An RFID system is based around a reader and a tag. A tag stores information, whereas an RFID reader retrieves or modifies the information stored on the tag. To transmit this information through the air, both devices use high-frequency oscillating electric currents (the frequency of such oscillations is also known as radio frequency, or RF). When such a current is applied to a piece of wire (referred to as an antenna), it tends to extend itself well beyond the physical boundary of the antenna wire in the form of electromagnetic waves.

Such waves consist of two parts: magnetic and electric. Each of these contributing parts has an area of influence which depends on the distance from the emitting antenna. Another important feature of the waves is their ability to induce an electric charge or current in a conductor placed in the path of the wave propagation. If a tag is placed in the path of an electromagnetic wave emitted by a reader, an electric current will most certainly be induced in the tag’s antenna. Also, the direction of propagation can be roughly controlled by the shape of the emitting antenna, although in reality waves tend to scatter in a multitude of directions.

Here’s an oversimplified but basically functional schema of an RFID system (Fig. 1).


Fig. 1

To pass information from the reader to the tag and back, the RF waves are controlled, or as it is customary to say, modulated, at a much lower frequency: that of the actual data transmission. A variety of modulation schemes exist, but most commonly they are based on controlling the properties of the electromagnetic wave: amplitude, frequency and phase. The modulation schemes employed in RFID are designed to be most useful in digital transmission, meaning that such modulations encode only two states, interpreted as ‘0’ and ‘1’. These modulation schemes are called ASK (amplitude shift keying), FSK (frequency shift keying) and PSK (phase shift keying). A simplified overview can be seen in the following examples.

Imagine we need to encode 101010 (this number is chosen as a good illustration of modulation for the purposes of our example).

As can be seen from Fig. 2, a ‘1’ or ‘0’ state is represented by intermittently changing one of the wave’s properties: the amplitude, frequency or phase. It is worth noting that the frequency of the electromagnetic wave which is subjected to modulation is normally called the base frequency (or carrier frequency).
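As an added illustration, not code from the original article, the following Python models what the three schemes do to the 101010 example above: it keys the amplitude, frequency or phase of a sampled sine carrier bit by bit and then recovers the bits by correlating each bit period against locally generated references. The sample rate, carrier frequency and second FSK tone are assumptions chosen so that whole carrier cycles fit in each bit period; the code works for any bit string, not only 101010.

```python
# Added example (not from the article): ASK/FSK/PSK of the 101010 payload, then demodulated.
import math
BITS = "101010"      # the article's example payload
FS = 1000            # samples per second (assumed)
BIT_SAMPLES = 100    # samples per bit, i.e. 10 bit/s data rate (assumed)
F_CARRIER = 50.0     # base/carrier frequency in Hz (assumed): 5 cycles per bit
F_SPACE = 20.0       # second FSK tone for '0' (assumed): 2 cycles per bit

def carrier(freq, phase=0.0, amp=1.0, start=0):
    """One bit period of a sine carrier, phase-continuous across bit boundaries."""
    return [amp * math.sin(2 * math.pi * freq * (start + i) / FS + phase)
            for i in range(BIT_SAMPLES)]

def modulate(bits, scheme):
    """Return the sampled waveform for `bits` under 'ask', 'fsk' or 'psk'."""
    out = []
    for k, b in enumerate(bits):
        s = k * BIT_SAMPLES
        if scheme == "ask":    # '1' = full amplitude, '0' = half amplitude
            out += carrier(F_CARRIER, amp=1.0 if b == "1" else 0.5, start=s)
        elif scheme == "fsk":  # '1' = carrier tone, '0' = lower tone
            out += carrier(F_CARRIER if b == "1" else F_SPACE, start=s)
        elif scheme == "psk":  # '1' = in phase, '0' = shifted by 180 degrees
            out += carrier(F_CARRIER, phase=0.0 if b == "1" else math.pi, start=s)
    return out

def correlate(seg, ref):
    """Dot product of a received segment with a locally generated reference."""
    return sum(a * b for a, b in zip(seg, ref))

def demodulate(samples, scheme):
    """Decide each bit from one bit period of samples (noise-free, ideal sync)."""
    bits = []
    for k in range(len(samples) // BIT_SAMPLES):
        s = k * BIT_SAMPLES
        seg = samples[s:s + BIT_SAMPLES]
        if scheme == "ask":    # mean energy: 0.5 for amplitude 1, 0.125 for amplitude 0.5
            bits.append("1" if correlate(seg, seg) / BIT_SAMPLES > 0.3 else "0")
        elif scheme == "fsk":  # whichever tone correlates more strongly wins
            mark = correlate(seg, carrier(F_CARRIER, start=s))
            space = correlate(seg, carrier(F_SPACE, start=s))
            bits.append("1" if mark > space else "0")
        elif scheme == "psk":  # coherent detection against the unshifted carrier
            bits.append("1" if correlate(seg, carrier(F_CARRIER, start=s)) > 0 else "0")
    return "".join(bits)

def roundtrip(bits=BITS):
    """Modulate then demodulate `bits` under all three schemes."""
    return {sc: demodulate(modulate(bits, sc), sc) for sc in ("ask", "fsk", "psk")}
```

Because 50 Hz and 20 Hz complete whole cycles within one 100-sample bit period, the two FSK references are orthogonal and the correlation detector separates them cleanly.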

Modulation and demodulation of the carrier frequency normally add to the computational load of a reader or a tag. With the advent of specialized hardware bases for RFID, there is also a tendency to shift RF functions away from the main processing unit within a tag or a reader and to incorporate them as functionally complete modules within a specialized integrated circuit. Such higher circuit integration essentially frees the CPU to run more computationally intensive encryption algorithms. To distinguish between varieties of RFID devices and to make sure they best suit their dedicated purposes, a number of standard protocols are defined for the exchange between an RFID tag and a reader. These protocols differ in occupied bandwidth, carrier frequency, operating range, amount and type of data exchanged, and the type of coupling between the reader’s and the tag’s antennas.

So far there are a number of carrier frequencies used for RFID protocols. Frequencies in the range of 125-135 kHz are often used for pet and human tag implants as well as for some security access systems, such as car immobilizers and secured perimeters. The range of a reader-tag interrogation is mostly limited to 0.5 meters (around 1.6 feet). The bit rate of communication is comparatively slow (less than 1 kbps) and the bit traffic is normally not encrypted. In most cases tags are passive, meaning that they feed off the magnetic field created by the reader. These passive tags are often quite simple in implementation and tend to use backscatter propagation, basically reflecting the signal emitted by the reader in a certain way based on the configuration of the tag’s reflective surface. Once the reflection is received, the reader analyzes the signal’s waveform to decide on the validity of the tag. Such technology is not new; quite similar techniques are used in radar or sonar applications, for instance to identify basic target shapes.

There are also carrier frequencies allocated around 13.56 MHz, 433 MHz, 865-956 MHz and 2.45 GHz. The carrier frequency generally affects the operating range as well as the amount of information it can carry when modulated, hence the bandwidth used and the speed of data exchange. Notably, 13.56 MHz is becoming increasingly popular. Because this frequency is fairly low, it allows inexpensive RF designs for a reader and a tag, while at the same time providing increased bandwidth for communication compared to lower base frequencies such as 125-135 kHz.

Peering inside a modern reader or a tag, we can usually spot a number of basic blocks.

Data from a control application, framed by the CPU (Central Processing Unit) according to an RFID protocol, is passed to a DSP (Digital Signal Processor), where it is transformed according to the modulation and encoding schema. The byte stream then passes to a DAC (Digital to Analogue Converter). The DAC converts digital information to its analogue representation (where, for instance, digital values correspond to an analogue parameter such as voltage) and passes it to an RF amplifier. The commutator controls the signal flow in and out of the antenna.

The received signal follows the reverse path, where it is digitized by the ADC (Analogue to Digital Converter) and then demodulated and decoded by the DSP. Note that the schematic of the module shown in Fig. 3 is greatly simplified, but even at its most basic it shows the modern approach to the design and implementation of RFID transceiver modules, which rely heavily on digital post-processing. While this is somewhat more expensive to design and manufacture, it is extremely flexible: the architecture can adapt to changes in modulation, encoding and RFID protocol by loading different software or firmware. It avoids costly hardware redesigns and remanufacturing, and leads to greater encapsulation of RFID protocols from the controlling application.

While it is desirable to follow the digital signal processing approach when designing RFID infrastructure, in the case of RFID tags it is not always possible or viable. For successful adoption of RFID technology it is imperative that the price of RFID tags stays low. This factor limits the computational power available to a microcontroller for a DSP implementation. Most of the time DSP is sacrificed in favor of hardwired analogue logic, which cannot be changed to reflect the adoption of newer standards.

The basic blocks of a tag include a CPU, memory, RF transceiver, modulator (MOD), demodulator (DEM) and antenna.

There are many variations in RFID tag implementations. For instance, there are tags which use only the geometric properties of their piezoelectric surfaces to resonate in response to the signal transmitted by the RFID reader. The geometric configuration of the resonating RFID tag membrane imprints a distinct signature on the reflected RF signal. While the cost of such tags is extremely attractive, their use is very limited, and overall such a solution might not be as cost effective or as widely adopted as the rewritable tag pictured in Fig. 4.

There’s no doubt that RFID solutions are convenient and viable, and provide flexibility to access control, payment and tracking infrastructures. A number of pilot programs are being run by some big retail chains in which RFID tags replace UPC barcodes. Toll payment systems in the US and elsewhere have been using RFID tags for some time. In recent years we’ve seen the introduction of RFID passports by some European and Asian countries. There also seems to be wide application of RFID tags implanted in pets, helping to track a stray pet and return it to its owner.

The adoption of RFID tag technologies by industry is on the rise. According to IDTechEx, the RFID market is expected to grow from 5 billion measured in 2008 to an estimated 25 billion in 2018. Where does that leave us in terms of RFID security? Should we be more concerned and better prepared, with all the facts currently at hand? You’ll have to read part 3 of this series on RFID security...

--Oleg Petrovsky