Tag Authentication

Tag Authentication

RFID tag genuineness." data-category="Security">Tag authentication is the process of cryptographically verifying that an RFID tag is genuine and has not been cloned or tampered with. It goes beyond simply reading the tag's EPC or TID Memory — authentication proves that the tag possesses a secret key that is embedded in the silicon and cannot be extracted or copied. Tag authentication is the cornerstone of RFID-based anti-counterfeiting programmes in pharmaceuticals, luxury goods, and aerospace.

Why EPC Alone Is Not Enough

Reading an EPC only proves that a tag carries a particular identifier. Since epc-memory/" class="glossary-term-link" data-term="EPC Memory" data-definition="Writable tag memory for item identity." data-category="Data & Encoding">EPC Memory is writable, an attacker can programme any blank tag with a valid EPC. Even TID Memory verification, while harder to spoof (because TID is factory-locked), only confirms the chip model and serial — it does not prove that the tag is the original one associated with a specific product.

Tag authentication closes this gap by requiring the tag to prove knowledge of a secret key through a crypto suite challenge-response protocol. The key is stored in a protected area of the tag IC silicon that cannot be read through the air interface or extracted through physical probing (in properly designed ICs).

Authentication Methods

Symmetric (AES-128): The reader and tag share a secret key. The reader sends a random challenge, the tag encrypts it, and the reader verifies the response. This is the approach used by NXP UCODE DNA and is defined in ISO 29167 crypto suites. Symmetric authentication requires a key management infrastructure — every tag must be provisioned with a unique key, and readers must have access to the key database.

Asymmetric (public-key): Some newer ICs support elliptic-curve cryptography where the tag holds a private key and the reader verifies using the corresponding public key. This simplifies key distribution because the public key can be shared freely. However, asymmetric crypto requires more silicon and more power from the RF field.

Proprietary: Impinj's Protected Mode and NXP's NTAG DNA offer manufacturer-specific authentication schemes that may combine password-based access with cryptographic verification.

Authentication in Practice

A typical pharmaceutical anti-counterfeiting deployment works as follows:

1. At manufacturing, each tag is encoded with an SGTIN and provisioned with a unique AES-128 key.
2. The key and SGTIN are registered in a cloud authentication service.
3. At each supply chain checkpoint (distributor, wholesaler, pharmacy), the reader performs mutual authentication to verify the tag's genuineness.
4. The authentication result is recorded as an EPCIS event, creating an auditable chain of custody.
5. If authentication fails, the item is quarantined for investigation.

Performance Considerations

Cryptographic authentication adds latency to the tag interaction — typically 50-200 ms per tag depending on the algorithm and IC. In high-throughput environments such as source tagging lines or portal readers, this overhead is significant. Deployments must decide whether to authenticate every tag on every read (maximum security, lower throughput) or sample a percentage of tags (faster, with statistical confidence).