Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
ISO/IEC IEC 29167-16 — IT Security — Part 16: ECDH Key Agreement for RFID
Elliptic Curve Diffie-Hellman key establishment protocol for secure RFID air-interface communication
1. Introduction to ISO/IEC 29167-16
ISO/IEC 29167-16 defines the Elliptic Curve Diffie-Hellman (ECDH) key agreement protocol as a cryptographic suite for RFID systems conforming to the ISO/IEC 18000 series air-interface standards. ECDH enables two parties — an RFID reader and a tag — to establish a shared secret over an insecure channel without exchanging their private keys. Each party generates an ephemeral or static key pair, exchanges public keys, and independently computes the same shared secret using their own private key and the peer’s public key.
The standard distinguishes between ephemeral-ephemeral (EE) mode, where both parties generate fresh key pairs per session, and static-static (SS) mode, where long-term key pairs are used. EE mode provides perfect forward secrecy (PFS): if a long-term key is compromised, past session keys remain secure. SS mode sacrifices PFS but reduces computational overhead since key generation occurs only once during personalization.
ECDH with ephemeral keys (ECDHE) provides perfect forward secrecy, ensuring that compromise of long-term keys does not expose previously recorded encrypted sessions. This is critical for supply chain audit trails where tag-reader interactions may be logged.
2. Protocol Details and Key Derivation
The ECDH protocol specified in ISO/IEC 29167-16 follows a three-message exchange. The reader initiates by sending a “Key Agreement Request” that includes its supported curve identifiers and its ephemeral public key (or an indication that static keys will be used). The tag responds with its chosen curve identifier and its ephemeral public key. Both parties then compute the shared secret as the x-coordinate of the scalar multiplication of their private key with the peer’s public key point.
The raw shared secret derived from ECDH is not directly used as a session key. Instead, the standard specifies a key derivation function (KDF) based on HMAC-SHA-256 that processes the shared secret along with the exchanged nonces and public keys to produce the final session key. This KDF step ensures that each session produces a unique key even if the same ECDH shared secret were somehow generated twice.
| Parameter | ECDHE-256 | ECDHE-384 | ECDHE-521 |
|---|---|---|---|
| Messages Exchanged | 3 (Req/Resp/Confirm) | 3 | 3 |
| KDF Algorithm | HMAC-SHA-256 | HMAC-SHA-384 | HMAC-SHA-512 |
| Session Key Size | 128 bits | 192 bits | 256 bits |
| Perfect Forward Secrecy | Yes (ephemeral mode) | Yes | Yes |
| On-Tag Computation | ~25 ms @ 1 MHz | ~60 ms @ 1 MHz | ~180 ms @ 1 MHz |
| On-Air Payload | ~96 bytes | ~128 bytes | ~196 bytes |
Never use ECDH without an explicit key confirmation step. Without confirmation, a man-in-the-middle attacker can establish separate sessions with the reader and tag. The Confirm message in ISO/IEC 29167-16 prevents this by having each party prove possession of the shared secret.
3. Engineering Implementation Considerations
Implementing ECDH on passive RFID tags requires careful management of the tag’s limited computational resources. The scalar multiplication operation dominates both execution time and power consumption. Hardware architects typically implement a dedicated ECC accelerator using a pipelined Montgomery multiplier operating over the prime field, with a dedicated dual-port RAM for storing intermediate projective coordinates.
A critical implementation detail is proper random number generation for ephemeral keys. The standard requires that each ephemeral key pair be generated using a cryptographic-quality random number generator (RNG). On RFID tags, this presents a challenge because traditional analog entropy sources (ring oscillators, thermal noise) may be unavailable during the power-up transient. Many tag designs incorporate a dedicated RNG that seeds during the initial power stabilization window before the tag responds to any commands.
Using a deterministic random bit generator (DRBG) based on AES-CTR as specified in NIST SP 800-90A provides an excellent compromise between hardware cost and random quality. A single AES-128 core can serve both the DRBG and the encryption/decryption functions.
If the random number generator used for ephemeral key generation is predictable, an attacker who observes multiple protocol runs can recover the private key using lattice-based attacks. This is not theoretical: the 2012 Sony PlayStation 3 ECDSA failure resulted precisely from using a static k-value. Always verify that the RNG output passes statistical tests.
4. Frequently Asked Questions
Q: Can ECDH BE used for group key agreement with multiple tags?
A: Not directly. ISO/IEC 29167-16 specifies one-to-one key agreement. For group scenarios, a higher-level protocol must extend ECDH using techniques such as tree-based group Diffie-Hellman (TGDH) or a centralized key distributor.
A: Not directly. ISO/IEC 29167-16 specifies one-to-one key agreement. For group scenarios, a higher-level protocol must extend ECDH using techniques such as tree-based group Diffie-Hellman (TGDH) or a centralized key distributor.
Q: What happens if a tag’s ephemeral key is reused?
A: Reuse of ephemeral keys eliminates perfect forward secrecy and, if the same ephemeral key is used across multiple sessions, enables key recovery attacks. Implementations MUST enforce single-use ephemeral keys.
A: Reuse of ephemeral keys eliminates perfect forward secrecy and, if the same ephemeral key is used across multiple sessions, enables key recovery attacks. Implementations MUST enforce single-use ephemeral keys.
Q: Is ECDH sufficient for complete RFID security?
A: No. ECDH provides only key agreement. Complete security requires combining ECDH with encryption (e.g., AES-GCM) and authentication (e.g., ECDSA or the ECC suite from 29167-14).
A: No. ECDH provides only key agreement. Complete security requires combining ECDH with encryption (e.g., AES-GCM) and authentication (e.g., ECDSA or the ECC suite from 29167-14).
