
1 Introduction

Because of computational constraints on many RFID tags, classical cryptographic primitives such as block ciphers and asymmetric cryptography were thought to be unrealistic on a low-resource tag [8]. To this end, many lightweight cryptographic protocols have been proposed [3, 5, 14–16, 18, 19]. However, many such protocols have serious vulnerabilities [6, 10, 11]. Moreover, the lack of a development platform makes it difficult to determine the feasibility of proposed cryptographic schemes. Thus, a popular approach is to minimize cryptographic operations to ensure feasibility on an RFID tag. This minimalist approach [8] can leave spare computational resources unused. An open question is then how to best maximize the security on an RFID tag to fully utilize available computational resources.

Our approach to maximizing security relies on low-power microcontrollers. Continuous improvements in efficiency of microelectronics (i.e., required energy per instruction) now enable wirelessly powered, general-purpose microcontrollers—infeasible at any reasonable range a few years ago. Such microcontrollers make traditional cryptographic methods more feasible on RFID tags.

Using a maximalist approach to cryptography, our results show that an RF-powered UHF tag can perform strong encryption. We provide preliminary experimental results of implementing RC5-32/18/16 [23] on WISP (Wireless Identification and Sensing Platform) [26], a battery-free platform powered and read by a standards-compliant UHF RFID reader running the EPC Class 1 Gen 2 protocol. Our contributions include:

  1. We provide preliminary experimental data on how much computation is available on a microcontroller-based RFID tag.

  2. We show that symmetric cryptography is feasible on an RF-powered, general-purpose RFID tag. To the best of our knowledge, this is the first implementation of conventional cryptography on an RF-powered UHF RFID tag.

This book chapter is based on a paper [4] presented at the RFIDsec 2007 conference. That paper gives measurements based on an earlier version of the WISP, which uses the MSP430F1232. With only 256 bytes of RAM available, the older WISP allowed only 12 rounds of RC5. The platform used in this chapter is the new WISP 4.1, which has more RAM available and allows more rounds of RC5 (up to 51).

2 Background on WISP Architecture

This section provides a condensed background on the WISP, more fully described in [25, 26]. The WISP and its block diagram appear in Fig. 1. An antenna and impedance matching circuit precede the analog front end. The power harvester block rectifies incoming RF energy into DC voltage to power the system. The demodulator follows the envelope of the RF carrier wave to extract the Amplitude-Shift-Keyed (ASK) data. This extracted baseband waveform is read by the MSP430 microcontroller to receive downlink data from the reader. Uplink data is sent via the modulator circuit, which functions by changing the antenna impedance. The WISP is made of a two-layer FR4 PCB with components limited to the top side. A dipole antenna made of 22 gauge (0.6 mm diameter) copper magnet wire is visible. Small header pins expose all ports of the microcontroller for expansion to daughter boards, external sensors, and peripherals.

Fig. 1 WISP [25, 26] is a batteryless, microcontroller-based UHF tag that implements RFID protocols in software. WISP uses a TI MSP430 microcontroller and minimal analog circuitry to function as a UHF RFID tag.

2.1 Analog Front End and Tuning

Due to the relatively high power consumption of WISP, its rectifier is designed to supply more current than that of ordinary tags. The circuit is excited by commercial, EPC Class 1 Generation 2 compliant readers operating at 902–928 MHz with an allowable transmission power of 4 W EIRP (Effective Isotropic Radiated Power).

Efficient conversion of the incoming RF energy to DC power for the tag maximizes range. A matching network provides maximum power transfer from the antenna to the rectifier, and a five-stage voltage doubling circuit converts the incoming power to voltage. Low threshold RF Schottky diodes maximize the voltage output of the rectifier. Finally, this rectified DC voltage is stored in a large capacitor and supplied to a 1.8 V regulator to power the WISP.

2.2 Demodulation and Modulation

To encode reader-to-tag data, the reader amplitude-modulates the 915 MHz RF carrier wave it emits. Normally the carrier waveform remains at a constant amplitude; when bits are transmitted, the amplitude of the carrier drops to approximately ten percent of its normal value. The duration of the low “break” indicates a logical “one” or a “zero.” A short break (1.78 µs) indicates a “zero,” and a long break (5.34 µs) indicates a “one.” To decode this data, the RF signal is fed through a small (two-stage) voltage doubling rectifier in parallel with the main (five-stage) harvester. We call the two-stage harvester the “mini-harvester.” The time constant of the mini-harvester is much smaller than that of the main harvester, allowing it to track the dynamic range of the incoming bits. The first two voltage doubling stages of the mini-harvester, in conjunction with a lowpass filter, effectively demodulate the 915 MHz carrier, and leave a baseband data signal on the order of 70 kHz. A final “extra” diode performs an additional rectification step, removing the 70 kHz data signal and leaving a slowly varying average power level (i.e., just fast enough so that it can change on the timescale that the tag moves in space, say 10 Hz) that provides a dynamic reference for bit detection.

The 70 kHz data signal is fed through a Schmitt trigger inverter that thresholds this waveform to remove noise and glitches. Finally, a level shifter converts the relative magnitude of the incoming data waveform into a 1.8 V logic level for the MSP430. The slowly varying average power signal serves as the power supply for the Schmitt trigger and level shifter.

RFID tags do not actively transmit radio signals. Instead they modulate the impedance of their antenna which causes a change in the amount of energy reflected back to the reader. This modulated reflection is typically called backscatter radiation. In order to change the impedance of the antenna, a transistor is placed between the two branches of the dipole antenna. When the transistor conducts current, it short circuits the two branches of the antenna together, changing the antenna impedance; in the non-conducting state, the transistor has no effect on the antenna, and thus the power harvesting and data downlink functions occur as if it were not present. This impedance modulation is currently implemented with a 5 GHz RF bipolar junction transistor which allows for effective shunting of the 915 MHz carrier wave.

2.3 Digital Section and Power Conditioning

The WISP’s general-purpose computation capabilities are provided by an ultra-low-power microcontroller, the TI MSP430F2132. This 16-bit device has just over 8 KB of flash memory, 512 bytes of RAM, and a 10-bit, 200 kilosamples-per-second analog-to-digital converter (ADC). The WISP 4.1 runs the MSP430 at 6 MHz with a 1.8 V supply voltage.

In active operation at 1.8 V, the microcontroller consumes approximately 690 µA to 1.4 mA. Erasing and writing flash both require approximately 1 mA. Reading from flash requires no additional power above ordinary active-mode operation. The flash in the MSP430’s information memory must be erased in 64-byte blocks; its main memory is erased in 512-byte blocks. Bytes are individually writable. Erasing flash takes more time, and therefore more energy, than writing or reading it. Erasing a block requires 1.24 ms; writing a byte takes 7.7 µs; reading a byte from flash requires no more time than accessing RAM.

The MSP430 has various low-power modes that are very useful for wirelessly powered operation. Its lowest-power mode, “RAM-retention mode,” which stops all computation but maintains state, requires only 0.1 µA at 1.6 V. The low power consumption of this relatively new device is a critical factor in enabling use of a general-purpose microcontroller in RF-powered RFID systems.

3 Related Work

Because of the resource-constrained nature of nodes in sensor networks, many of the design criteria for their security coincide with those for RFID tags. SPINS [17] and TinySec [9] both present experimental data on implementation of security protocols in sensor networks. Both works implemented RC5 as their block cipher because of its small code size and high efficiency, and they show that RC5 provides a balance between security and performance for sensor networks. Although sensor nodes have limited resources, general-purpose RFID tags are even more limited in memory, power, and computing capabilities. Sensor nodes like the Mica2 platform have their own power source onboard, and they have orders of magnitude more storage. Table 1 provides a side-by-side comparison of different devices with RF interfaces. WISP is most comparable to general-purpose RFID tags such as EPC Gen1 and Gen2.

Table 1 Comparison of WISP with other RFID devices

There are many HF tags capable of cryptography because of their common usage in building access control and authentication applications [12]. HF tags can afford to be more expensive in terms of manufacturing cost and therefore provide stronger cryptography, because of the demand for tags with built-in security and privacy mechanisms; this is usually achieved with a separate cryptographic engine. Israsena proposes the Tiny Encryption Algorithm (TEA) as a suitable encryption engine for low-cost RFID applications [7]. Three different architectures for the TEA encryption algorithm are presented that fit within a five-cent-per-tag cost budget. Aigner and Feldhofer discuss their results on an implementation of Tiny AES (TINA) as an ASIC [2]. Although both systems comply with stringent requirements for low-cost RFID systems (average current consumption below 10 µA), they depend on separate special-purpose circuitry. While ASICs are efficient in terms of power consumption and cost, they are inflexible and limited to a narrow set of applications. Because of this inflexibility, the cost of prototyping and development is relatively high, making them difficult and time-consuming to realize in actual applications. To the best of our knowledge, our system provides the first UHF RFID tag that uses a general-purpose microcontroller to provide cryptographic capabilities under nontrivial computational constraints.

Despite the extreme resource limitations of UHF tags, Mementos [21] makes energy- and/or time-intensive computations possible on programmable RFID tags by dividing the workload across power life cycles. The Mementos system opens the door to conventional cryptographic algorithms with no requirement for software modifications. Complementarily, systems like CCCP [24] show that already developed security schemes can be employed on WISP if the capacity of the tag is fully exploited and the cryptographic algorithms are chosen carefully.

4 Measurements and Estimates of Computation and Power Consumption

In this section, we demonstrate that symmetric cryptography is feasible on microcontroller-based RFID tags through an empirical study of RC5-32/18/16 on the WISP. Experimental data shows how much computation is available on WISP with varying workloads. Although WISP is relatively power inefficient compared to ASIC designs, the logic gate count of WISP is comparable to an EPC UHF tag—enabling a reasonable measurement of computational capabilities and limitations of an RFID tag.

4.1 Measurements of Computation and Symmetric Cryptography

To show the feasibility of classical cryptography on a general-purpose RFID tag, we present experimental results of implementing RC5 on WISP. We chose RC5 because of its simplicity and relatively small memory requirements. RC5 is implemented with 32-bit words, 18 rounds, and a 16-byte secret key; the secret key is stored in flash. Even with careful choices of block cipher parameters, there are practical challenges in implementing RC5 on such a resource-constrained platform. Because RAM is extremely limited (512 bytes), minimizing stack size is crucial. For instance, our first implementation overflowed the stack immediately upon running the key scheduler. Since RC5 requires an expanded key table of 2(r + 1) words, where r is the number of rounds, careful memory planning is required to avoid unnecessary memory writes. The current implementation uses essentially all of the RAM: the expanded key table (2(r + 1) × 4 bytes, i.e., 152 bytes for r = 18) is kept in RAM along with just enough room for the stack. One way to avoid a stack overflow would be to use a precomputed expanded key table. As long as the secret key remains the same, the table can be precomputed and stored in ROM or flash without hurting performance, since reading from flash or ROM takes the same power and cycles as reading from RAM. In our implementation, we compute the expanded key table once after every hardware reset: the key table is computed during the first active cycle and kept in RAM unless WISP reaches the brownout voltage. This decision rests on the assumption that the secret key is unlikely to change while an RFID reader is polling.

All three major functions of RC5—setupKey(), encrypt(), and decrypt()—have been implemented and measured on WISP. Our data comes from running WISP at 3 MHz at 1.8 V. setupKey() is executed once after hardware reset, and the 64-bit ID value is encrypted or decrypted once every duty cycle (e.g., during the “Generate Packet” stage in Fig. 2).

Fig. 2 WISP lifecycle

The duty cycling is controlled by a hardware voltage supervisor. The supervisor generates an interrupt by toggling a microcontroller input high to indicate sufficient voltage for operation. When the supervisor detects a voltage of 2.0 V or greater, the microcontroller is enabled and a computation is initiated. At the end of the computation, if the voltage is between 1.8 V and 2.0 V, the microcontroller enters a very low-power (RAM-retention only) mode. While in this low-power mode, the harvester recharges the supply capacitor back to 2.0 V for the next computation. Below 1.8 V, a hardware reset is generated by the insufficient-voltage indicator output of the voltage regulator.

Figure 3 depicts a typical lifecycle of WISP with RC5 encryption enabled and voltage level patterns throughout the WISP duty cycle after a hardware reset, captured by an oscilloscope. WISP is in active mode during “Generate Packet” and “Transmit and Receive” stages.

Fig. 3 An annotated scope trace of WISP execution and power consumption. The solid line is the supply voltage VOUT, in 2 V increments on the y-axis. While the reader is ON (i.e., sending queries), the WISP’s voltage level steps up. The voltage supervisor wakes the WISP from LP4 when the voltage level exceeds 2.0 V, and the WISP begins its computation (“Generate Packet”). When the reader receives the WISP’s response, it stops sending queries, cutting off RF power to the WISP; this is observed as the gradual decline of voltage at the right side of the figure. The WISP first enters LP4 and then resets as the voltage level falls below the minimum operating voltage. The total latency from 0 V until the end of the RF response transmission is approximately two seconds in this case.

Table 2 presents the execution time and the energy consumption for the three operations of RC5 on WISP tags operating at a distance of 1 foot (0.3 m). The time measurements are the mean of five separate trials of execution after a hardware reset. An external power supply charges the WISP to 4.5 V and then lets the WISP run each function using the energy stored in the capacitor.

Table 2 Execution time for operations in RC5 with 32-bit words, 18 rounds, and a 16-byte secret key on a WISP tag. Table notes: the WISP received uninterrupted power; encryption operates on 64-bit messages.

4.2 Estimates of Maximal Computation and Measurements of the Effect of Flash Writes on Computation

Figure 4 provides an estimate of available microcontroller instructions versus wireless distance. The model used to generate this plot is based on experimental data of WISP performance, on the Friis transmission equation, and on published microcontroller power consumption specifications.

Fig. 4 This estimate shows the computation available in one active cycle, where the power harvester charges a 10 µF capacitor to its peak value and then the microcontroller enters active mode, discharging the capacitor down to the minimum operating voltage. The Instructions Available line ends abruptly at the distance where the harvester is no longer able to supply the microcontroller’s minimum operating voltage.

The Friis transmission equation provides an estimate of power received as a function of distance from the transmitter, transmit power, antenna gains, and wavelength:

$$P_{R} = P_{T} - 20\log \left (\frac{4\pi d} {\lambda } \right ) + G_{T} + G_{R}.$$
(1)

The RFID reader power is $P_T = 30$ dBm; the receive and transmit antenna gains are $G_R = 2$ dBi and $G_T = 6$ dBi, respectively. The wavelength is $\lambda = 0.33$ m at 915 MHz. Using the Friis equation with these parameters, we can find the expected power available as a function of distance.

In [25], experimental data of output voltage as a function of input power for the WISP power harvester is given. This data, together with the Friis equation, allows us to predict the WISP’s output voltage $V_{rec}$ as a function of distance $d$. The data captures the finite efficiency of the WISP harvester: an ideal, lossless harvester could produce any desired voltage if it were able to accumulate energy long enough, whereas actual WISP devices reach a steady-state voltage at which power lost and power harvested balance.

The TI MSP430 data sheet specifies its current consumption for given voltage and operating frequencies. This allows us to calculate its energy per instruction: 281 pJ per instruction at $V_{dd} = 1.8$ V or 900 pJ per instruction at $V_{dd} = 3.0$ V.

Of the energy stored in the WISP’s storage capacitor, only the portion corresponding to the voltage above the microcontroller’s minimum operating voltage is usable. If the capacitor is initially charged to $V_{rec}$ and the minimum operating voltage is $V_{dd}$, then $\frac{1}{2} C V_{rec}^{2} - \frac{1}{2} C V_{dd}^{2}$ joules are available to run the computation. Using the previously calculated dependence of $V_{rec}$ on distance, we find energy available as a function of distance. Dividing by energy per instruction gives the number of instructions as a function of distance.

Our actual measurements in Fig. 5 show the relationship between reader-to-tag distance and the number of cycles available in one duty cycle under varying workloads of flash writes to the MSP430 information memory. While Fig. 4 provides an estimated upper bound on how much computation WISP can afford, Fig. 5 shows how many cycles remain after flash writes of different sizes. For consistency, the experiment involves two steps, initialization and measurement. During initialization, the WISP’s flash memory is checked to determine whether it is in the erased state, and the flash is wiped (all bits set to ‘1’) before each measurement is taken. During measurement, WISP consumes power writing to flash and then raises an output bit in a loop until it runs out of power completely (brownout voltage of 1.5 V). Each bit raise appears as a pulse on the oscilloscope. Since raising a bit requires four cycles, counting the pulses gives the number of cycles available after writing a given number of bytes to flash. Note that only a minimal set of operations is performed during the “Generate Packet” stage in this experiment (e.g., preloading the 64-bit ID into an array); there is no RC5 or CRC computation.

Fig. 5 Preliminary measurements of the number of cycles available after writing to flash, computed after a minimal set of operations during the “Generate Packet” stage and without tag response over RF. Each data point represents a mean of ten samples.

We observed that at short read ranges the number of available cycles does not differ significantly across flash-write sizes. At the medium range of 0.5 m, the power consumed by a flash write causes a significant decrease in available computation. Beyond 0.75 m, WISP cannot reach the minimum operating voltage of 2.7 V required for flash writes, so the plot lines for flash writes end abruptly. These measurements are preliminary, and further research is necessary to determine a more precise relationship between flash writes, erase segment sizes, and computation. One conclusion already holds, however: unnecessary writes to flash at midrange distances significantly reduce available computation.

5 Conclusions

Our preliminary experimental data shows that UHF RFID tags with cryptographic capabilities are no longer infeasible. Although our experimental platform exceeds the current EPC UHF Class 1 tags in terms of computing power and storage, we believe that the device is comparable and a good representation of the future of UHF RFID tags. We believe that the trend in microelectronics will continue to bring power-efficient and cost-effective microcontrollers capable of more sophisticated computation. We hope that our work will encourage further research to determine the feasibility of maximal-strength cryptography with actual power measurements of RF-powered UHF RFID tags—beyond algorithmic estimates of space and running times.