Processing math: 100%
J. Semicond. > 2016, Volume 37 > Issue 7 > 075003

SEMICONDUCTOR INTEGRATED CIRCUITS

A dual-mode secure UHF RFID tag with a crypto engine in 0.13-μm CMOS

Tao Yang, Linghao Zhu, Xi Tan, Junyu Wang, Lirong Zheng and Hao Min

+ Author Affiliations

 Corresponding author: Wang Junyu, Email: junyuwang@fudan.edu.cn

DOI: 10.1088/1674-4926/37/7/075003

PDF

Abstract: An ultra-high-frequency (UHF) radio frequency identification (RFID) secure tag chip with a non-crypto mode and a crypto mode is presented. During the supply chain management, the tag works in the non-crypto mode in which the on-chip crypto engine is not enabled and the tag chip has a sensitivity of -12.8 dBm for long range communication. At the point of sales (POS), the tag will be switched to the crypto mode in order to protect the privacy of customers. In the crypto mode, an advanced encryption standard (AES) crypto engine is enabled and the sensitivity of the tag chip is switched to +2 dBm for short range communication, which is a method of physical protection. The tag chip is implemented and verified in a standard 0.13-μm CMOS process.

Key words: UHFRFIDtagsecurity

Ultra-high-frequency (UHF) radio frequency identification (RFID) tags conforming to electronic product code (EPC) class 1 generation 2 version 1 (EPC C1 Gen2v1) protocol[1] have been widely used in supply chain management. In order to protect consumers' privacy,such tags can be disabled at the point of sales (POS) by using the Kill command,which makes the information about the product no longer accessible. Recently,tagging of clothes,food,medicines,and luxuries after the POS is becoming popular in our daily life,which means these tags should not be simply killed at the POS. However,attacks to these tags may reveal sensitive information of customers,such as health condition,hobbies,locations,etc.,which should be protected with the help of an on-chip crypto engine. A CMOS security-enhanced passive tag is reported with sensitivities of -12 dBm and -11.6 dBm in insecure and secure modes[2],but no read range protection is considered. Actually,the required read range of tags after the POS are usually much shorter than that in supply chain management. Thereby,the data in the tag can be protected by password-controlled command and the short-range protection[3].

In this work,a dual-mode secure tag with an on-chip crypto engine is proposed to meet the needs of both the supply chain management and the security of user's privacy. The none-crypto mode with long-range read range is used for supply chain management; while the crypto mode with a much shorter read range is used as a physical protection to prevent readers farther than roughly 1.3 meters reading the tag,which will be explained in Section 2. In the non-crypto mode,the sensitivity is -12.8 dBm,the embedded secure engine stays inactive,and the baseband works according to the EPC generation 2 version 1 (Gen2v1) protocol[1]. In the crypto mode,the embedded secure engine is activated and the tag bears a shorter read range due to reduced sensitivity (+2 dBm),which is an additional physical protection for the private data in the tag. At the POS,instead of being killed,the proposed tag is switched to the crypto mode. In the crypto mode,the tag will only respond to commands specified in EPC generation 2 version 2 (Gen2v2) protocol[4] and behave according to the mutual authentication protocol specified in International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 9798-2 Mechanism 4.

The remainder of this paper is organized as follows. Section 2 presents the system analysis and architecture of the dual-mode secure tag. The circuit implementation of the tag is shown in Section 3,and experimental results are presented in Section 4. Finally,conclusions are given in Section 5.

In a passive RFID system,the tag is powered up by the RF signal radiated from a reader. Thereby,the read range of the tag is limited by the RF power transmission[5]. The minimum RF signal strength needed to power up the tag chip is the sensitivity of the tag. For a tag with a sensitivity of Psen ,the read range ( d ) can be calculated with the help of Friis transmission equation,which gives the relation between Psen and d :

Psen=EIRPreaderGtag(λ4πd)2,

((1))

where EIRP reader is the effective isotropic radiation power (EIRP) of a reader, Gtag is the antenna gain of the tag. Equation (1) is plotted in Figure 1,in which EIRP reader = 4 W,and Gtag = 0 dBi.

Note that as the sensitivity increases,the read range gets extended. Generally,passive tags are usually designed with higher sensitivity to increase the read range[6, 7, 8]. For secure tags,the functions and circuit design are much more complex,thus need more power to operate correctly. Typically,the sensitivity of secure tags lies around -10 dBm[2, 9].

In this work,the dual-mode secure tag is designed with different sensitivity in the non-crypto mode and the crypto mode. In the non-crypto mode,the measured sensitivity of the proposed tag lies around -12.8 dBm,which corresponds to a 7.2 m read range under 4 W (36 dBm) EIRP. In the crypto mode,the measured sensitivity is +2 dBm,which corresponds to a much shorter read range (1.3 m) under the same situation. Thereby,in the crypto mode,the private information in the tag can be protected by an additional physical protection. Both situations are shown in Figure 1.

Figure  .  Tag received power versus communication distance

The fully integrated dual-mode secure tag consists of a dual-sensitivity analog front end and a digital baseband as shown in Figure 2. Note that the received RF signal gets into the tag through a differential port (ANT+ and ANT-).

Figure  .  System architecture of the proposed tag

The analog frontend includes a rectifier,a regulator with a shunt regulator,a demodulator,a modulator,a power-on-reset (POR),a clock generator (CLK)[10],and a shunt resistor ( Rshunt ). Other necessary blocks such as voltage reference generator and low drop-out regulator (LDO) in the analog front end are similar to conventional UHF RFID passive tags and they are not shown in the diagram of the tag. Note that a shunt resistor is added at the output of the regulator,and it is controlled through a switch S0 by the baseband signal EN,which decides the switch from the non-crypto mode to the crypto-mode. In the non-crypto mode, S0 is OFF,and all the DC power is used to feed the baseband. In the crypto mode, S0 is ON,and the shunt resistor ( Rshunt = 2 k Ω ) is parallel with the digital baseband. In this way,the converted DC current ( IDD ) is bypassed by Rshunt ( IS ). Then,in order to provide enough DC current for the digital baseband,more RF input power is needed at the input of the analog front end,which degrades the sensitivity.

The digital baseband is constructed by three function modules including a EPC Gen2v1 baseband,a EPC Gen2v2 baseband with an AES engine and memory. Some blocks in the function module are shared in the non-crypto mode and the crypto mode to reduce the chip area. In the non-crypto mode,the embedded secure engine stays inactive,and the baseband works according to the EPC Gen2v1 protocol[1]. In the crypto mode,the embedded secure engine is activated and the tag will only respond to commands specified in EPC Gen2v2 protocol[4] and behave according to the mutual authentication protocol specified in ISO/IEC 9798-2 Mechanism 4.

The rectifier is shown in Figure 3(a),which has a cross-coupled bridge configuration and is driven by a differential RF input signal,which is widely used in UHF RFID tags[5, 11, 12]. The increase in stage number ( N ) causes a higher output DC voltage ( VDD ). In this work, N is chosen to be 4 based on the load condition. A simple shunt regulator is shown in Figure 3 (b). The shunt regulator is used to keep the highest VDD lower than 2 V. In the shunt regulator,a diode-connected transistor M3 is stacked on the main discharge transistor M1 to avoid breakdown. Since the input RF signal is amplitude modulated with a modulation depth from 80% to 100%[1],a storage capacitor ( Cstorage ) is connected at the rectifier output to provide power for the chip during the time period when the input RF signal is absent. The simulated VDD is shown in Figure 4,in which the baseband is modeled by a load resistor RL = 50 k Ω based on its estimated power consumption. Note that the maximum VDD is limited lower than 2 V.

Figure  .  The schematics of the rectifier and the shunt regulator
Figure  .  Simulated output DC voltage with RL = 50 k Ω .

The amplitude shift keying (ASK) demodulator consists of an envelope detector,a low pass filter network ( R1 / C1 / R2 / C2 ) and a hysteresis comparator as shown in Figure 5. The envelope is detected by a rectifier-like topology with static threshold compensation technique[13]. A peak detector together with divider is used in Reference [14] to generate the reference voltage for the negative input of the hysteresis comparator. In this work,it is replaced by two simple low pass filters,which is simpler and more power efficient. The hysteresis is accomplished by using the internal positive feedback as shown in Figure 5(b)[15]. The input and output waveforms of the comparator are also shown in Figure 5(a) to illustrate the operation of the demodulator.

Figure  .  (a) ASK demodulator. (b) Hysteresis comparator.

The functional block diagram of the digital baseband is shown in Figure 6. DEMOD and DECODE are used to handle pulse-interval encoding (PIE) signals demodulated from the analog frontend. CONTROL acts as the state machine and gives out signals to control other modules in different scenarios. The CRC module performs a cyclic redundancy check for the tag baseband. MEMORY is the memory to store tag parameters and security related information. MOD and OCU modules handle the reply messages and the FM0 (bi-phase space) modulation. PRNG is a pseudo random number generator. CLK_CON is implemented as the clock control module to cut unnecessary power consumption. AES_CTRL,AES and REG FILE form the secure engine to deal with the encryption/decryption in the crypto mode and they are active only in the crypto mode.

Figure  .  The digital baseband in the tag IC.

The baseband works in two modes. In the non-crypto mode,the digital baseband works as a standard EPC G2V1 baseband,and is capable of communicating with existing standard EPC C1G2 readers in long-range management applications. In the crypto mode,crypto commands are involved in the reader commands,and the secure engine would be activated to provide a decryption session key. In this mode,the digital baseband works as a standard EPC G2V2 baseband with security considerations based on an advanced encryption standard (AES) secure engine to protect the customer's private information.

A customized command named Crypto_En is designed to switch the tag from the non-crypto mode to the crypto mode. Table 1 depicts the structure of the switch command. With the correct Crypto_En commands detected,the tag will be switched into the crypto mode. In this case,the baseband will activate the secure AES engine,and turn the S0 ON in the analog frontend. After switching to the crypto mode,an authentication is required in prior to any privacy involved communication.

Table  1.  The Crypto_En command structure.
DownLoad: CSV  | Show Table

The dual-mode secure tag is fabricated in a standard 0.13- μ m CMOS process,which consists of an analog front end,a digital baseband with an on-chip AES engine and a memory block as shown in Figure 7. The chip area is 1.416 × 1.148 mm 2 including pads for testing and some configurable options. A signal generator is used to transmit a continuous wave (CW) to power up the tag,and the reader command is implemented using a commercial field-programmable gate array (FPGA) chip.

Figure  .  Die photo of the dual-mode secure tag.

The measured output DC voltages of the tag in the non-crypto mode and the crypto mode versus input power sweep are shown in Figure 8. The minimum required supply voltage of the baseband is 0.8 V. The sensitivities are estimated at 0.8~V output voltage as -12.8 dBm and +2 dBm for the non-crypto mode and the crypto mode,respectively.

Figure  .  The measured output DC voltages of the tag in the non-crypto mode and the crypto mode with input power sweep.

In the non-crypto mode,the tag works as a standard EPC G2V1 tag,and the measured link timing is shown in Figure 9,which follows the EPC G2V1 protocol[1]. The measured command sequence of the non-crypto mode to the crypto mode switch is shown in Figure 10. The reader sends two successive Cypto_En commands (1st Crypto_En and 2nd Crypto_En) to switch the tag from the non-crypto mode to the crypto mode. The HANDLE in the tag reply after the 2nd Crypto_En reader command indicates a successful switch action. After the successful command sequence,the AES engine in the baseband is enabled,and the baseband works in the crypto mode.

Figure  .  Link timing in the non-crypto mode.
Figure  .  The switching action from the non-crypto mode to the crypto mode.

In the crypto mode,an authentication flow is needed before the reader reads the private information in the tag's memory. The authentication flow complies with ISO/IEC 9798-2 Mechanism 4. As shown in Figure 11,the reader sends commands named AUTHENTICATE_1 and AUTHENTICATE_2 to which the tag responds with a CHALLENGE. The HANDLE after the CHALLENGE indicates a successful mutual authenticate in the crypto mode.

Figure  .  The measured link timing in the crypto mode.

The measured power consumption of the baseband in standard non-crypto mode and crypto mode is 11.36 μ W and 17.84~ μ W,respectively. Finally,the proposed dual-mode tag is compared with other works in Table 2.

Table  2.  Performance summary and comparison.
DownLoad: CSV  | Show Table

A dual-mode secure tag including the non-crypto mode and the crypto mode is presented in this work. The non-crypto mode works with a high sensitivity (-12.8 dBm) for long range management applications. The crypto mode with an on-chip crypto engine is designed to protect the user's privacy,and the tag in the crypto mode works with a low sensitivity (+2 dBm) for short range as a physical protection to prevent readers further than roughly 1.3 meters reading the tag.



[1]
EPCglobal. Radio-frequency identity protocols class-1 generation-2 UHF RFID protocol for communications at 860 MHz-960 MHz version 1.2.02004
[2]
[3]
Impinj. Monza 4 Tag Chip Datasheet
[4]
EPCglobal. Radio-Frequency identity protocols Generation-2 UHF RFID specification for RFID air interface protocol for communications at 860 MHz-960 MHz Version 2.0.0 Ratified 2013
[5]
[6]
[7]
[8]
[9]
[10]
[11]
[12]
[13]
[14]
[15]
.  Tag received power versus communication distance

.  System architecture of the proposed tag

.  The schematics of the rectifier and the shunt regulator

.  Simulated output DC voltage with RL = 50 k Ω .

.  (a) ASK demodulator. (b) Hysteresis comparator.

.  The digital baseband in the tag IC.

.  Die photo of the dual-mode secure tag.

.  The measured output DC voltages of the tag in the non-crypto mode and the crypto mode with input power sweep.

.  Link timing in the non-crypto mode.

.  The switching action from the non-crypto mode to the crypto mode.

.  The measured link timing in the crypto mode.

Table 1.   The Crypto_En command structure.

DownLoad: CSV

Table 2.   Performance summary and comparison.

DownLoad: CSV
[1]
EPCglobal. Radio-frequency identity protocols class-1 generation-2 UHF RFID protocol for communications at 860 MHz-960 MHz version 1.2.02004
[2]
[3]
Impinj. Monza 4 Tag Chip Datasheet
[4]
EPCglobal. Radio-Frequency identity protocols Generation-2 UHF RFID specification for RFID air interface protocol for communications at 860 MHz-960 MHz Version 2.0.0 Ratified 2013
[5]
[6]
[7]
[8]
[9]
[10]
[11]
[12]
[13]
[14]
[15]
1

A novel power-on-reset circuit for passive UHF RFID tag chip

Ang Wang, Lina Yu, Dehua Wu, Shibo Fu, Wanlin Gao, et al.

Journal of Semiconductors, 2018, 39(12): 125003. doi: 10.1088/1674-4926/39/12/125003

2

Design and implementation of a high sensitivity fully integrated passive UHF RFID tag

Shoucheng Li, Xin'an Wang, Ke Lin, Jingpeng Shen, Jinhai Zhang, et al.

Journal of Semiconductors, 2014, 35(10): 105010. doi: 10.1088/1674-4926/35/10/105010

3

A voltage regulator system with dynamic bandwidth boosting for passive UHF RFID transponders

Jinpeng Shen, Xin'an Wang, Shan Liu, Shoucheng Li, Zhengkun Ruan, et al.

Journal of Semiconductors, 2013, 34(10): 105004. doi: 10.1088/1674-4926/34/10/105004

4

A passive UHF RFID tag chip with a dual-resolution temperature sensor in a 0.18 μm standard CMOS process

Feng Peng, Zhang Qi, Wu Nanjian

Journal of Semiconductors, 2011, 32(11): 115013. doi: 10.1088/1674-4926/32/11/115013

5

A current-mode voltage regulator with an embedded sub-threshold reference for a passive UHF RFID transponder

Liu Zhongqi, Zhang Chun, Li Yongming, Wang Zhihua

Journal of Semiconductors, 2010, 31(6): 065006. doi: 10.1088/1674-4926/31/6/065006

6

Analysis and design of power efficient semi-passive RFID tag

Che Wenyi, Guan Shuo, Wang Xiao, Xiong Tingwen, Xi Jingtian, et al.

Journal of Semiconductors, 2010, 31(7): 075013. doi: 10.1088/1674-4926/31/7/075013

7

Low modulation index RF signal detection for a passive UHF RFID transponder

Liu Zhongqi, Zhang Chun, Li Yongming, Wang Zhihua

Journal of Semiconductors, 2009, 30(9): 095005. doi: 10.1088/1674-4926/30/9/095005

8

Design of an ultra-low-power digital processor for passive UHF RFID tags

Shi Wanggen, Zhuang Yiqi, Li Xiaoming, Wang Xianghua, Jin Zhao, et al.

Journal of Semiconductors, 2009, 30(4): 045004. doi: 10.1088/1674-4926/30/4/045004

9

Low-cost low-power UHF RFID tag with on-chip antenna

Xi Jingtian, Yan Na, Che Wenyi, Xu Conghui, Wang Xiao, et al.

Journal of Semiconductors, 2009, 30(7): 075012. doi: 10.1088/1674-4926/30/7/075012

10

CMOS Implementation of an RF PLL Synthesizer for Use in RFID Systems

Xie Weifu, Li Yongming, Zhang Chun, Wang Zhihua

Journal of Semiconductors, 2008, 29(8): 1595-1601.

11

A Low Voltage,Low Power RF/Analog Front-End Circuit for Passive UHF RFID Tags

Che Wenyi, Yan Na, Yang Yuqing, Min Hao

Journal of Semiconductors, 2008, 29(3): 433-437.

12

Design of a Modulator and Demodulator for UHF RFID Readers

Gao Tianbao, Wang Jingchao, Zhang Chun, Li Yongming, Wang Zhihua, et al.

Journal of Semiconductors, 2008, 29(7): 1403-1406.

13

A Low-Voltage, High Efficiency Power Generation Structure for UHF RFID

Pang Zegui, Zhuang Yiqi, Li Xiaoming, Li Jun

Journal of Semiconductors, 2008, 29(2): 293-297.

14

A Novel Impedance Matching Approach for Passive UHF RFID Transponder ICs

Chen Liying, Mao Luhong, Wu Shunhua, Zheng Xuan

Journal of Semiconductors, 2008, 29(3): 516-520.

15

A Low Power,Large Dynamic Range 915MHz Passive RFID Tag

Bai Rongrong, Li Yongming, Zhang Chun, Wang Zhihua

Chinese Journal of Semiconductors , 2007, 28(8): 1316-1319.

16

A Novel Verification Development Platform for PassiveUHF RFID Tag

Chen Liying, Hou Chunping, Mao Luhong, Wu Shunhua, Xu Zhenmei, et al.

Chinese Journal of Semiconductors , 2007, 28(11): 1696-1700.

17

Design of an Analog Front End for Passive UHF RFID Transponder IC

Chen Liying, Wu Shunhua, Mao Luhong, Hao Xianren

Chinese Journal of Semiconductors , 2007, 28(5): 686-691.

18

Small Size,Low Power RFID RF Front End Circuit Design

Zhou Shenghua, Yang Zhichao, Wu Nanjian, Li Meiyun

Chinese Journal of Semiconductors , 2006, 27(S1): 361-364.

19

Design and Analysis of Analog Front-End of Passive RFID Transponders

Hu Jianyun, He Yan, Min Hao

Chinese Journal of Semiconductors , 2006, 27(6): 999-1005.

20

An Ultralow-Voltage,Low-Power Baseband Processor for UHF RFID Tags

He Yan, Hu Jianyun, Min Hao

Chinese Journal of Semiconductors , 2006, 27(10): 1866-1871.

  • Search

    Advanced Search >>

    GET CITATION

    Tao Yang, Linghao Zhu, Xi Tan, Junyu Wang, Lirong Zheng, Hao Min. A dual-mode secure UHF RFID tag with a crypto engine in 0.13-μm CMOS[J]. Journal of Semiconductors, 2016, 37(7): 075003. doi: 10.1088/1674-4926/37/7/075003
    T Yang, L H Zhu, X Tan, J Y Wang, L R Zheng, H Min. A dual-mode secure UHF RFID tag with a crypto engine in 0.13-μm CMOS[J]. J. Semicond., 2016, 37(7): 075003. doi: 10.1088/1674-4926/37/7/075003.
    shu

    Export: BibTex EndNote

    Article Metrics

    Article views: 2967 Times PDF downloads: 27 Times Cited by: 0 Times

    History

    Received: 24 December 2015 Revised: Online: Published: 01 July 2016

    Catalog

      Email This Article

      User name:
      Email:*请输入正确邮箱
      Code:*验证码错误
      Tao Yang, Linghao Zhu, Xi Tan, Junyu Wang, Lirong Zheng, Hao Min. A dual-mode secure UHF RFID tag with a crypto engine in 0.13-μm CMOS[J]. Journal of Semiconductors, 2016, 37(7): 075003. doi: 10.1088/1674-4926/37/7/075003 ****T Yang, L H Zhu, X Tan, J Y Wang, L R Zheng, H Min. A dual-mode secure UHF RFID tag with a crypto engine in 0.13-μm CMOS[J]. J. Semicond., 2016, 37(7): 075003. doi: 10.1088/1674-4926/37/7/075003.
      Citation:
      Tao Yang, Linghao Zhu, Xi Tan, Junyu Wang, Lirong Zheng, Hao Min. A dual-mode secure UHF RFID tag with a crypto engine in 0.13-μm CMOS[J]. Journal of Semiconductors, 2016, 37(7): 075003. doi: 10.1088/1674-4926/37/7/075003 ****
      T Yang, L H Zhu, X Tan, J Y Wang, L R Zheng, H Min. A dual-mode secure UHF RFID tag with a crypto engine in 0.13-μm CMOS[J]. J. Semicond., 2016, 37(7): 075003. doi: 10.1088/1674-4926/37/7/075003.

      A dual-mode secure UHF RFID tag with a crypto engine in 0.13-μm CMOS

      DOI: 10.1088/1674-4926/37/7/075003
      More Information
      • Corresponding author: Wang Junyu, Email: junyuwang@fudan.edu.cn
      • Received Date: 2015-12-24
      • Accepted Date: 2016-01-25
      • Published Date: 2016-07-25

      Catalog

        /

        DownLoad:  Full-Size Img  PowerPoint
        Return
        Return