ISO/IEC 29167-21 — IT Security — Part 21: AES-GCM Cryptographic Suite for RFID

Authenticated encryption for RFID air-interface using AES in Galois/Counter mode providing confidentiality and integrity

1. AES-GCM in ISO/IEC 29167-21

ISO/IEC 29167-21 specifies the use of Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM) as a cryptographic suite for RFID systems. AES-GCM is an authenticated encryption (AE) algorithm that provides both confidentiality (encryption) and integrity (authentication) in a single unified operation. For RFID applications, this dual property is particularly valuable because it eliminates the need for separate encryption and MAC engines, reducing both gate count and protocol overhead.

The standard defines two modes of operation: AES-GCM for full authenticated encryption and AES-GMAC (Galois Message Authentication Code) for authentication-only scenarios. Both modes support 128-bit keys as the minimum requirement, with optional support for 192-bit and 256-bit keys. The underlying AES core operates on 128-bit data blocks with the GCM mode producing ciphertext of equal length to the plaintext plus a 32-128 bit authentication tag.

AES-GCM is the only suite in the ISO/IEC 29167 family that provides authenticated encryption (confidentiality + integrity) from a single hardware core. Other suites require separate encryption and authentication passes, doubling the computation time and power consumption.

2. Protocol and Operational Details

The AES-GCM protocol in ISO/IEC 29167-21 begins with the reader sending an initialization vector (IV, 96 bits recommended) to the tag. The tag increments a 32-bit counter starting from the IV to generate unique counter blocks for each plaintext block. Each counter block is encrypted with AES-128, and the result is XOR-ed with the corresponding plaintext block to produce ciphertext. Simultaneously, the ciphertext blocks are multiplied in GF(2^128) to compute the GMAC authentication tag.
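
The tag computation described above, as an added example (not code from the standard or from the original page): a pure-Python GHASH that folds AAD and ciphertext blocks through the GF(2^128) multiplier and XORs the result with E_K(J0). The function names are illustrative, and the two AES outputs are constants taken from the published GCM test case 2 rather than computed, because no AES core is included here.

```python
# GHASH and tag derivation for AES-GCM (added example, standard library only).
R = 0xE1 << 120  # x^128 + x^7 + x^2 + x + 1 in GCM's bit-reflected encoding

# Constructed input: published GCM test case 2 (all-zero AES-128 key and IV).
H = 0x66E94BD4EF8A2C3B884CFA59CA342B2E        # E_K(0^128), the hash subkey
EK_J0 = 0x58E2FCCEFA7E3061367F1D57A4E7455A    # E_K(IV || 0^31 || 1)
CT = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")


def gf_mult(x, y):
    """Multiply two GF(2^128) elements (NIST SP 800-38D, Algorithm 1)."""
    z, v = 0, y
    for i in range(127, -1, -1):          # scan x from its leftmost bit
        if (x >> i) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def blocks(data):
    """Yield data as 128-bit integers, zero-padding a final partial block."""
    for i in range(0, len(data), 16):
        yield int.from_bytes(data[i:i + 16].ljust(16, b"\x00"), "big")


def ghash(h, aad, ciphertext):
    """Fold AAD, ciphertext and their 64-bit bit lengths into one block."""
    lengths = (len(aad) * 8 << 64) | (len(ciphertext) * 8)
    x = 0
    for block in [*blocks(aad), *blocks(ciphertext), lengths]:
        x = gf_mult(x ^ block, h)         # one multiply per 128-bit block
    return x


def gcm_tag(h, ek_j0, aad, ciphertext, tag_bytes=16):
    """Tag = leftmost tag_bytes of GHASH xor E_K(J0); 32 to 128 bits."""
    if not 4 <= tag_bytes <= 16:
        raise ValueError("tag length must be 32 to 128 bits")
    full = (ghash(h, aad, ciphertext) ^ ek_j0).to_bytes(16, "big")
    return full[:tag_bytes]


if __name__ == "__main__":
    print(gcm_tag(H, EK_J0, b"", CT).hex())
```

Each loop iteration in `ghash` depends only on the previous accumulator and one finished ciphertext block, which is why the multiplier can run one block behind the AES core.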

One critical advantage of GCM over other modes (such as CCM used in 29167-11) is that the AES encryption and the GHASH computation can be pipelined: while the AES core encrypts block N+1, the GF multiplier computes the authentication tag for block N. This pipelining allows GCM to achieve throughput close to the raw AES encryption rate with minimal additional latency.

| Parameter | AES-128-GCM | AES-192-GCM | AES-256-GCM |
|---|---|---|---|
| Key Size | 128 bits | 192 bits | 256 bits |
| IV / Nonce Size | 96 bits | 96 bits | 96 bits |
| Auth Tag Size | 32-128 bits | 32-128 bits | 32-128 bits |
| Gate Count (est.) | ~10,000 GE | ~12,000 GE | ~15,000 GE |
| Throughput @ 1 MHz | ~8 Mbps | ~6.5 Mbps | ~5 Mbps |
| AAD Support | Yes | Yes | Yes |

Never reuse an IV/nonce value with the same AES-GCM key. If the IV is ever reused, an attacker can recover the GHASH authentication key H by solving a system of linear equations over GF(2^128), completely breaking both confidentiality and integrity. For RFID systems, this means the reader must guarantee IV uniqueness across all sessions with the same tag.
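
One way a reader can enforce this, as an added example that is not part of the standard or the original page: a 96-bit IV built from a 32-bit reader ID and a 64-bit per-key counter, with the counter persisted before each IV is released. The class name, state-file layout and key IDs are assumptions made for illustration.

```python
import json
import os
import struct


class IvAllocator:
    """Hands out 96-bit GCM IVs that never repeat for a given key ID."""

    MAX_COUNT = 2**64 - 1

    def __init__(self, state_path, reader_id):
        # reader_id is the fixed field: readers sharing a tag key must
        # each be given a different value (hypothetical deployment rule).
        if not 0 <= reader_id < 2**32:
            raise ValueError("reader_id must fit in 32 bits")
        self.state_path = state_path
        self.reader_id = reader_id
        self.counters = {}
        if os.path.exists(state_path):
            with open(state_path) as f:
                self.counters = json.load(f)

    def _persist(self):
        # Write-then-rename so a crash never leaves a truncated state file.
        tmp = self.state_path + ".tmp"
        with open(tmp, "w") as f:
            json.dump(self.counters, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.state_path)

    def next_iv(self, key_id):
        count = self.counters.get(key_id, 0)
        if count >= self.MAX_COUNT:
            raise RuntimeError("IV space exhausted for %s: rotate the key" % key_id)
        # Persist the advanced counter BEFORE releasing the IV, so a power
        # loss can skip a value but can never hand the same one out twice.
        self.counters[key_id] = count + 1
        self._persist()
        return struct.pack(">IQ", self.reader_id, count)
```

Restoring the state file from an older backup rolls the counters back and reintroduces the reuse risk, so the file needs the same rollback protection as the keys it refers to.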

3. Engineering Design for RFID Tags

Implementing AES-GCM in an RFID tag requires two main hardware blocks: an AES-128 encryption core and a GF(2^128) multiplier for GHASH. The AES core represents approximately 70% of the total gate count and the GF multiplier about 25%, with control logic making up the remainder. For tags requiring only authentication (not encryption), the GMAC-only mode eliminates the need for output ciphertext buffering, reducing the gate count by approximately 15%.

Power management is a key concern for passive tags using AES-GCM. A full AES-128 encryption round consumes approximately 5-10 microjoules in a typical 130 nm CMOS process. For passive tags operating at typical read ranges (2-5 meters from a 4W ERP reader), the available power is approximately 10-50 microwatts. This means that an AES-GCM operation requiring 50-100 clock cycles at 1.6 MHz will take 30-60 microseconds and consume a significant fraction of the available energy budget. Designers must carefully sequence the AES-GCM operations with power harvesting and storage to prevent brown-out during cryptographic processing.

A well-optimized AES-GCM implementation on a passive RFID tag can complete authentication and encryption of a 128-bit payload in under 100 microseconds at 1.6 MHz, consuming approximately 0.5 microjoules total when implemented in 65 nm low-power CMOS technology.

Allowing the tag to output plaintext before the GMAC tag has been verified opens the system to timing-based oracle attacks. Implementations MUST buffer all decrypted data and only release it after successful GMAC verification. Failure to do so enables chosen-ciphertext attacks that can recover the GHASH key.

4. Frequently Asked Questions

Q: What is the difference between AES-GCM and AES-CCM used in other RFID standards?
A: GCM uses a GHASH polynomial evaluation for authentication while CCM uses CBC-MAC. GCM allows pipelined encryption and authentication for higher throughput, while CCM requires two sequential AES passes, making it slower but requiring less hardware.
Q: Does ISO/IEC 29167-21 support additional authenticated data (AAD)?
A: Yes. AAD is supported and is typically used to authenticate the protocol header bytes (command code, tag ID, parameter length) that must be sent in the clear for protocol operation.
Q: How do I choose between AES-GCM and other suites in the 29167 family?
A: Choose AES-GCM when you need both encryption and authentication, and tag cost allows ~10k GE. Choose ECC suites for key agreement without pre-shared keys. Choose RCS for lowest-cost tags where only basic authentication is needed.
Q: Can the AES core be shared between GCM and other tag functions?
A: Yes. If the tag also uses AES for other purposes (e.g., secure memory encryption), the same AES core can be time-multiplexed, significantly reducing the incremental cost of adding GCM support.
