RFID tag authentication with public-key cryptography

US8941469B1 · US · B1

Patent metadata

Publication number: US-8941469-B1
Application number: US-201113155057-A
Country: US
Kind code: B1
Filing date: Jun 7, 2011
Priority date: Jun 14, 2010
Publication date: Jan 27, 2015
Grant date: Jan 27, 2015

Abstract

Official abstract text for this publication.

An authentication method includes RFID readers authenticating RFID tags using public-key cryptography. A tag manufacturer or other legitimate authority produces a tag private-public key pair and stores the tag private key in externally unreadable tag memory and the tag public key in externally readable tag memory. The authority produces a master private-public key pair and distributes the master public key to readers in the field. The authority generates a tag-specific electronic signature based on at least the tag public key and the master private key and stores this signature in externally readable tag memory. A reader authenticates the tag by retrieving the tag public key and electronic signature from the tag, verifying the authenticity of the tag public key using the master public key and the electronic signature, challenging the tag, receiving a response from the tag to the challenge, and verifying the response using the tag public key.

First claim

Opening claim text (preview).

We claim:

1. A method for a Radio Frequency Identification (RFID) reader to authenticate an RFID tag, the method comprising: retrieving a tag public key (TPK), an item identifier (II), and an electronic signature (ES) from the tag, the ES computed over at least the TPK and the II; retrieving a signing-authority public key (SAPK) associated with the ES from a signing authority; verifying, using the SAPK and the ES, the TPK and the II; challenging the tag with a challenge; receiving a response from the tag; and authenticating the tag by verifying the response using the TPK.

2. The method of claim 1, wherein the II comprising one or more of: a tag identifier (TID), a unique item identifier (UII), an electronic product code (EPC), and a serialized trade identification number (SGTIN).

3. The method of claim 1, wherein the ES is generated from the TPK, the II, and a signing-authority private key (SAPRK) associated with the SAPK.

4. The method of claim 1, wherein the challenge includes a random number and verifying the response includes decrypting the response using the TPK.

5. The method of claim 1, wherein the challenge includes a random number encrypted using the TPK and verifying the response includes comparing the response with the random number.

6. The method of claim 1, further comprising receiving an initial value (IV) from the tag, the initial value generated by the tag from at least a tag random number and a tag private key (TPRK).

7. The method of claim 6, wherein the challenge includes a random number derived at least in part from the IV.

8. The method of claim 1, wherein the challenge is generated from at least a reader random number and a tag random number.

9. The method of claim 1, wherein the RFID tag stores a tag private key (TPRK) associated with the TPK.

10. The method of claim 9, further comprising: causing the tag to form its response from at least the challenge and the TPRK.

11. The method of claim 9, further comprising: causing the tag to form its response from at least the challenge, the TPRK, and a tag random number using a cryptographic algorithm.

12. The method of claim 9, wherein the TPK is stored in a readable memory of the tag and the TPRK is stored in an unreadable memory of the tag.

13. The method of claim 1, wherein challenging the tag precedes retrieving the TPK.

14. The method of claim 1, wherein receiving the response includes reading the response from a tag memory.

15. A Radio Frequency Identification (RFID) reader system for authenticating an RFID tag, the system comprising: an RFID reader configured to: retrieve a tag public key (TPK), an item identifier (II), and an electronic signature (ES), the ES computed over at least the TPK and the II, from the tag; retrieve a signing-authority public key (SAPK) associated with the ES from a signing authority; verify, using the SAPK and the ES, the TPK and the II; challenge the tag with a challenge; receive a response from the tag; and authenticate the tag by verifying the response using the TPK.

16. The RFID reader system of claim 15, wherein the II comprises one or more of: a tag identifier (TID), a unique item identifier (UII), an electronic product code (EPC), and a serialized trade identification number (SGTIN).

17. The RFID reader system of claim 15, wherein the RFID reader is further configured to: cause the tag to generate a tag random number; receive at least one of the tag random number and a function of the tag random number from the tag; and verify the response using at least a reader random number, one of the tag random number and the function of the tag random number, and the TPK.

18. The RFID reader system of claim 15, wherein the challenge includes a random number and verifying the response includes decrypting the response using the TPK.

19. The RFID reader system of claim 15, wherein the challenge includes a random number encrypted using the TPK and verifying the response includes comparing the response with the random number.

20. The RFID reader system of claim 15, wherein the TPK is stored in a readable memory of the tag and a tag private key (TPRK) associated with the TPK is stored in an unreadable memory of the tag.

21. The RFID reader system of claim 15, wherein challenging the tag precedes retrieving the TPK, and receiving the response includes reading the response from a tag memory.

22. A method for a Radio Frequency Identification (RFID) reader to authenticate an RFID tag, the method comprising: retrieving a tag public key (TPK) and an item identifier (II) from the tag; retrieving at least one of a first electronic signature (ES1) and a second electronic signature (ES2) from the tag, the ES1 and the ES2 computed over at least the TPK and the II; retrieving at least one of a first signing-authority public key (SAPK1) associated with the ES1 from a first signing authority and a second signing-authority public key (SAPK2) associated with the ES2 from a second signing authority; verifying the TPK and the II using at least one of: the SAPK1 and ES1, and the SAPK2 and ES2; challenging the tag with a challenge; receiving a response from the tag; and authenticating the tag by verifying the response using the TPK.

23. The method of claim 22, wherein the II comprises one or more of: a tag identifier (TID), a unique item identifier (UII), an electronic product code (EPC), and a serialized trade identification number (SGTIN).

24. The method of claim 22, wherein the ES1 is generated from the TPK, the II, and a first signing-authority private key (SAPRK1) associated with the SAPK1.

25. The method of claim 22, wherein the challenge includes a random number and verifying the response includes decrypting the response using the TPK.

26. The method of claim 22, wherein the challenge includes a random number encrypted using the TPK and verifying the response includes comparing the response with the random number.

27. The method of claim 22, wherein the first signing authority and the second signing authority are the same entity.
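
The reader-side flow described in the abstract and in claim 1, as an added example that is not part of the patent text: it shows why copying a tag's readable memory (TPK, II, ES) is not enough to pass authentication. Ed25519, the TPK-then-II byte layout, modeling the response as a signature over the challenge, and all function names are assumptions; the patent does not name an algorithm or encoding.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Tag models tag memory: TPK, II and ES are readable, tprk is not (claim 12).
type Tag struct {
	TPK    ed25519.PublicKey
	II, ES []byte // item identifier; authority signature over TPK and II
	tprk   ed25519.PrivateKey
}

// signedData is the assumed byte layout the authority signs: TPK (32 bytes) then II.
func signedData(tpk ed25519.PublicKey, ii []byte) []byte {
	return append(append([]byte{}, tpk...), ii...)
}

// Provision makes a tag key pair and signs TPK and II with the SAPRK (claim 3).
func Provision(saprk ed25519.PrivateKey, ii []byte) *Tag {
	tpk, tprk, _ := ed25519.GenerateKey(rand.Reader) // error ignored for brevity
	return &Tag{TPK: tpk, II: ii, ES: ed25519.Sign(saprk, signedData(tpk, ii)), tprk: tprk}
}

// Respond forms the tag's response from the challenge and the TPRK (claim 10).
func (t *Tag) Respond(challenge []byte) []byte { return ed25519.Sign(t.tprk, challenge) }

// Authenticate is the reader side: check ES under SAPK, then challenge the tag.
func Authenticate(sapk ed25519.PublicKey, t *Tag) error {
	if len(t.TPK) != ed25519.PublicKeySize || !ed25519.Verify(sapk, signedData(t.TPK, t.II), t.ES) {
		return fmt.Errorf("ES does not vouch for this TPK and II")
	}
	challenge := make([]byte, 32) // fresh reader random number for every attempt
	if _, err := rand.Read(challenge); err != nil {
		return err
	}
	if !ed25519.Verify(t.TPK, challenge, t.Respond(challenge)) {
		return fmt.Errorf("response does not verify under TPK")
	}
	return nil
}

func main() {
	sapk, saprk, _ := ed25519.GenerateKey(rand.Reader)
	genuine, clone := Provision(saprk, []byte("constructed-epc-1")), Provision(saprk, nil)
	clone.TPK, clone.II, clone.ES = genuine.TPK, genuine.II, genuine.ES // copied readable memory
	fmt.Println("genuine:", Authenticate(sapk, genuine), "clone:", Authenticate(sapk, clone))
}
```

The clone passes the signature check, because its copied TPK, II and ES are genuine, and is rejected only at the challenge step; a tag whose II has been rewritten is rejected earlier, at the ES check.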

Classifications

  • Product, service or business identity fraud

  • involving digital signatures

  • using challenge-response

  • Lightweight hardware, e.g. radio-frequency identification [RFID] or sensor

  • Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Diorio Christopher J, Cooper Scott A, Impinj Inc
What technology area does this patent fall under?
Primary CPC classification G06Q30/0185. Mapped technology areas include Physics.
When was this patent published?
Publication date Jan 27, 2015 (B1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).