Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
ISO/IEC IEC 29167-19 — IT Security — Part 19: RCS Cryptographic Suite for RFID
RAM-based symmetric key cryptographic protocol for lightweight RFID authentication and encryption
1. Introduction to ISO/IEC 29167-19
ISO/IEC 29167-19 specifies the RCS (Ravensar Cryptographic Suite) cryptographic suite for RFID systems. RCS is a lightweight symmetric-key cryptographic protocol designed specifically for resource-constrained RFID tags. Unlike the ECC or DSA suites which require expensive public-key operations, RCS operates using a shared secret key and a RAM-based keystream generator to provide both authentication and encryption with minimal gate count.
The RCS suite is notable for its extremely low hardware footprint — approximately 4,000-6,000 gate equivalents — making it suitable for the most cost-sensitive RFID applications such as item-level tagging in retail, library management, and pharmaceutical authentication. The algorithm uses a 128-bit secret key and generates a pseudo-random keystream that is XOR-ed with plaintext to produce ciphertext.
With approximately 5,000 gate equivalents, RCS is one of the lightest cryptographic suites in the ISO/IEC 29167 family. For comparison, AES-128 requires roughly 8,000-12,000 GE and ECC-256 requires 20,000-30,000 GE in a typical ASIC implementation.
2. RCS Protocol Operation
The RCS protocol follows a challenge-response authentication model. The reader initiates the protocol by sending a random challenge (typically 64 bits) to the tag. The tag loads the challenge into its internal RAM-based state machine, which generates a keystream using the shared secret key. The first portion of the keystream is used as the authentication response, and subsequent keystream bytes can be used for encrypting or decrypting tag memory contents.
One distinctive feature of RCS is its RAM-based design, which allows the cryptographic state to be initialized from the shared key each session. This eliminates the need for non-volatile memory storage of intermediate states, reducing manufacturing cost and improving flexibility. The RAM-based state machine is designed to be resistant to simple power analysis by ensuring that the number of state transitions is independent of the key or data values.
| Parameter | RCS-64 | RCS-128 | RCS-256 |
|---|---|---|---|
| Secret Key Size | 64 bits | 128 bits | 256 bits |
| Challenge Size | 32 bits | 64 bits | 64 bits |
| Response Size | 32 bits | 64 bits | 128 bits |
| Gate Count (est.) | ~3,000 GE | ~5,000 GE | ~8,000 GE |
| Authentication Time | ~5 ms @ 1 MHz | ~8 ms @ 1 MHz | ~15 ms @ 1 MHz |
| Security Level | Low (basic) | Medium | High |
RCS-64 offers only marginal security against determined attackers and should be used only in low-security applications such as theft detection or inventory management. For applications requiring protection against counterfeiting or data privacy, RCS-128 or RCS-256 is recommended.
3. Implementation Guidance
Implementing RCS in a tag requires careful attention to the RAM-based state machine design. The state machine typically consists of a set of linear feedback shift registers (LFSRs) combined with a non-linear filter function to produce the keystream. The non-linear function — often implemented as a small S-box or a set of Boolean functions — is the critical component that provides resistance against algebraic and correlation attacks.
Key loading is a particularly sensitive operation. During key loading, the shared secret is transferred into the tag’s volatile RAM. If an attacker can observe the power consumption during this phase, the key may be recoverable through simple power analysis. The standard recommends using masked loading techniques where the key is XOR-ed with a random mask during transfer and the mask is removed only after the key is securely stored in the state machine.
The RAM-based design of RCS allows the same hardware to support multiple keys by reloading the state machine with different keys between sessions. This makes RCS particularly suitable for multi-application tags where different applications use different cryptographic keys.
RCS is a proprietary algorithm and has not undergone the same level of public cryptanalysis as AES or SHA. Before deploying RCS in a security-critical application, ensure that a thorough security evaluation has been conducted by an independent third party. Consider using ISO/IEC 29167-21 (AES-GCM) for higher assurance requirements.
4. Frequently Asked Questions
Q: Can RCS be used for encrypting tag-to-reader communication?
A: Yes. After the authentication phase, the keystream generator continues producing pseudo-random bytes that can be XOR-ed with tag memory data to provide confidentiality for the ensuing read/write commands.
A: Yes. After the authentication phase, the keystream generator continues producing pseudo-random bytes that can be XOR-ed with tag memory data to provide confidentiality for the ensuing read/write commands.
Q: How is the shared key distributed in an RCS system?
A: Key distribution is outside the scope of ISO/IEC 29167-19. In practice, keys are typically loaded during tag personalization using a secure programming station, with the corresponding keys stored in a backend key management system.
A: Key distribution is outside the scope of ISO/IEC 29167-19. In practice, keys are typically loaded during tag personalization using a secure programming station, with the corresponding keys stored in a backend key management system.
Q: Does RCS require a random number generator on the tag?
A: No. In the basic RCS protocol, the random challenge is generated by the reader, not the tag. This eliminates the need for an on-tag RNG, further reducing tag cost and complexity.
A: No. In the basic RCS protocol, the random challenge is generated by the reader, not the tag. This eliminates the need for an on-tag RNG, further reducing tag cost and complexity.
Q: What happens to the session key when the tag loses power?
A: Since RCS uses RAM-based state, the keystream generator state is lost when the tag loses power (i.e., when it leaves the reader field). This is a security feature — each new session starts fresh with the challenge provided by the reader.
A: Since RCS uses RAM-based state, the keystream generator state is lost when the tag loses power (i.e., when it leaves the reader field). This is a security feature — each new session starts fresh with the challenge provided by the reader.
