Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                

901393

Download as pdf
Download as pdf
You are on page 1of 5
Electromagnetic Emissions and Performance for Proximity RFID Jeff R Guerrieri' David R. Novotny', Michael H. Francis", Kato Remley! ‘Electromagnetics Division, National Institut of Standards and Technology 325 Broadway, Boulder, CO 80308, USA juerrierieboulder. et gov wslder nit .cov franciegpoulder.niet.gov renleyaboulder nist gov Absiract— We examined the electromagnetic emissions, and performance of commercial High-Frequency (HE) proximity Radio Frequency Ideatifeation (RFID) systems including their susceptibility to jamming and eavesdropping. These proximity RFID systems are used in an increasing number of Financial identification, and access control applications. We performed Investigations of whether transactions can be Aetected and read at a distance. The measurements were performed to determine the power radiated by commercial systems and how they perform in adverse electromagnetic (EM) environments, LINTRODUCTION High Frequency (HF) proximity Radio Frequency Identification (RFID) systems are used in an increasing umber of eritical applications such as financial transactions (credit cards), access control, identity verification, and inventory ‘tracking, Some of ‘these applications involve the transfer of proprietary or biometric information. ‘The privacy of information and reliability of the transmission lnk is very important. These preliminary measurements show how detectable these transactions are at certain distances and ther resistance to interference from outside sources, HF proximity RFID systems operate in the 13.56 MHz Industrial, Scientific, and Medical (ISM) band and are primarily’ govemed by Intemational Standards Organization (ISO) standards 14443, 15693, 18000-3 and 18092 [I-4]. This ISM band also coatains systems such as high power plasma generators, medical telemetry equipment, and other unlicensed communication equipment. Operational compatibility with these types of systems is necessary for low-power RFID to function correctly, LHF proximity RFID systems are designed to operate at a range of 10.em oF les. This range is limited by the level of field available to power a passive tag. Limits are placed on allovable transmitted field levels at a given distance (7.5 Alm at 37.5 mm from the antenna). ‘WS Goverament Work NotSubjon To US Copyright 1997 ‘The practical effect is that standard-compliant HF proximity RFID has a limited transaction range on the order of 10 to 20 em. However, the information transmited by a remotely powered tag and reader can be detected at greater distances 5] ‘The measurements in [6] highlight the operating conditions in which these commercial RFID systems can be used. Some basic issues regarding security and the range at which a transaction can be detected are reported in {7,8} Note that eavesdropping is defined for this paper as remotely detecting and deciphering 2 legitimate reader-to- tag transaction using another system. Skimming, which refers tothe use of a remote reader to sureptitiously query a tag at along distance (possibly without the tag holder's consent) isnot addressed in this paper. Il, PROTOCOL and BACKGROUND HF RFID systems operating at 13.56 MHz come in two forms: vicinity and proximity. Proximity tags generally requite more power to operate, but they can involve much ‘more information and functionality (for example: active encryption, limited amounts of processing power, data storage and retrieval). The power requirements for sctvation and operation limit the operating distance to less than 20 om, Vicinity tags are a simple read device that will send back a limited number of bits (I 10 64) at lower data rates. They are employed in seenarios such as inventory control and theft deterrence systems. Their limited functionality requires less power and can be used in the 2 ‘to 5 meter range. This study focuses on proximity systems. Consequently, HF RFID is assumed to be HF proximity RFID from this point forward inthe paper. ‘There are many types of proximity systems operating at 13.56MHz. They usually differ in communication protocol: the ISO compliant “type A” and “type BY systems, the “GO-card” used in some fare and. transit systems, and the “type C” card used mostly in Asian fare and tariff systems. We will further focus our study on the analysis of the “type A” and “type B” tags, as they are ‘more widely used and utilize ISO conformance standards. Il, HF PROXIMITY EMISSIONS and SUSCEPTIBILITY A. RFID Emissions HF proximity readevinterrogators transmit a carrier frequency, fof 13.56 Milz modulated ata data rate, fy, of| fL2B=108.9375 kHz, £I64-211.875 kHz, f/92 = 42375 lz, or //16=847.5 ki ‘The HF RFID tags modulate a backscattered carrier to produce sub-carier transmissions back to the reader a. £f/16 = 13.56 0.8475 MHlz= 14.4075 and 12.7125 MElz “These sub-cartiers are modulated at one of the data rates available to the interrogator. We recognize that the lower side-band modulation falls into a martime-mobile band, and the upper side-band modulation falls into an aviation band, Furthermore, the relatively wide modulation bandwidth of the carir frequency ean smear energy from the reader over a bandwidth of 13.56 MHz fi. Similarly, the tag radiates in the 12.7125 MHz f, to 144075 MHz: orange. While the very low power emissions ftom the tag are probably of litle concen to maritime or aviation applications, the modulation spll-over from the reader ean bbe much higher and may extend beyond the ISM limited 13.56 MHZ 7 kiiz, It comes very close to the prohibited radio astronomy band between 13.36 and 13.41 MHz. Patents are now being issued for ISM communications and nonstandard tagging systems that suppress effects of RFID sidebands and limit system susceptibility 9} Figue | Typia SO 1443 ype A emission spectrum. The top graphs ‘ow ts ene twe-nayconstuniaion inboth he me dona ‘nd euoney domain ght). The eaer-onag query inte mile, fndthe ng-terende responsi at te bot. Note that fe reader mst ‘nan the carter sgl or te psive lg ean nega B. HE Eavesdropping and Jamming In Figure 1 and Figure 2, we see that the 13.56 MHz carrer is on during the entite transaction, delivering power 1998 to the tag. ‘The cartier is modulated to send information to the tags. Since the tag lacks a power source and only ‘modulates its loop antenna load to seater back information, the retuned signal is small compared to the carrier (typically 60 dB less than the carrier ata distance beyond 10 em) Eavesdropping systems must be able to distinguish the very weak fag response from the relatively strong carrier response, Aggressive filtering allows an eavesdropper to detect the tag in the presence of the reader at moderate distances (over several meters), Since HF RFID systems typically ely on relatively low power transmissions, they may be susceptible to interference from intentional jamming and unintentional sources. Jamming can occur By interrupting the reader-to- tag communications by interfering with the carrier and/or the reader information, Jamming can also occur by interfering with the tageto-reader transaction. ‘The reader transmits at several watts and is inthe very near-field ofthe tag. Therefore, to overcome the carrier signal at the tag requires @ considerable amount of power if jamming is done at a distance. As tageto-reader power levels are orders ‘of magnitude less than the cartier, itis easier to upset the transaction by overpowering the weakest link in the RF power budget. igure 2 Typical iSO 1445 ype emission spectrum. The top graphs how the en tvo-vay commutation bah fe tine-domain eh). ‘hd eqeney dona igh) ‘The ender ng gor is he mie, hd the tngto-ende response feat be tom. Tha ag ronda ‘ont pase modulated CW eursignal tf. o= 133648475 MBE IV, MEASUREMENTS and RESULTS A. Eavesdropping The eavesdropping research was performed on a commercial off-the-shelf (COTS) reader and COTS tags. We chose several tags including a type A tag with 16 KB of memory that has a processor capable of performing fairly complex computational and encryption tasks used for RFID financial transactions. The reader and the tag are coupled loops that are typically axially aligned in the same plane. To study the RFID emissions, the orientation of the reader and tag was kept constant and the eavesdropping anteana was moved relative to them. Since the pattems of the reader and the tag antennas are those of small loops, we can assume that the radiation patterns conform to the simple loop fields siven by Harrington [10]: “oS cf = o ak GF Hire ris the distance from the tag to an outside point and @ is the elevation angle, both illustrated in Figure 3. is the ccurent in the loops, S$ is the surface area, 17 is the impedance of free space, and kis the wave number. 1s om Rite Reader _ Ble Ange \ Tag, Figure3, Relative dtstions for xveséroping on an HF RED syst, ‘When lott the reader, couplings bast ow elation sles (8-05 ‘When fre avy approaching waveeogh (20m), exvesdroping shold Be mor efient st (250 For short distances, r, the axial magnetic field, Hy, is stronger than the @ directed field, Ha At larger distances, the 1/ dependence of Hdominates. So, we expect that at close distances (h) eavesdropping should be easier in the plane of the reader antenna (Figure S). Bavesdeopping / Figue ¢. Oxenaton for shor discs (14) eavestopping (0-09, 1999 Endep ne Se im i Pipe 5 Orrin fr lng dss (1) ervey (8-907) We used a single 1 m loop with a capacitive bridge to _atch the 50 0 input ofthe receiving system. The receiver ‘nominally had 60 dB of gain at the subcarrier f. + f/16 and had 70 dB of relative rejection atthe carrer ffequency J- This allowed for detection ofthe carier modulation and the tag response while suppressing the carrier power. Our tests showed that ifa tag response of 6 dB above the noise floor is captured the information in the signal could be reliably decoded. This set the criterion for a successful eavesdropping session Figure 6 shows the raw output of the eavesdropping. antenna at 2 m. Without filtering, the reeder modulation can easily be distinguished, but the tag response cannot. After receiver filtering, shown in Figure 7, the tag and reader are both distinguishable and the information ean be decoded, igre 6, Raw signal rzaved by the eavesdropping antenna. Here the tag resposecanot be eiinguised. Figure 7 Reslsof an eavestopped ype A aanaon at 2m ditanoe fle ering othe ere. Toe burs on he ef the tases nthe Samir modslton, The but onthe ight the ag ripen Teble I summarizes the resuls ofthe eavesdropping tests. Otter groups have reported considerably longer range results in more idealized testing environments. We limited these tests t using low-cost COTS equipment, small anteanas, and performed these tests in @ non-ideal, RF clutered environment. Also by placing the tag at an ‘optimal distance from the reader antenna, the RFID system ‘an be tuned to maximally radiate outwatd (which was not done for this ts), ‘Table I also. shows that the ‘eavesdropping, distance is stronaly ted to tag design. We saw litle variation between these tags in the activation Field (el level to turn on the tag), but we saw appreciable ‘variations inthe eavesdropping distance. TABLET EAVESDROPPING RESULTS for TYPE A TAGS Manica | — Tag] Enveappng | Favestopring runier | disaneet (009 | diane at (0-00%) (osFig 5) tx) _| (ae ig 6) 1 | Aor 65 15 1___| aooz 65 1s 2] A003, 3.0 9 2 TAooe 3.0 9 2 Aoos: 3.0 9 3 A006: 6.0 8 ‘A007 6.0 8 B.Jamming To test the communications reliability of these HF RFID systems, they were subjected to in-band energy. Previous swept frequency measurements indicate vulnerabilities only near the frequency band of operation. We show that jamming at the carrier and sub-earrers would provide the Dest opportunity to upset the communication between the reader and tag. We used three types of antennas: (1) a set of dual 1 m Joop antennas, (2) a single 15 em ISO 10373-6 standard Proximity Coupling Device (PCD) loop, and (3) a set of dual 15 em ISO 1037346 standard PCD loops, shown in ure 8, Each antenna was tuned to the frequency of the Jamming signal (runing between tests were required). The ‘1m loops represent an easily deployable and relatively efficient transmit configuration. The 15 em loops represent a small device with less radiation efficiency, or a nearby RFID system. ‘One scenario studied was jamming at the carrier or reader ‘wansmit frequency, £.. Other scenarios include jamming at the upper and lower sub-cartiers or the tag backscatter frequency, fe To ensure maximum readability ofthe tag signal by the reader and to present the most difficult upset scenario for the jammer, the tag was placed in close proximity to the reader antenna (within the limits ofthe reader geometry < 05 cm). Ifthe tag is further from the reader but still within its nominal operating range (<10 em), the transaction is 2000 much easier to upset as the tag backscatter falls off very rapidly with distance in the near-field. Figure Stacked PCD antennas, A diagram of the jamming system is shown in Figure 9. ‘Three basic wavefoims were used to mimic probable threat scenarios, A continuous wave (CW) source at, f a CW ‘carer atthe sub-carier equency, f+ f,,and a CW carier at the sub-carier frequency, f¢ +f, modulated at fi 0 ‘mimic a nearby reader or tag. ‘The power delivered to the antenna wes monitored to censure that the tuning was correct. ‘The system was considered upset when consistent failures were noted. Some HF RFID systems have robust data failure and retry algorithms; only consistent deta failures assure upset coger E=]—

You might also like