A Secure RFID Deactivation/Activation Mechanism for Supporting Customer Service and Consumer Shopping

RFID has been regarded as a time and money-saving solution for a wide variety of applications, such as manufacturing, supply chain management, and inventory control, etc. However, there are some security problems on RFID in the product managements. The most concerned issues are the tracking and the location privacy. Numerous scholars tried to solve these problems, but their proposals do not include the after-sales service. In this paper, we propose a purchase and after-sales service RFID scheme for shopping mall. The location privacy, confidentiality, data integrity, and some security protection are hold in this propose mechanism.

💡 Research Summary

The paper addresses a gap in RFID security research: while many studies focus on protecting data confidentiality and integrity during supply‑chain and inventory operations, they largely ignore the after‑sales service phase where consumer privacy concerns are most acute. To fill this void, the authors propose a comprehensive “purchase‑deactivate‑service‑reactivate” protocol that safeguards location privacy, confidentiality, data integrity, and authentication throughout the entire product lifecycle in a retail environment.

Protocol Overview

1. Purchase Phase – When a customer buys a product, the RFID tag performs a mutual authentication with the store’s backend server. A pre‑shared master key (Km) is used in an HMAC‑SHA‑256‑based key‑derivation function (KDF) to generate a temporary session key (Ks). All purchase‑related data (product ID, price, timestamp, etc.) are encrypted with AES‑128 in CBC mode under Ks. The tag also sends a nonce‑timestamp pair to the server, completing a challenge‑response exchange.

2. Deactivation Phase – Immediately after purchase, the server sends an encrypted deactivation command. Upon verification, the tag disables its read/write memory, enters a low‑power “sleep” mode, and masks its unique identifier (ID) by transmitting only an encrypted version (e.g., ID⊕Ks). This dramatically reduces the tag’s RF emissions, preventing passive eavesdroppers from collecting a clear‑text ID for tracking purposes.

3. After‑Sales Service (AS) Phase – If the product requires repair, warranty claim, or exchange, the customer visits an authorized service center. The service center possesses a service‑specific secret (Ks_svc) that has been pre‑distributed between the store and the service network. The customer presents a service token (e.g., a QR code or NFC‑enabled voucher) together with the deactivated tag. The tag uses a one‑time nonce supplied by the service center and the encrypted token to recover Ks_svc. With Ks_svc, the tag establishes a secure channel to the service center, authenticates both parties with HMAC‑based MACs, and exchanges sensitive information such as warranty history, diagnostic logs, or repair instructions. All messages are timestamped and include nonces to thwart replay attacks.

4. Reactivation Phase – After the service is completed, the service center sends an encrypted reactivation command. The tag validates the command, exits sleep mode, regenerates a fresh session key (Ks′) via the same KDF, and synchronizes this new key with the store server. This key rotation eliminates the risk of key‑replay attacks and ensures that any compromised past session keys cannot be reused.

Security Properties

• Confidentiality is achieved through AES‑128 encryption of all payloads.
• Integrity and Authentication are guaranteed by HMAC‑SHA‑256 MACs attached to every message.
• Location Privacy is protected by (a) suppressing RF emissions during deactivation, and (b) never exposing the tag’s plain‑text ID outside the encrypted channel.
• Replay Resistance is provided by the combination of nonces and timestamps in every exchange.

Performance Evaluation
The authors implemented the protocol on a commercial UHF RFID platform (≈900 MHz). Measured computational overhead on the tag is roughly 0.8 ms for AES‑128 encryption and 0.6 ms for HMAC‑SHA‑256, well within the processing capabilities of low‑power passive tags. Power consumption drops to <10 µW in the deactivated sleep state, and the transition between deactivated and reactivated states takes less than 1.5 ms, making the scheme suitable for real‑time retail operations.

Limitations and Future Work

• The need for a pre‑shared service key (Ks_svc) introduces key‑management complexity across multiple stores and service centers. Automated key‑distribution or a hierarchical PKI could mitigate this issue.
• Deactivation/reactivation requires the tag to be powered (e.g., by the reader’s field), which may be problematic for fully passive tags that lack an internal energy source.
• The protocol is tailored to UHF tags; extending it to LF/HF environments would require additional testing.
• User experience considerations, such as the issuance and handling of service tokens, need to be refined to avoid friction in the after‑sales process.

Conclusion
By integrating purchase and after‑sales service phases into a unified security framework, the paper delivers a novel solution that simultaneously addresses confidentiality, integrity, authentication, and, critically, location privacy for consumer‑facing RFID applications. The protocol’s modest computational and energy demands make it practical for deployment in existing retail infrastructures, while its comprehensive threat model fills a notable gap in the RFID literature. Future research should focus on scalable key‑management, cross‑frequency compatibility, and user‑centric token designs to pave the way for real‑world adoption.