ISO/IEC 29167-22 — IT Security — Part 22: SHA-2 Cryptographic Suite for RFID

Hash-based cryptographic suite using SHA-256/384/512 for RFID tag authentication and data integrity verification

1. SHA-2 in ISO/IEC 29167-22

ISO/IEC 29167-22 specifies the SHA-2 (Secure Hash Algorithm 2) family of hash functions as a cryptographic suite for RFID systems. Unlike other suites in the 29167 family that provide both authentication and encryption, SHA-2 is a one-way hash function — it takes an input message and produces a fixed-size digest that cannot be inverted to recover the original message. In RFID applications, SHA-2 is primarily used for tag authentication via HMAC (Hash-based Message Authentication Code) construction and for data integrity verification.

The standard supports three members of the SHA-2 family: SHA-256 (32-byte digest), SHA-384 (48-byte digest), and SHA-512 (64-byte digest). All three are based on the same Merkle-Damgård construction with different word sizes, round counts, and initial values. The standard also specifies truncated variants (SHA-224 and SHA-512/256) for applications where shorter digests are beneficial for reducing on-air transmission time.

SHA-256 offers an excellent balance of security and performance for RFID applications. With a 256-bit (32-byte) digest, it provides 128-bit collision resistance — equivalent to the security of AES-128 — while requiring approximately 8,000-10,000 gate equivalents for a hardware implementation.

2. HMAC Construction and Authentication Protocol

The HMAC construction specified in ISO/IEC 29167-22 follows RFC 2104: HMAC(K, m) = H((K' XOR opad) || H((K' XOR ipad) || m)), where H is the selected SHA-2 function, K' is the key padded to the block size, and opad/ipad are the outer and inner padding constants. The tag stores a shared secret key and, upon receiving a reader challenge, computes HMAC over the challenge and a tag-specific context (tag ID, session counter, or both) to produce an authentication response.

The protocol supports both unilateral (tag-to-reader) and mutual (tag-to-reader and reader-to-tag) authentication. In mutual authentication mode, the reader also computes an HMAC over the tag’s response and its own challenge, proving that it possesses the shared key. This mode prevents reader impersonation attacks where a rogue reader attempts to extract sensitive data from a tag.

Parameter                | SHA-256               | SHA-384               | SHA-512
-------------------------|-----------------------|-----------------------|----------------------
Digest Size              | 256 bits (32 B)       | 384 bits (48 B)       | 512 bits (64 B)
Word Size                | 32 bits               | 64 bits               | 64 bits
Rounds                   | 64                    | 80                    | 80
Collision Resistance     | 128 bits              | 192 bits              | 256 bits
Gate Count (est.)        | ~9,000 GE             | ~14,000 GE            | ~18,000 GE
HMAC Throughput @ 1 MHz  | ~40 authentications/s | ~25 authentications/s | ~18 authentications/s

SHA-2 hash functions are vulnerable to length extension attacks when used directly for authentication without the HMAC construction. Always use the HMAC construction specified in the standard rather than attempting to build custom authentication protocols using raw SHA-2 hashing.
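The challenge-response exchange of Section 2 in unilateral and mutual mode, as an added example that is not code from the standard or from the original page. The shared key, tag ID and challenge are constructed sample values, and the exact field layout (challenge || tag ID || 4-byte counter for the tag response; tag response || reader challenge for the reader's proof) is an assumption, since the standard fixes the real one; only the HMAC primitive and constant-time comparison are taken as given.

```python
import hashlib
import hmac

# Constructed sample values: a 256-bit shared secret and a 96-bit tag ID (not from the standard).
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
TAG_ID = bytes.fromhex("e28011606000020500000001")
ALGO = "sha256"  # the suite also allows sha384 / sha512 with the same construction


def tag_response(key, reader_challenge, tag_id, counter):
    """Tag side: HMAC over the reader challenge and the tag context (ID || 32-bit session counter).
    Field layout is an assumption for this example."""
    context = tag_id + counter.to_bytes(4, "big")
    return hmac.new(key, reader_challenge + context, ALGO).digest()


def reader_proof(key, tag_resp, reader_challenge):
    """Reader side (mutual mode): HMAC over the tag's response and the reader's own challenge."""
    return hmac.new(key, tag_resp + reader_challenge, ALGO).digest()


def run_authentication(reader_key, tag_key, reader_challenge, counter, mutual=True, on_air_len=None):
    """Simulate one session. reader_key / tag_key are each party's copy of the shared secret.
    on_air_len optionally truncates the digests sent over the air (cf. the truncated variants).
    Returns (reader_accepts_tag, tag_accepts_reader); the second is False in unilateral mode."""
    n = on_air_len or hashlib.new(ALGO).digest_size
    # 1. reader -> tag: challenge; tag -> reader: HMAC response (never the raw hash of key || data)
    resp = tag_response(tag_key, reader_challenge, TAG_ID, counter)[:n]
    # 2. reader recomputes with its own key copy; constant-time compare avoids timing leaks
    expected = tag_response(reader_key, reader_challenge, TAG_ID, counter)[:n]
    reader_accepts_tag = hmac.compare_digest(resp, expected)
    if not mutual or not reader_accepts_tag:
        return reader_accepts_tag, False
    # 3. reader -> tag: proof of key possession; tag recomputes and compares the same way
    proof = reader_proof(reader_key, resp, reader_challenge)[:n]
    tag_accepts_reader = hmac.compare_digest(proof, reader_proof(tag_key, resp, reader_challenge)[:n])
    return reader_accepts_tag, tag_accepts_reader


if __name__ == "__main__":
    challenge = bytes.fromhex("1122334455667788")  # constructed; a real reader draws this from its RNG
    print(run_authentication(SHARED_KEY, SHARED_KEY, challenge, counter=7))  # (True, True)
    print(run_authentication(bytes(32), SHARED_KEY, challenge, counter=7))   # rogue reader: (False, False)
```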

3. Hardware Implementation Strategy

A SHA-2 hardware core for RFID tags consists of three main components: the message scheduler (expanding 16 message words into 64 or 80 round words), the compression function (applying the round constants and Boolean functions), and the state register file (holding the eight working variables). The message scheduler dominates the gate count, occupying approximately 45% of the core area, while the compression function accounts for 35% and the state registers for 20%.

For passive tags, the most power-efficient SHA-2 implementation uses a fully unrolled datapath with a single clock cycle per round, giving a total of 64-80 clock cycles per hash operation. At a typical tag clock frequency of 1-2 MHz, a single SHA-256 hash completes in 32-80 microseconds. The instantaneous current draw during hashing can reach 5-15 microamps in 130 nm CMOS, which must be within the tag’s power harvesting budget.

A key advantage of SHA-2 over public-key-based suites is that the hash function is purely combinatorial and does not require any random number generator for operation. This eliminates a significant source of hardware complexity and potential security vulnerabilities.

Side-channel attacks against SHA-2 HMAC implementations can recover the HMAC key by analyzing the power consumption during the message expansion phase, which has data-dependent activity. Implementations should use masking techniques where the message words are XOR-ed with random masks before entering the scheduler, with the masks removed after the expansion is complete.

4. Frequently Asked Questions

Q: How does SHA-2 authentication compare with AES-GCM authentication?
A: SHA-2 HMAC provides only authentication (not encryption) and requires less hardware than AES-GCM. SHA-2 is also not subject to the IV uniqueness requirement that makes AES-GCM nonce management challenging in multi-reader environments.
Q: Can SHA-256 be used for data encryption on a tag?
A: No. SHA-2 is a one-way hash function, not an encryption algorithm. However, it can be used as a building block in a stream cipher construction or for key derivation, which some proprietary designs employ.
Q: Is SHA-256 post-quantum resistant?
A: Partially. SHA-256’s collision resistance is reduced from 128 bits to approximately 85 bits by Grover’s algorithm. While not completely broken, designers should monitor developments in quantum hash collision research.
Q: What is the recommended SHA-2 variant for new RFID designs?
A: SHA-256 is the recommended baseline. It provides adequate security for most applications (128-bit collision resistance) while minimizing silicon area and power consumption. SHA-384/512 should be reserved for high-security government or financial applications.
