Impinj M775 Tag Authentication

Retrieving Tag Authentication Information Using Impinj Readers

Overview

This document outlines the steps to retrieve an authentication response from tags built with Impinj M775 tag chips (M775) using the Impinj IoT Device Interface (IoTDI) for the Impinj reader firmware version 8.0.1.240 or later. The firmware is available on the Impinj Support Site.

Tag Authentication

Impinj provisions each M775 during manufacturing with a unique cryptographic key. The key is used when the Impinj reader challenges an M775 using the Authenticate command defined by the GS1 EPC UHF Gen2 Air Interface Protocol. The M775 responds as defined by ISO/IEC 29167-11.

Using the M775 response, the IoTDI constructs a Tag Authentication Response, which includes the challenge sent to the Impinj M775, the challenge-response generated using the M775's cryptographic key, and optionally the M775's shortened Tag Identification number (TID).

{
    "timestamp": "2022-05-19T20:01:30.461684205Z",
    "eventType": "tagInventory",
    "tagInventoryEvent": {
        "epcHex": "E2C011A2A5001FA0098050BC",
        "tagAuthenticationResponse": {
            "messageHex": "0535443E2AA7",
            "responseHex": "071305DC7779E91A",
            "tidHex": "11A210BC4C02FD00"
        }
    }
}

If the message payload for the Authenticate command includes a header of 000001b, then the response includes the shortened version of the TID. The shortened TID is 64 bits in length and consists of words 1, 3, 4 and 5 of the full TID.

Inventory Presets

The Inventory Preset feature of the IoT Device Interface allows sending a Tag Authentication challenge to each inventoried tag. To enable this feature using the WebUI, check the Tag Authentication checkbox for the preset.

Enable tag authentication

Once checked, the Message Hex field will appear. This field is optional, and if left blank, the reader will automatically generate a random challenge message. Otherwise, enter a 12-character hex string representing a 48-bit command. The first 5 bits of the command must be 0. If the sixth bit is 1, then the TID is included in the tag's response. The remaining 42 bits make up the challenge sent to the M775.

Once the preset is configured and saved, click the preset's Start button to begin the inventory, sending the Authentication challenge as part of the inventory operations.

Start inventory

Alternatively, the IoT REST API PUT /profiles/inventory/presets/{presetId} method can enable the Tag Authentication feature for Inventory Presets by specifying "tagAuthentication": {"messageHex": "<Message>"} inside an antenna configuration within the body message of the request. Refer to the IoT Device Interface's API Reference for more information on REST API methods.

As in the WebUI, leave messageHex blank to have the reader generate a random Tag Authentication challenge message. Below is a cURL example that will create (or modify) an inventory preset named 'tag-auth':

curl -u root:impinj -X PUT 'https://192.168.0.101/api/v1/profiles/inventory/presets/tag-auth' -H 'Content-Type: application/json' -H 'Accept: application/json' --data-raw '{"antennaConfigs": [{"antennaPort": 1,"transmitPowerCdbm": 3000,"inventorySession": 2,"inventorySearchMode": "dual-target", "estimatedTagPopulation": 2,"rfMode": 4,"tagAuthentication": {"messageHex": ""}}],"eventConfig": {"tagInventory": {"epcHex": "enabled"}}}'

Use the POST /profiles/inventory/presets/{presetId}/start REST API method to start the Inventory preset.

curl -u root:impinj -X POST 'https://192.168.0.101/api/v1/profiles/inventory/presets/tag-auth/start' -H 'Accept: application/json'

Authentication Response

Use any Event Reporting methods supported by the reader's firmware to view the tag response information. For example, the following cURL command reads the data from the reader's HTTP Stream:

curl -u root:impinj 'https://192.168.0.101/api/v1/data/stream'

The response from the Impinj M775 tag will contain a tagAuthenticationResponse that has the messageHex, responseHex, and tidHex (if requested).

{
    "timestamp": "2022-05-19T20:01:30.461684205Z",
    "eventType": "tagInventory",
    "tagInventoryEvent": {
        "epcHex": "E2C011A2A5001FA0098050BC",
        "tagAuthenticationResponse": {
            "messageHex": "0535443E2AA7",
            "responseHex": "071305DC7779E91A",
            "tidHex": "11A210BC4C02FD00"
        }
    }
}
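
The Message Hex layout described under Inventory Presets (5 zero bits, the TID flag bit, a 42-bit challenge) and the event above can be checked on the receiving side. The following is an added example, not Impinj code: the function names are hypothetical, the event is the sample from this page, and the checks are structural only, since verifying responseHex requires the tag's key, which this document does not cover.

```python
import json
import secrets
import string

CHALLENGE_BITS = 42
TID_FLAG = 1 << CHALLENGE_BITS   # sixth bit of the 48-bit message
CHALLENGE_MASK = TID_FLAG - 1    # low 42 bits

# The sample event shown on this page, embedded so the example runs offline.
SAMPLE_EVENT = """{"timestamp": "2022-05-19T20:01:30.461684205Z",
 "eventType": "tagInventory", "tagInventoryEvent": {
  "epcHex": "E2C011A2A5001FA0098050BC", "tagAuthenticationResponse": {
   "messageHex": "0535443E2AA7", "responseHex": "071305DC7779E91A",
   "tidHex": "11A210BC4C02FD00"}}}"""

def build_message_hex(include_tid, challenge=None):
    """Build a Message Hex: 5 zero bits, TID flag bit, 42-bit challenge."""
    if challenge is None:
        challenge = secrets.randbits(CHALLENGE_BITS)  # drawn from the OS CSPRNG
    if not 0 <= challenge <= CHALLENGE_MASK:
        raise ValueError("challenge must fit in 42 bits")
    value = (TID_FLAG if include_tid else 0) | challenge
    return f"{value:012X}"

def parse_message_hex(message_hex):
    """Return (include_tid, challenge) or raise ValueError on a malformed message."""
    if len(message_hex) != 12 or set(message_hex) - set(string.hexdigits):
        raise ValueError("messageHex must be exactly 12 hex characters")
    value = int(message_hex, 16)
    if value >> (CHALLENGE_BITS + 1):
        raise ValueError("the first 5 bits of messageHex must be 0")
    return bool(value & TID_FLAG), value & CHALLENGE_MASK

def check_event(event_json, sent_message_hex=None):
    """Structural checks on one tagInventory event; returns the parsed fields."""
    auth = json.loads(event_json)["tagInventoryEvent"]["tagAuthenticationResponse"]
    include_tid, challenge = parse_message_hex(auth["messageHex"])
    # If we chose the challenge ourselves, the event must echo exactly that one.
    if sent_message_hex and auth["messageHex"].upper() != sent_message_hex.upper():
        raise ValueError("event carries a different challenge than the one sent")
    # TID flag set: the shortened 64-bit TID (16 hex characters) must be present.
    if include_tid and len(auth.get("tidHex", "")) != 16:
        raise ValueError("TID was requested but tidHex is missing or not 64 bits")
    return {"include_tid": include_tid, "challenge": challenge,
            "response_hex": auth["responseHex"], "tid_hex": auth.get("tidHex")}

if __name__ == "__main__":
    print(check_event(SAMPLE_EVENT, sent_message_hex="0535443E2AA7"))
    print(build_message_hex(include_tid=True))
```

For the sample event, the first byte 05 is 00000101b, so the TID flag is set and the remaining 42 bits form the challenge.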

Notices

Copyright 2022, Impinj, Inc. All rights reserved.

Impinj gives no representation or warranty, express or implied, for accuracy or reliability of information in this document. Impinj reserves the right to change its products and services and this information at any time without notice.

EXCEPT AS PROVIDED IN IMPINJ'S TERMS AND CONDITIONS OF SALE (OR AS OTHERWISE AGREED IN A VALID WRITTEN INDIVIDUAL AGREEMENT WITH IMPINJ), IMPINJ ASSUMES NO LIABILITY WHATSOEVER AND IMPINJ DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATED TO SALE AND/OR USE OF IMPINJ PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT.

NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY PATENT, COPYRIGHT, MASK WORK RIGHT, OR OTHER INTELLECTUAL PROPERTY RIGHT IS GRANTED BY THIS DOCUMENT.

Impinj assumes no liability for applications assistance or customer product design. Customers should provide adequate design and operating safeguards to minimize risks.

Impinj products are not designed, warranted or authorized for use in any product or application where a malfunction may reasonably be expected to cause personal injury or death or property or environmental damage ("hazardous uses") or for use in automotive environments. Customers must indemnify Impinj against any damages arising out of the use of Impinj products in any hazardous or automotive uses.

Impinj, GrandPrix™, Indy®, Monza®, Octane™, QT®, Speedway®, STP™, True3D™, xArray®, and xSpan® are trademarks or registered trademarks of Impinj, Inc. All other product or service names are trademarks of their respective companies.

These products may be covered by one or more U.S. patents. See impinj.com/patents for details.

For more information, contact support@impinj.com