
Bharati Vidyapeeth's Institute of Computer Applications and Management (BVICAM), New Delhi (INDIA)

Security in RFID based Smart Retail System


Ravi. V
Department of CSE, Siddaganga Institute of Technology, Tumkur, Karnataka 572103, INDIA
Email ID: rsheelavanth@gmail.com

Aparna. R
Department of CSE, Siddaganga Institute of Technology, Tumkur, Karnataka 572103, INDIA
Email ID: raparna@sit.ac.in


978-9-3805-4421-2/16/$31.00 © 2016 IEEE

Abstract - Recent developments in RFID and NFC technologies help manufacturers to find ways of replacing traditional object identification such as bar codes with RFID tags. These RFID tags are passive and cheaper tags that make object tracking a reality. Tags can also help retailers to allow customers to shop in a smarter way, allowing customers to purchase items through smart retailers enabled with RFID readers in the shopping cart. C1G2 tags allow tackling counterfeit items using their minimal cryptography approaches such as XOR, 16 bit PRNG, CRC techniques and separate memory for storing secret pins. The proposed model creates a secure perimeter to realize a smart shopping environment and supply chain management. In this paper we have extended the application of RFID technology to the smart shopping environment, allowing customers to shop for authentic items, which lessens counterfeit item sale in the market. Our technique can even strengthen tag based product sale in the open market, where the chance of selling counterfeit items is high.

Keywords - RFID Security; Smart Shopping; Internet of Things.

I. INTRODUCTION

In recent years, with the rapid development of wireless sensor networks, smart objects such as smart phones, tablets and other devices are extensively used to build heterogeneous networks. Breakthroughs have been made in the Internet of Things (IoT) with a variety of applications such as environmental monitoring, medical treatment and public health care, Intelligent Transportation System (ITS), smart perimeter control, smart grid and other areas.

IoT [1][10][11] refers to the interconnection of various sensing devices, smart objects and technologies which are able to sense and actuate various activities of human life. This makes the IoT a diverse network. IoT comprises various technologies, such as wireless sensor nodes, RFID devices [2][3][4], GPS enabled devices, infrared sensor nodes, smart phones etc. All these devices collect real time data from various environments which are to be monitored, linked and interacted with to satisfy various end user requirements. The purpose of IoT is to connect assorted devices to the internet and have Machine to Machine (M2M), machine to man, and man to man communication, making IoT a convenient approach for identification, management, and control of various things. IoT, as a fusion of heterogeneous networks, has three layers, namely the Perception layer, Network layer, and Application layer. Each layer of IoT requires a different level of security standards, which makes realizing IoT security difficult. In the following section we consider the application of RFID in a smart shopping environment, which helps people to feel the advantages of IoT.

With the advent of RFID and NFC technologies, the items with bar codes can be replaced with cheaper passive tags which make smart shopping a reality.

The passive tags attached to the items offer multiple benefits over the bar code for both the retailers and consumers. The retailers will have unique and unified item identification from the manufacturing plant to the consumer. The tags may also help consumers to shop for items in a smart shop which has carts enabled with RFID readers, which tabulate the items and allow the consumer to check out the products by paying online at the cash counter, which avoids long check outs.

RFID technologies in shops and retail help to configure shelves to intelligently issue a refill order automatically to back end storage as items are sold, which offers precise delivery of items from the wholesaler directly to the shelf. Smart phone apps provide facilities for the consumer to transmit the list of items to be purchased to the shop; when the customer reaches the shop he may find a readymade shopping bag packed with the items he needed from the shop or retailer. With this ability the customer can directly make payment online, and an inventory of belongings may be stored in the mobile phone, making insurance claims easier and facilitating the private sale of goods, since a centralized registry of things will no longer be needed.

To enable smart shopping, we assume that retailers are equipped with mRFID readers which are able to read EPC Global standard C1G2 tags [2]. These tags carry no explicit mechanism for authentication and only provide basic features such as
1) UHF band (800-960 MHz) for Tag-reader communication.
2) 16 bit pseudo-random generator function (PRNG).
3) XOR operation.
4) Memory banks for storing 32 bit access PIN and Kill PIN.
5) 16 bit CRC for integrity check.
6) User memory.

EPC Global standard tags such as C1G2 tags are cost effective to use instead of the existing bar code on the items. RFID tags are advantageous when compared to the traditional bar code system, since once the items are tagged by RFID, we can use the tag information to track and identify the item against counterfeit
item. This application makes the RFID system well suited for supply chain and retail management systems, where the manufacturer can combat counterfeit items after selling the items to the retailers. C1G2 tags do not provide any additional circuitry for cryptographic approaches to protect against counterfeiting or skimming attacks, where an adversary can clone a tag and create a counterfeit item. To realize the smart shopping and retail management system, we put forward requirements such as
• Two-way authentication between reader and tag.
• Secure communication of tag information between shop-reader and shop server.
• Secure communication between shop server and manufacturer EPC server.
• Authenticated way of killing the tag against purchase of items.
• Maintaining privacy about customer purchases.

The structure of the rest of this paper is as follows: Section II discusses the model of the RFID based supply chain system and examines weaknesses in existing schemes. Section III proposes an extended model of the RFID based supply chain system to realize the smart shopping environment. Section IV analyzes the security and performance of the proposed scheme. Finally, Section V summarizes the paper and describes the future requirements for realizing the smart environment for shopping and retail systems.

II. RELATED WORK

RFID based systems are well suited for various applications such as logistics and retail, smart transportation, banking, and health care applications. The use of RFID in retail and supply chain has grown to a large extent, where items produced by the manufacturer are tagged with a unique EPC code and delivered to the retailers. The present scenario of RFID based supply chain management helps in product tracking and timely delivery of products. Various approaches such as unique serial numbering or product ID [5], track and trace [6], and PKC based techniques [13] were earlier proposed for product authentication. Use of RFID enhances and provides secure authentication for products to protect against counterfeit items.

The major hurdle in the purchase of RFID tagged items is the problem of counterfeit items, which is the result of the cloned tag attack. The existing RFID based supply chain system faces a larger domain of security hurdles such as
1. RFID tags are designed only to track items/pallets of items.
2. Cloned tags which result in manufacturing of counterfeit items, resulting in loss of revenue for the manufacturers.
3. Exposure of secret information stored in tagged items due to the insecure channel between reader and tag.
4. Physical tampering with tagged items makes them unusable or allows an adversary to modify the tag data.
5. Privacy issues concerning Manufacturer, Retailers and Customers.

III. MODEL

In this section we specify the requirements for the proposed RFID based smart shopping environment. Fig 1 shows the model of the proposed system, where the customer shops for items in a smart shop which is equipped with shopping carts with a mobile RFID (mRFID) reader and items with RFID tags. While the customer shops, the mRFID sends the C1G2 [7] enabled tagged item information to the shop server via aggregation nodes (Ai), which help Shop S to aggregate the items purchased by the customer.

Fig 1. Model

We assume that mRFID readers are configured and authenticated by the shop servers to read the EPC code from the item. We also assume that each customer has downloaded the mobile app developed by the shop/retailer, which specifically enables the customer to prepare and customize an e-wallet which can be configured to store e-cash in his/her account during registration of the app. The customer can later use this mobile application to pay the bill for the items purchased through the e-wallet of the app.

We also assume the following operations through this mobile app:
1) Provides the identity of the customer each time he shops, since the shop server has credentials for identifying the customer.
2) App helps in editing the item list present in the cart during shopping, such as adding or removing items in the cart.
3) Make payment to the shop server.
4) Maintain privacy of customer transactions and items purchased.

The following subsections elaborate on the various levels of security requirements needed to realize the smart environment. Communication between tag and reader, mRFID reader and shop server, and shop server and manufacturer server is explained, followed by a detailed description of a secure way of killing tagged items. Table 1 shows the notations used in the proposed model.

588 2016 International Conference on Computing for Sustainable Global Development (INDIACom)
TABLE I. NOTATIONS

Notations    Meaning
ITr          Items receiving reader
PTr          Point of Sale reader
mRFIDi       Mobile Reader at cart
Ai           Aggregator Node
Mid          Manufacturer Id
S            Shop Server
M            Manufacturer Server
T            Tagged Item
Reqx         Reader request
RTX          Random number from Tag
RMX          Random number from Reader
ApwD         32 bit access password
KpwD         32 bit Kill password
CCpwd        Cover Code Pad from PadGen() function
PADx         Pad Values from PadGen() function
||           Concatenation
H            Hash Function
E(r, K)      r is encrypted using key K
D(r, K)      r is decrypted using key K
PKm          Public key of Manufacturer
PRm          Private key of Manufacturer
PKs          Public key of Shop server
PRs          Public key of Shop server

A. Shop Server and Manufacturer communication

Algorithm 1 shows the interaction between the shop and the manufacturer EPC-IS server. To realize the proposed system, every shop server S and Manufacturer M share secret keys via a secure channel. These secret keys are later used to prove the authenticity of shop server S whenever the shop owner places an order for items from the manufacturer M. In order to generate secret keys for every shop server S we can use an asymmetric key algorithm such as RSA or Elliptic Curve Cryptography (ECC), which enables confidentiality and authenticity among servers.

The proposed system considers the use of an RSA based asymmetric key algorithm between S and M. The proposed model enhances the security level against counterfeit item sale by having every item authenticated by the shop server S instead of the manufacturer server as proposed by Divyan M. Konidala et al. [12]. According to the scheme of Divyan et al., Tag-Reader authentication is designed to be a two way authentication scheme which requires communication with M for authenticating every item. The proposed tag authentication scheme shifts the authentication process to shop level instead of M level, which in turn reduces the computational overhead of M.

B. RFID Based Smart Retail System

Fig 2. Shop and Manufacturer Communication

Our proposed smart retail system replaces the traditional bar code system by allowing customers to shop for different RFID tagged items which are authenticated by the manufacturer once purchased. To reduce the overhead of the manufacturer, we propose a new authentication scheme based on RFID tag aggregation, wherein the shop server aggregates the tag information of items purchased by the customer and collectively performs authentication by the cover-coded scheme [12] at the shop server level. We have extended the Divyan M. Konidala tag reader authentication protocol by considering items of different manufacturers which are sold through the retail shop.

RFID Tag Aggregation: Fig 3 shows the tag aggregation scheme used in the proposed model. The following is the sequence of operations:
• Customer places the items at mRFIDi, which reads the EPC and the information of the item, which are later sent to Ai.
• Each tag T generates EPC, Mid, RT1, RT2 information when it comes into the proximity of mRFIDi.
• Each tag T generates CCpwD1 using RT1, RT2 and stores it in internal memory.

• Every mRFIDi is associated with a unique static ID which is used by the aggregation node Ai to identify from which mRFIDi reader it received the tag information.
• Aggregation Node Ai aggregates tag information EPC, Mid, RT1, RT2 based on Mid and sends the aggregated information to S by appending the id of mRFIDi and Ai.
• S receives the aggregated information from Ai and extracts the EPC, RT1, RT2.
• S has to generate two 16 bit Cover-codes for each item secretly. We can use the following steps:
1) S can query its internal database containing the E(ApwD, EPC, PKm) for each item based on EPC.
2) S decrypts the ApwD of the item sent from M and calculates CCpwd32 bit using RT1 and RT2 of the item.
3) CCpwd32 can now be used by the Point of Sale PTr reader during purchase of the item.
• S also queries the ONS server to obtain the URL of M for the Kill Pin of items.
• M receives E(EPCs, ApwDs, PKm) from S.
• M can send the Kill Pin securely using its private key: E(KillPin, PKm).
• S database is updated with EPC, Mid, RT1, RT2, CCpwd32 of the item, and E(KillPin, PKm) of the item.

The database entries EPC, Mid, RT1, RT2, CCpwd32 of each item are later used by the Point of Sale PTr reader to kill the tag.

Fig 3. RFID Tag Aggregation Model

Tag-Reader Authentication: Fig 4 shows our proposed approach to Tag-Reader authentication, which extends the Divyan M. Konidala et al. scheme for mutual authentication between tag and reader. Our scheme uses mutual authentication of tag and reader only at the point of sale, where each tag has to be authenticated before purchase.

Fig 4. Tag-Reader Authentication

The proposed scheme uses the mRFIDi reader at the cart only to aggregate the tag information; these readers are not used to authenticate the item. The following is the sequence of operations for Tag-Reader authentication:
◦ Shop server S has entries Mid, EPC, RT1, RT2, CCpwd32 of each item. S calculates CCpwd using the PadGen() function along with parameters RT1, RT2 of tag T, which was read by mRFIDi and sent through Ai initially.
◦ Point of Sale PTr reader authenticates the tag before the customer purchases the item.
◦ PTr issues Reqx for T. The tag in turn generates Mid, EPC, and two random numbers RT3, RT4 and sends them to the Point of Sale reader.
◦ The Point of Sale Aggregator Node Ai aggregates EPC, Mid, RT3, RT4, PTid and sends them to Shop server S.
◦ S calculates, for each EPC, the Cover-Code for ApwD and Kill Pins which are obtained securely by M.
◦ S issues the EPC, CCpwD, RS1, RS2, RS3, RS4 to Ai.
◦ T checks the CCpwD with its internal Access password. Only when both match does tag T assume PTr to be an authentic reader.
◦ T issues the EPC, CCpwD, RT3, RT4 to PTr.
◦ PTr uses the information EPC, CCpwD1, CCpwD2, RS1, RS2, RS3, RS4 stored at Ai to verify if Tag T is authentic.
◦ Only when CCpwD1 == CCpwD2 can PTr issue a Kill Command for T.

C. Killing the Tag

To provide security against reproduction of counterfeit items and also enforce privacy, C1G2 tags are provided with a 32 bit kill password which is used to lock the memory of the tag, making it unusable. This makes cloning of the tag for counterfeiting impossible. Once the items are purchased by the customer, the tags have to be killed to give the proof of item ownership to the customer. In the proposed model, the Point of Sale reader PTr at the counter can kill the tag by issuing the correct ApwD to the item.

The following is the sequence of operations for killing a tag:
• PTr issues a request Reqx to T.
• T replies to PTr with EPC, Mid, RT3 and RT4, where RT3 and RT4 are used to calculate the cover-code for CCpwD2.

• Ai at the Point of Sale aggregates the EPC information based on Mid.
• Ai sends EPC, Mid, RT3 and RT4 to S, which in turn calculates the cover-code CCpwD2 for each item using RT3 and RT4.
• S sends EPC, Mid, RS1, RS2, RS3, RS4, CCpwD1, CCpwD2, RT3 and RT4 to Ai, which can be used by PTr to kill the tag using the following steps:
1) Reader Authentication: PTr can issue CCpwD1 to T to authenticate itself. T verifies the internally stored CCpwD1 and, only if it matches, T generates CCpwD2 using the PadGen() function with RT3, RT4, RS3 and RS4 and sends it to PTr.
2) Tag Authentication: PTr verifies if CCpwD1 == CCpwD2; if yes, T is authenticated.
3) Now PTr can issue the Kill Command for T obtained from Ai.

IV. ANALYSIS OF THE PROPOSED MODEL

The proposed model is practically secure for realizing the smart shopping environment, where items tagged with RFID help the manufacturer to track items and protect against counterfeiting. It helps shops or retailers to sell items by providing an easy shopping experience and customer satisfaction. The proposed model is simple, low cost and adheres to the specification of EPC global standards. The following section gives the security analysis of the model against passive and active attacks.

A. Shop server and Manufacturer authentication

The first phase of the proposed model considers every shop or retailer purchasing items from M and obtaining the ApwD for the items through a secure channel. During the initial phase the shop server obtains only the ApwD of items and never possesses the Kill PIN of any item. This protects the system from an adversary who can access the shop server for the ApwD but cannot obtain the KillPin for the items, which is stored in the manufacturer server; this makes counterfeiting of items at shop level difficult. Even the tag-reader and shop server communication is secured to protect against the compromised reader attack and insider attack, because even if the insider possesses the ApwD he doesn't know the Kill PIN to generate the CCpwD for authenticating reader and tag.

B. Tag-Reader authentication

The proposed model uses two-way authentication on tag-reader communication only at the point of sale. This approach protects the system from threats like exposed tag password attacks, malicious RFID readers, and cloned fake tags. We are using the scheme proposed by Konidala et al. [12], which proves to be a lightweight authentication protocol for deploying RFID tags on items using the cover-code scheme.

C. Tag Data aggregation

The proposed model uses tag data aggregation, allowing the customer to choose different products manufactured by different manufacturers with less overhead of tag authentication. The two way authentication of tag and reader is done only at the point of sale. This approach prevents the extra overhead of authenticating each item purchased by the customer. The tag data aggregation is done based on Mid and EPC information, which makes the system simple to implement at shop level.

D. Key Management

The proposed system uses an RSA based asymmetric key algorithm between a single shop and manufacturer server. The proposed model doesn't consider key provisioning, key evolution, key renewal, or key updating algorithms as the number of shops or retailers and even manufacturers increases. The communication inside the shop or retail outlet, i.e., between reader and shop server, requires keys to be generated for every new communication to authenticate the reader to the shop server.

E. Privacy and other Issues

The model specified does not provide any privacy measures except that the items purchased by the customer are issued with the Kill PIN on tags, which locks the memory of the item permanently before purchase. The transactions made by each customer are stored in the shop database; information stored at the shop server can be obtained easily by the owner or a clerk at the shop, which can be a serious privacy issue. The security pin of each item is stored in the manufacturer database. There is a strong requirement to protect this secret information from insider attack.

V. SIMULATION SETUP

The proposed system is simulated on Free and Open Source software for Track and Trace for EPCIS (Fosstrak EPCIS), a Java servlet based module development which provides EPC Global standards for EPC repository, querying, and client side operations for RFID based applications. The simulation setup includes RFID readers at shops and Aggregator nodes for aggregating EPC tag information. The EPC repository can be queried by the Tag reader to authenticate the Tag and further issue the Kill Pwd for killing the Tag.

VI. CONCLUSION

We have presented a simplified model for realizing an RFID based smart environment for retail systems. Our model extends the work proposed by Konidala et al. and achieves desirable security features of an RFID system including: Tag-reader authentication, encryption of tag information between tag-reader, shop and manufacturer server, and lastly privacy protection (against counterfeit items in the market). By replacing RFID tags on items, it is possible to reduce the computational and communication burden on item level authenticity to protect against counterfeit item sale in the gray market. When a product is sold and the EPC is recorded at the point of sale, the

manufacturer can track the items sold by verifying the history of the product. This helps the manufacturer to track as well as protect items against counterfeiting. The proposed model is well suited for the smart shopping environment and can be further enhanced to meet the dynamic requirements of retailers and shop owners.

VII. FUTURE SCOPE

In future work we propose to include cloud architecture at the Manufacturer and shops, which can securely store secret information of tags, Shop or Retailer credentials, customer transactions and other information. Inclusion of IoT devices such as Arduino boards at the shopping cart for reading EPC tags and Raspberry Pi at the manufacturer outlets as aggregator nodes helps us to aggregate the EPC information.
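
The cart aggregation and point-of-sale sequence of Section III, as an added Python sketch that is not code from the paper or from Konidala et al. [12]; it shows the shop server withholding the Kill command when a tag with a copied EPC does not hold the matching ApwD. Assumptions: pad_gen is a simple bit-selection stand-in for PadGen(), RT3/RT4 are combined with RS3/RS4 by XOR, S already holds the decrypted ApwD values (the RSA exchange with M and the Kill PIN retrieval are left out), and all class names, ids, EPC strings and passwords are constructed for illustration.

```python
import secrets
from collections import defaultdict

def pad_gen(pwd32, a16, b16):
    """Stand-in 16-bit pad (assumption, NOT the PadGen() of [12]): each hex digit
    of the two nonces picks one bit from each half of the 32-bit password."""
    out = 0
    for shift in (12, 8, 4, 0):
        for nonce in (a16, b16):
            d = (nonce >> shift) & 0xF
            out = (out << 2) | (((pwd32 >> d) & 1) << 1) | ((pwd32 >> (16 + d)) & 1)
    return out

class Tag:
    """Tagged item T holding EPC, Mid and its 32-bit access password ApwD."""
    def __init__(self, epc, mid, apwd):
        self.epc, self.mid, self._apwd = epc, mid, apwd
        self.ccpwd1, self.killed, self._rt = None, False, (0, 0)

    def cart_read(self):
        # Cart phase: emit RT1, RT2 to mRFIDi and store CCpwD1 internally.
        rt1, rt2 = secrets.randbits(16), secrets.randbits(16)
        self.ccpwd1 = pad_gen(self._apwd, rt1, rt2)
        return {"epc": self.epc, "mid": self.mid, "rt1": rt1, "rt2": rt2}

    def pos_challenge(self):
        # Point of sale: fresh RT3, RT4 in reply to Reqx.
        self._rt = (secrets.randbits(16), secrets.randbits(16))
        return self._rt

    def pos_respond(self, ccpwd1, rs3, rs4):
        # Reader authentication: stay silent unless the reader's CCpwD1 matches.
        if self.ccpwd1 is None or ccpwd1 != self.ccpwd1:
            return None
        return pad_gen(self._apwd, self._rt[0] ^ rs3, self._rt[1] ^ rs4)

def aggregate_by_mid(readings, reader_id, node_id):
    """Aggregation node Ai: group readings by Mid, tagging reader and node ids."""
    groups = defaultdict(list)
    for r in readings:
        groups[r["mid"]].append(dict(r, reader=reader_id, node=node_id))
    return dict(groups)

class ShopServer:
    """Shop server S; apwd_by_epc is assumed to be already decrypted."""
    def __init__(self, apwd_by_epc):
        self.apwd, self.ccpwd1 = dict(apwd_by_epc), {}

    def ingest(self, aggregated):
        for items in aggregated.values():
            for r in items:
                if r["epc"] in self.apwd:
                    self.ccpwd1[r["epc"]] = pad_gen(self.apwd[r["epc"]], r["rt1"], r["rt2"])

    def point_of_sale(self, tag):
        """Kill the tag only after reader and tag authentication both pass."""
        if tag.epc not in self.ccpwd1:
            return False                       # item never read in a cart
        rt3, rt4 = tag.pos_challenge()
        rs3, rs4 = secrets.randbits(16), secrets.randbits(16)
        expected = pad_gen(self.apwd[tag.epc], rt3 ^ rs3, rt4 ^ rs4)  # CCpwD2 at S
        answer = tag.pos_respond(self.ccpwd1[tag.epc], rs3, rs4)
        if answer is None or answer != expected:
            return False                       # treat as counterfeit, no Kill
        tag.killed = True
        return True

def demo():
    # Constructed data: EPC strings, Mid values, ids and passwords are made up.
    server = ShopServer({"epc:A1": 0x1234ABCD, "epc:B7": 0x0F0F3C3C})
    genuine = Tag("epc:A1", "M1", 0x1234ABCD)
    clone = Tag("epc:B7", "M2", 0x0F0F3C3C ^ 0xFFFFFFFF)   # copied EPC, wrong ApwD
    server.ingest(aggregate_by_mid([genuine.cart_read(), clone.cart_read()], "mRFID-3", "Ai-1"))
    return server.point_of_sale(genuine), server.point_of_sale(clone), clone.killed
```

The clone's password is the bitwise complement of the stored one so that its cover code can never coincide with the server's; with a 16-bit pad, an arbitrary wrong password would still pass by chance roughly once in 65536 attempts.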

REFERENCES
[1] Rolf H. Weber, Internet of Things - New security and privacy
challenges, Computer Law & Security Review 26 (2010).
[2] http://www.EPCglobalinc.org.
[3] RFID Journal (2003). Wal-Mart Draws Line in the Sand. News
Article, June 11, 2003. Available at
http://www.rfidjournal.com/article/articleview/462/1/1/ (11.5.2006).
[4] J. Collins. Marks & Spencer expands RFID retail trial. RFID Journal, 10
February 2004. Available at
http://www.rfidjournal.com/article/articleview/791/1/1/
[5] EPCGlobal Ratified Standard, EPC(TM) Radio-Frequency Identity
Protocols Class-1 Generation-2 UHF RFID Protocol for
Communications at 860MHz - 960MHz Version 1.0.9,
http://www.epcglobalinc.org/standards/
[6] Staake, T., Thiesse, F., and Fleisch, E. (2005). Extending the EPC
Network - The Potential of RFID in Anti-Counterfeiting. In
Proceedings of the 2005 ACM symposium on Applied computing (pp.
1607 - 1612). New York (NY): ACM Press.
[7] Juels, A. (2005). RFID Security and Privacy: A research Survey.
Condensed version to appear in 2006 in the IEEE Journal on Selected
Areas in Communication.
[8] Ari Juels, RFID Security and Privacy: A Research Survey, RSA
Laboratories, 2005. Koh, R., Schuster, E., Chackrabarti, I., and
Bellman, A. (2003). Securing the Pharmaceutical Supply Chain. White
Paper, Auto-ID Labs, Massachusetts Institute of Technology, 2003.
[9] Juels, A. (2005). Strengthening EPC Tags against Cloning. In M.
Jakobsson and R. Poovendran, eds., ACM Workshop on Wireless
Security (WiSe), pp.67-76. 2005.
[10] Divyan M. Konidala, Zeen Kim, Kwangjo Kim, A
Simple and Cost-effective RFID Tag-Reader Mutual Authentication
Scheme Conference on RFID Security 2007.
[11] J. Gubbi, R. Buyya, S. Marusic, and M. Palaniswami, Internet of
Things (IoT): A Vision, Architectural Elements, and Future Directions,
Future Generation Computer Systems, vol. 29, no. 7, pp. 1645-1660,
ISSN: 0167-739X, Elsevier Science, Amsterdam, The Netherlands,
2013.
[12] R. Khan, S.U. Khan, R. Zaheer and S. Khan, Future Internet: The
Internet of Things Architecture, Possible Applications and Key
Challenges in Proceedings of the 10th International Conference on
Frontiers of Information Technology, December 17-19, 2012, pp. 257-
260.
[13] Arbit, Alex Livne, Yoel Oren, Yossef Wool, Avishai : Implementing
public-key cryptography on passive RFID tags is practical,
International Journal for Information security, Springer 2014.
