Introduction


EPC Gen 2v2 standard is an update to GS1's Electronic Product Code (EPC) air-interface protocol standard for passive, ultrahigh-frequency (UHF) RFID tags. 

The improvements include improved security and counterfeit detection for tagged products. The tag or reader can be authenticated with a 128-bit security key. The features included are targeted to be used for electronic article surveillance (EAS). 

ISO/IEC 29167-10 specifies the crypto suite used in this context. AES-128 for the ISO/IEC 18000 defines the crypto suite for security for RFID devices. 

ISO/IEC 29167-10 specifies the authentication methods and usage of the encryption algorithm. A tag can support one, a subset, or all of the specified options.


Authenticate command


Authenticate tag crypto key

The Authenticate command can be used to verify the tag's identity. Verification is done against a 128-bit key stored in the tag memory. 

An example of how to use Nordic ID NurApi is shown here:

public bool ISO29167_10_TAM1(byte keyNum, byte[] key);


keyNum is the index of the key

key is array of 16 bytes i.e. 128 bits


return value

True – the key in tag matches the key sent

False – no match, authentication failure


See also ISO29167_10_TAM1ByEPC() and ISO29167_10_TAM1Singulated().

 

Authenticate a memory block

The Authenticate command can also be used to read an encrypted memory block. A Nordic ID NurApi helper function can be used to easily populate the Authenticate parameters.

public static TAM_PARAM AllocTAM2Param(

byte keyNum, 

byte[] keyData, 

uint blockCount, 

byte mpi, 

ushort offset, 

byte protMode)


keyNum
index of the key
keyData
crypto key, array of 16 bytes, 128 bits
blockCount
data block count, a block is 16 bytes
mpi
memory profile indicator, 0 = EPC memory bank, etc.
offset
address of the memory block, 0 = the first 16 bytes, etc.
protMode
the encryption algorithm used, defined in ISO29167-10

             

The actual command to execute reading an encrypted memory block is:

        public TAM_RESP ISO29167_10_TAM2(TAM_PARAM tamParam)

 

Here the tamParam is the return value of the helper function. TAM_RESP can be initialized with a call to function AllocTAMResp() which initializes the response object. See also ISO29167_10_TAM2ByEPC() and ISO29167_10_TAM2Singulated().

The response to Authenticate memory block command has the following structure:

          public class TAM_RESP

          {

                    public bool response;

                    public bool ok;

                    public uint C_TAM;

                    public uint TRnd32;

                    public uint szBlocks;

                    public byte[] challenge;

                    public byte[] firstBlock;

                    public byte[] blockData;

                    public byte[] cmac;

     }


Where the return values indicate the following:

response          
is there a response or not
ok
the response is valid
C_TAM
16-bit constant in the first block, used for validity check
TRnd32
the following 32-bit random value in the first block
szBlocks
the actual number of bytes in blockData
challenge
random sequence sent to the tag
firstBlock
decrypted contents of the first block
blockData
decrypted data requested
cmac
CMAC data if protection mode 2 or 3 is used

 

Untraceable command


The Untraceable command can be used for two purposes.

  1. To limit the operating range of the tag.
  2. To untraceably hide memory from a reader not set up with the untraceable privilege.

The Nordic ID NurApi command format is shown here:

        public void Gen2v2Untraceable(uint accessPwd, UntraceableParam utrParam)

 

The correct Access password is mandatory when using the Untraceable command.
The Untraceable parameters are:

    public class UntraceableParam

    {

        public bool setU = false;

        public bool rxAttn = false;

        public bool hideUser = false;

        public bool hideEPC = false;

        public int epcWordLen = 6;

        public int tidPolicy = NurApi.TID_HIDE_NONE;

        public int rangePolicy = NurApi.UTRACE_RANGE_NORMAL;

    }


setU
set Untraceable bit (enables Untraceable privilege)
rxAttn
RX attenuation for response reception. True reduces operation range
hideUser
true if user memory is hidden from a reader without Untraceable privilege
hideEPC
true if parts of EPC memory are hidden from a reader without Untraceable privilege
epcWordLen
New length of EPC in 16 bit words (0 – 31)
tidPolicy
TID hiding policy (NurApi.TID_HIDE_NONE / SOME / ALL)
rangePolicy
reduced operating range policy (NurApi.UTRACE_RANGE_NORMAL / REDUCE / TOGGLE)

 

References


|1| EPC® Radio-Frequency Identity Generation-2 UHF RFID Standard

https://ref.gs1.org/standards/gen2/

 

|2| ISO/IEC 29167-10:2017 Information technology – Automatic identification and data capture techniques

Part 10: Crypto suite AES-128 security services for air interface communications

https://www.iso.org/standard/69410.html