriate authentication process using the control tag.

(4) The reader may be associated with a back end database 40 that can associate records with the ID tag information collected by the reader.

The control tag scheme extends the ID tag-reader interaction and enables access control capabilities required by low resource ID tags to protect their information. The reader 30 needs to establish secure communication with the control tag 20 to obtain authorization and receive enabling data or code for accessing private information on the ID tag.

The control tag 20 enables role-based authentication by storing information relating to the identity and role of the potential reader 30. When access is granted, the ID tag information may be accessed and/or decrypted.

Before further explaining how the control tag can implement and/or enhance the appropriate set of access policies, it is instructive to consider again the shipment of goods with reference to fig. 3, which shows a "supply chain situation".

In this embodiment, the control tag scheme allows for control of the issuance of product information as products move through multiple domains along with their associated ID tags. The access information is distributed along the supply chain in conjunction with the product. The rights to access the product information are controlled by the control tag using a role based authentication process. The control tag contains a set of rules relating to granting or denying access (which may include read and/or write access).

Referring now to fig. 4, a consignment 1 of an item (not separately shown), for example, a commodity shipped from an initial entity to a final entity via other entities (e.g., shipping organizations, warehouses, customs, etc.), is shown. Each item has an item identification device 10 (e.g., an RFID tag) attached thereto or otherwise associated therewith. Associated with shipping 1 is a control device 20. The entity (not shown) currently owning the consignment 1 has an RFID reader/writer or "data exchange device" 30, which "data exchange device" 30 has RF communication means 32 and data processing means 34. The communication device 32 includes a transmitter 321 and a receiver 322. The control device 20 also has an RF communication device 22 including a transmitter 221 and a receiver 222, and also has a data authenticator 26 and an access policy memory 28. The access policy store stores data indicating "access policies" for one or more entities, or possibly for one or more classes of entities, relating to the extent to which an entity (or class of entities) is permitted to exchange data with the item identification device 10 associated with the control device 20.

To "authenticate" itself, the transmitter 321 of the data exchange device 30 provides authentication data indicative of an entity associated with the data exchange device 30 to the control device 20. The receiver 222 of the control device 20 receives the authentication data. From this authentication data, the authenticator 26 refers to the access policy store to determine which access policy applies to the current entity (or class of entities). The transmitter 221 of the communication means 22 then provides the data exchange means 30 with access data sufficient to enable it to exchange data with the item identification device 10 on behalf of the entity with which it is associated, according to an access policy applicable to that entity. After having obtained access data suitable for enabling a desired range of access from its interaction with the control device 20, the data exchange device 30 is able to directly interact with the item identification device 10 within the permitted range, which may include sending read and/or write requests to the item identification device 10 or receiving responses from them, or other possible interactions.

The access data provided by the control device 20 may take the form of a "password" that is necessary to "trigger" a response from the item identification device 10 or unlock the item identification device 10, otherwise the item identification device 10 will not reveal their security data. In this case, the above interaction between the data exchange device 30 and the control device 20 will occur before the interaction between the data exchange device 30 and the article identification device 10. Alternatively, the access data provided by the control device 20 may take the form of a "key" that is necessary to decode the response from the item identification device 10, otherwise the data is only compromised in a form that is not meaningful to readers and/or entities that do not have the key. In this case, the above interaction between the data exchange device 30 and the control device 20 may occur before or after the interaction between the data exchange device 30 and the article identification device 10. For greater security, the access data may include both types of data, or may include other types that allow other forms of security protection.

Fig. 5 illustrates in more detail the process of interaction that may occur between the reader R and the control tag a and between the reader R and any of the plurality of ID tags T. According to this embodiment, the reader R may interact with the ID tag T before (rather than after) interacting with the control tag a.

Fig. 5a introduces the references S1, S2, S3 and S4 to be used below and shows how these interactions correspond to those described above in relation to fig. 4, respectively. Interactions S3 and S4 involve exchanges between reader R and control tag a. Interactions S1 and S2 involve an exchange between reader R and any one of a plurality of ID tags T associated with control tag a.

Fig. 5b shows a flow chart further illustrating fig. 5 a. The steps of the flow chart will be described below:

step Z1: a first connection S1 is established between the respective communication means of the reader R and the ID tag T.

Step Z2: an information codeword S2 is sent from the protected ID tag T to the reader R.

If the transmitted codeword is found to be protected by the security scheme, the process continues to the authorization step:

step Z3: in step Z3, an authorization request is generated, for example by associating the role certificate information of the reader R with the code word sent by the tag. However, only a portion of the codeword may need to be sent.

Step Z4: an authorization request is sent from the reader R to the control device a.

Step Z5: in the subsequent step, if the control device a finds that the information in step Z3 is valid, the control device a issues access data to the reader device R.

Step Z6: the reader R then performs this access to data or functions.

Fig. 5c illustrates a situation where the control device a has issued access data to the reader R.

Fig. 5d illustrates the operation required when the reader R wants to access one of the ID tags T more than once, or wants to access more than one of the ID tags.

In some embodiments, such as the embodiment shown in fig. 5d, the authentication process with control device a need only be performed the first time. In this case, the reader R does not need to contact the control device a multiple times, thus improving the efficiency of the reading operation.

Different levels of security may be selected or required for each interaction. For example, the following security levels may be used:

s1 connection and message in plain text form (without security measures).

-sending S2 codewords with the following security measures:

pseudonyms for ID information

Encryption of other data information

-sending S3 and S4 over a secure communication channel. The protocol used depends on the communication protocol of the control tag. The control tag may use: 802.11a, 802.11b, 802.11g, bluetooth, 802.15.4, or other protocols.

Control tag summary

First, the control tag gains control over the ID tag. The policy and common secret associated with the ID tag are uploaded in the control tag. Policy association causes the control tag to control the ID tag. The policy may be uploaded in different ways. For example, it may be assumed that the control tag is similar to a bluetooth device. It may be assumed that the control tag obtains the association through a radio communication channel. In which case a certificate exchange protocol is required. Then, a mechanism to associate the control tag to the ID tag is required. In a consumer situation application, the tag may be in the vicinity of a dedicated reader that verifies the ID tag and queries the database or previous control tags for the policy. The new control tag then acquires the correct information over the radio channel.

Second, the control tag delegates access. The main feature of the control tag is the ability to delegate access and manage access control. When a tag needs to be read by a reader, the reader may receive permission from a controlling tag to read the tag for a variable amount of time. For example, where the ID tag is protected by an access password or encryption, the control tag may delegate access to the password or key. This scheme supports the control tag and the reader to re-write the tag's access code each time the control tag is delegated to a new reader.

RFID tag characteristics

Before describing the control tag in more detail, some general features and characteristics of RFID tag technology will be discussed with reference to FIG. 6. In current applications, RFID systems in the UHF band (860MHz to 960MHz) may have a range of up to about 7 meters. In the HF band (13.56MHz), the range falls to 1 meter or 2 meters. Once a tag is in range of a reader, the tag may prepare to transmit the information contained in its memory. In the case where multiple tags are present, an anti-collision protocol may be required to allow read operations. Some prior art techniques use "Aloha" type methods or deterministic methods such as "binary tree walking" protocols.

As specified by the ISO/IEC 18000 standard, a tag may contain a register set that can be written to and read by an interrogator, and a tag set that can be used for special purposes (sleep, write _ err, write _ prot, etc.). The scanner may use the read command to access information stored in the tag.

One register may be assumed to contain "session id" (or policy id) information; this information may maintain the association between the item identification tag and the control tag. Other registers may contain the product information and the universal ID code in an encrypted format. The indicia may inform the reader whether the information is public or private.

The fields contained in the RFID tag may need to be combined with the control tag so that the information in the tag can be kept private until a secure association is established. As will be seen in the following section, different levels of security and privacy may be achieved depending on the mechanism implemented.

Controlling tag-privacy policy uploading

As described above, when a reader wants to access information on a tag, it is necessary to contact the control tag. Once the identity of the reader is authenticated, the reader may request security information for accessing the tag.

When the control tag and the owner of the ID tag wish to control the tag control ID tag, the control tag must acquire all the information necessary to perform the control operation. This information may contain a key for encryption/pseudonym, a password for access control, a kill password for kill command, and an access control policy for the reader, and should be transmitted in a secure manner.

A role-based authentication scheme may be used that manages access rights for reader applications. Each reader may be associated to one or more roles and each role may be assigned to read or write data related to one or more types or fields of information in an ID tag. The reader certificate may bring information about the identity of the reader, its role, and the actual operator (e.g., a company or other such entity). The certificate should be globally unique and allow the control tag to establish a secure relationship with the reader.

If sufficient battery power is available, communication between the reader and the control tag can be over a standard communication protocol for low power devices (e.g., Zigbee or Bluetooth or even 802.11 a/b/g). The communication channel security (confidentiality and authentication characteristics) is assumed.

The root certificate may need to be installed, for example, when creating or assigning control labels to consignments of goods. Such a root certificate may always need to be present for administrative purposes. The "owner" of the root certificate may be a trusted third party. It may then be necessary to upload different privacy policies and key information for different tags. A role requiring access to a particular RFID tag may need to upload and associate the certificate with the particular tag.

The control tag can be viewed as an object with a range of associated methods (i.e., rights to access the RFID tag). A role-based policy is a statement that specifies, for each of the available actions, which credentials the reader/scanner should provide to persuade the control tag to grant its access to the RFID tag information.

Delegation of

Referring to fig. 7, a role having rights associated with a particular ID tag and/or its information may be given the right to delegate some or all of these rights to another role. The ability to manage such delegation should be prudent. A role, when uploading a new policy, is typically only able to delegate access to information that it has access to itself, or to delegate rights it has. Thus, a trusted role is typically only granted access to the same (or a lesser) amount of rights or information than a trusted role. This approach enables interaction between peers and enhances the flexibility of the proposed solution.

For example, in the shipping environment described above with reference to FIG. 3, company "A" may upload privacy policies for ID tags on various products.

(1) Company "a" may upload company "B"'s credentials to the control tag in association with the "session id" information and security information of the access tag. If company "B" is the final destination, it can be assumed that company B is likely to have the same access rights as company A.

(2) Privacy policies may also grant access to the carrier. A role certificate specifying which information the carrier should access will be uploaded. The carrier may delegate the access to a third party carrier.

(3) The privacy policy may grant access rights to customs so that the product may be automatically checked as it passes through national boundaries. The role may, for example, provide the right to write information in the ID tag, for example to indicate that a tariff or tax has been paid.

Reader authentication and data publication

As mentioned above, the preferred embodiment of the system assumes that the tag information on each item tag is protected by a unique security key, with the control tag providing the correct key or password to the reader to access the correct data. Referring to fig. 8, the scheme may work as follows:

at initialization, each item tag is given a session ID, which is a number that is meaningless in inventory or product information, but which allows the control tag and the item tag to be associated. This solves the problem of knowing which key should be disclosed. The session ID may be used to maintain an association between the item tag and the control tag. Static session IDs may allow tracking. If tracking is considered a problem, a dynamic session ID that is refreshed at each read operation in a manner similar in some respects to the "pseudonym" approach outlined in [3] above may be used.

(1) During a read operation, an ID tag (e.g., an RFID item tag) sends a message (S _ ID, private) consisting of "session ID" information.

(2) The reader then interrogates the control tag with a "pair" (certificate, S _ ID) (i.e., two types of information: certificate corresponding to access policy and "session ID" information, S _ ID) over the secure communication channel. If the certificate is approved, the control tag discloses a key (S _ ID, K1, K2, K3.., Kn) that accesses the confidential information stored in the ID tag.

(3) The reader then interrogates the ID tag (S _ ID) to obtain the information contained in the different registers. This information is sent in encrypted form and is not disclosed at the time of the read operation (S _ ID, data-1, data-2, data-3.., data-n). Upon receiving the information, the reader decrypts the information using the key disclosed by the control tag.

In summary, the control tag according to the preferred embodiment allows the tag-reader interaction to be extended, implementing the "opt-in" method to protect the information stored in the ID tag. A method of establishing a secure transient association may thus be provided such that tag information is only accessible by authorized roles. A particular advantage of this solution is that no modifications of existing RFID technology are necessary. Suitable methods may be used to be compatible with RFID tag levels 0, 1, 2, etc.

There are still some problems that may warrant further attention. The tagged product can still be tracked by the static "session ID" field and the static data information stored in the register. Moreover, the revocation (revocation) problem has not been solved so far. When the control tag publishes the security key information, the ID tag may become common to the reader that receives it, and thus the right may not be revoked.

Local key method-for trace protection and revocation control

To address the above issues, some form of dynamic capability may be added to the scheme. This may require adding some basic security functions to the item ID tag. The tag can store an additional key and perform a simple encryption function.

Referring to fig. 9, one solution is to add a local key that is shared between the reader, the control tag, and the item tag. When an item label is transferred to a new domain (changing label ownership), the local key is changed. The basic idea of this method is to employ re-encryption such that the "encrypted text" of the label is superficially changed while the implied plain text remains unchanged. With this approach, tag information can only be disclosed to readers that share a local key.

The local key can be easily shared between the reader and the control tag via a secure communication channel. Sharing secrets with item tags, however, is a difficult problem.

One of the problems with sharing a "secret" is that a passive eavesdropper can eavesdrop on the key sharing operation. Two possible solutions to this problem are outlined here:

the reader writes the password on the read-only register of the tag by means of a very short-range protocol (surface contact reader). Therefore, the eavesdropper cannot eavesdrop on the communication.

Molnar and Wagner [7] propose a method that employs asymmetric communication between a tag and a reader. The tags initiate communication with a random number that can only be heard by the reader, and share a local key based on the random number.

The method may provide the following features:

(1) allowing one-to-one secure communication between the reader and the tag. Temporarily revoking access rights to other roles.

(2) Changing the local key may improve the prevention of tracking. Changing the local key more often reduces the likelihood of tracking.

Assume now that the local key X is shared between the reader, the item ID tag and the control tag. Store X in a local register and assume E is a simple low resource encryption function implemented on the ID tag.

The preceding protocol may be modified in the following manner:

a. during the reading operation, the ID tag sends a message (E (S _ ID), private) consisting of "ID" information encrypted with the local key X. The local key X has been shared between the reader and the ID tag using one of the above two methods.

b. The reader then interrogates the control tag with a pair (certificate, S _ ID) over a secure communication channel. The reader obtains (S _ ID, K1, K2, K3. It should be noted that K1, K2,.. and Kn are keys used to decrypt information contained in data-1, data-2,. and data-n.

c. The reader then interrogates the ID tag. The ID tag sends information that is re-encrypted with a local key so that a malicious reader cannot track the tag. The ID tag sends a message: (E (S _ ID), E (data-1), E (data-2), E (data-3),.., E (data-n)). Upon receiving the information, the reader decrypts the information using the key disclosed by the control tag.

[7]Privacy and Security in Library RFID，David Molnar，David Wagner，University of California of Berkeley.

Claims (20)

1. A control device for controlling the exchange of data between a plurality of item identification devices associated therewith and a plurality of entities, each of the plurality of entities having data exchange means associated therewith for exchanging data with one or more of the plurality of item identification devices associated with the control device, the data exchange means being arranged to provide authentication data indicative of the entity with which they are associated or of a class of entities with which they are associated, the control device comprising:

an access policy storage means for storing data indicative of an access policy for one or more entities or one or more classes of entities, the access policy relating to a range of entities or a class of entities permitted to exchange data with one or more of the plurality of item identification devices associated with the control means;

communication receiving means for receiving authentication data from the data exchange means;

authentication means for determining from the access policy storage means an access policy applicable to an entity or class of entities associated with the data exchange means in dependence on received authentication data; and

communication providing means for providing access data to the data exchange means sufficient to enable data exchange between the plurality of item identification means and an entity associated with the data exchange means in accordance with an access policy applicable to the entity.

2. A control device according to claim 1, arranged to provide and/or receive radio frequency data.

3. The control device according to claim 1 or 2, wherein the control device is an active RFID device.

4. The control device of claim 1, wherein the plurality of item identification devices are radio frequency devices.

5. The control device of claim 1, wherein the plurality of item identification devices are passive or semi-active RFID devices.

6. The control device of claim 1, the plurality of item identification devices being arranged to provide data regarding one or more items associated with the plurality of item identification devices.

7. A control apparatus according to claim 6, the plurality of item identification devices being arranged to provide item identification data.

8. A control apparatus according to claim 6, the plurality of item identification devices being arranged to provide item status data.

9. The control device of claim 1, the data exchange device being a radio frequency reader device.

10. The control device of claim 1, said data exchange device being a radio frequency writer device.

11. The control device of claim 1, said data exchange device being a radio frequency reader and writer device.

12. The control device of claim 1, wherein the access data provided is sufficient to enable decoding of encoded data provided by the plurality of item identification devices.

13. The control device of claim 1, wherein the access data provided is sufficient to enable the plurality of item identification devices to provide data.

14. The control device of claim 1, wherein the access data provided is sufficient to cause the plurality of item identification devices to store data.

15. The control device of claim 1, wherein the data exchanged between the plurality of item identification devices and the plurality of entities comprises data relating to one or more of a plurality of attributes.

16. A control device according to claim 15, wherein the access policy indicates an attribute or combination of attributes for which an entity or class of entities is permitted to exchange data with a plurality of item identification devices associated with the control device.

17. The control device of claim 15, wherein the access policy indicates whether an entity or class of entities is permitted read, write, or read and write access to data associated with the one or more attributes.

18. The control device of claim 1, wherein the access policy indicates whether an entity or a class of entities is granted delegate authority.

19. A method for controlling data exchange between a plurality of item identification devices associated with a control device and a plurality of entities, each of the plurality of entities having associated therewith a data exchange device for exchanging data with one or more of the plurality of item identification devices associated with the control device, the data exchange device being arranged to provide authentication data indicative of the entity with which they are associated or indicative of a class of entities with which they are associated, the method comprising the steps of:

storing data indicative of an access policy for one or more entities or one or more types of entities, the access policy relating to a range of entities or a type of entities permitted to exchange data with one or more of a plurality of item identification devices associated with the control device;

receiving authentication data from a data exchange device;

determining from the stored access policies an access policy applicable to an entity or class of entities associated with the data exchange device in dependence on the received authentication data;

providing to the data exchange device access data sufficient to enable data exchange between the plurality of item identification devices and an entity associated with the data exchange device according to an access policy applicable to the entity.

20. A system for controlling data exchange between a plurality of entities and a plurality of item identification devices, the system comprising a control device associated with the plurality of item identification devices, and one or more data exchange devices associated with one or more entities or one or more classes of entities, respectively; wherein the or each data exchange device comprises:

means for exchanging data with one or more of a plurality of item identification devices associated with the control device; and

means for providing authentication data indicative of an entity associated with the data exchange device or indicative of a class of entities associated with the data exchange device;

and wherein the control device comprises:

an access policy storage means for storing data indicative of an access policy for one or more entities or one or more classes of entities, the access policy relating to a range of entities or a class of entities permitted to exchange data with one or more of the plurality of item identification devices associated with the control means;

communication receiving means for receiving authentication data from the data exchange means;

authentication means for determining from the access policy storage means an access policy applicable to an entity or class of entities associated with the data exchange means in dependence on received authentication data; and

communication providing means for providing access data to the data exchange means sufficient to enable data exchange between the plurality of item identification means and an entity associated with the data exchange means in accordance with an access policy applicable to that entity.