Date post: | 11-Jun-2015 |
Category: |
Business |
Upload: | petersam67 |
View: | 399 times |
Download: | 2 times |
RFID Security and Privacy
A Research Survey
Shruti PathakCS 585
Spring ‘09
1/29/09 UAHuntsville 2
What is RFID?
Radio Frequency IDentification: RFID Automated identification of objects and
people It labels objects uniquely and explicitly
1/29/09 UAHuntsville 3
What is an RFID tag?
Small microchip designed for wireless data transmission
Attached to an antenna: resembles a sticker Contactless and unique identification of
products and people Microchip can be as small as a grain of sand
(0.4mm2)
1/29/09 UAHuntsville 4
Types of RFID tags
‘Passive’ tags (inexpensive) which derive their power from interrogating reader
‘Semi-Passive’ tags whose batteries power their circuitry when they are interrogated
‘Active’ tags whose batteries power their transmission
1/29/09 UAHuntsville 5
An EPC RFID tag used by Walmart
© http://en.wikipedia.org/?title=RFID
1/29/09 UAHuntsville 6
How does it work?
1/29/09 UAHuntsville 7
How does it work?
RFID reader sends high frequent energy with optional encoded information to the transponder
The energy gets converted into electrical charge and gets saved
Transponder responses with unique encoded information
Reader receives the information and processes it
1/29/09 UAHuntsville 8
RFID tag (..contd)
Successor to the optical barcode, which can be seen on any product
1/29/09 UAHuntsville 9
Advantages of RFID over barcodes Unique Identification
Barcode identifies type of object while the RFID identifies the object uniquely
Example: When product is purchased at Walmart and is scanned for billing the information that is scanned can be said to be as “Kleenex tissue pack-10 count”
In fact each identical pack will scan the same informationWhereas the RFID tag would scan the same pack
as “Kleenex tissue pack-10 count serial no. ABC1239086” and each pack thus will generate unique information(identification).
1/29/09 UAHuntsville 10
Advantages of RFID over barcodes (..contd) Automation
Optically scanned hence line-of-sight contact with reader required.
Example: Difficulty while self-checking out the items!
RFID tags overcome these shortcomings! They can scan 100 of items per second.
Example: Items in warehouses.
RFID today and tomorrow
1/29/09 UAHuntsville 12
RFID today
Proximity Cards (contactless cards) Automated toll-payment transponders Ignition keys of automobiles (theft-deterrent) Payment tokens (SpeedPassTM, American
Express ExpressPayTM, Mastercard PayPassTM)
Many house pets have RFID tags implanted in their bodies to facilitate their safe-return home
1/29/09 UAHuntsville 13
© http://www.technovelgy.com/ct/Science-Fiction-News.asp?NewsNum=906
1/29/09 UAHuntsville 14
RFID tomorrow
Smart Appliances: Washing Machines and refrigerators,
even shopping list to home delivery service Shopping:
Check-out by rolling just the card under point of sale and automatic credit to your account. Also would facilitate the return of items without receipts
Interactive Objects:Interaction through mobile phones. Scan movie
posters and an item for sale! Medication Compliance:
To verify whether the medications are taken in a timely manner
Formal definition of RFID
Any RFID is a device that is mainly used for identification of an object or a person
1/29/09 UAHuntsville 16
Security Problems
Two main Privacy concerns Clandestine (concealed) Tracking Readers interrogate and tags respond without
the owner’s knowledge Serious threat when the reader can retrieve your
personal information during this process! Inventorying (making itemized list of supplies) Reader can harvest important information from
the tags related to what type of medication a person is carrying thus what illness he/she may have.
Personal preferences with respect to clothing and other accessories.
1/29/09 UAHuntsville 17
Privacy Problems (concerns of everyday life) Toll-payment transponders Small plaques positioned in windshield corners Euro Banknotes Embedding RFID tags in banknotes as an anti-counterfeiting
measure Libraries Facilitate check-out and inventorying of books Passports An international organization known as International Civil Aviation
Organization officially announced the guidelines for RFID enabled passports and other travel documents
Human Implantation VeriChip is a human implantable RFID tag. It can be used for
medical record indexing by scanning a patient’s tag
1/29/09 UAHuntsville 18
Read ‘ranges’ of tags
Nominal read rangeISO 14443 specifies a nominal read range of 10
cm Rogue scanning range
5 times the nominal read range, i.e.,50 cm Tag-to-reader eavesdropping range
Once the tag is powered by a reader then a second reader can read information from the same tag from a much more larger distance than rogue scanning range
Reader-to-tag eavesdropping rangeReaders transmit tag specific information to the
tag in some RFID protocols. They are subject to eavesdropping to kilometers of distances
NOTE: RFID tags can foul systems with excessively long range. In some extreme cases, one person might pay for another person’s groceries!
1/29/09 UAHuntsville 19
Authentication
Issues concerning well behaving readers extracting information from misbehaving tags
Scanning and replication of RFID tags is another problem
1/29/09 UAHuntsville 20
Nomenclature and Organization Basic Tags
Those that cannot execute standard cryptographic operations like encryption and hashing
Symmetric-key tags
Can perform symmetric cryptographic operations hence cost a little more
1/29/09 UAHuntsville 21
Basic RFID tags
Low cost Lack cryptographic operations Couple of thousand gates devoted mainly to
basic operations Another hundreds for security functionality
1/29/09 UAHuntsville 22
Privacy ‘Killing’ and ‘Sleeping’:
When an EPC tag receives a ‘kill’ command from the reader, it becomes inoperative permanently. These commands are PIN protected
Alternatively, tags are put to “sleep” which means they are temporarily made inactive
Renaming ApproachTag identifiers are suppressed to
disable tracking and hence protect privacy
1/29/09 UAHuntsville 23
Privacy (…contd)
The Proxying approach Consumers might carry their own individual
privacy protection devices instead of depending on readers for the same
Distance measurementWith some additional low-cost circuitry we can
roughly measure the distance between the reader and the tag on the basis of which we can judge the authentication
Blocking Incorporation of modifiable bit called as ‘privacy
bit’ into tags 0 bit : unrestricted public scanning 1 bit : ‘privacy zone’
1/29/09 UAHuntsville 24
Authentication
Using ‘kill pins’ to authenticate tags to the reader ‘Yoking’ is a RFID protocol which provides
cryptographic proof that two items were scanned simultaneously within physical proximity. Example: Medication + instruction booklet scanned
manually Physical one-way functions called POWF are tiny
glass beads. On scanning those, unique pattern is revealed. POWF enables: (i) destroying information on physical tampering of RFID devices (ii) manufacturing duplicate POWF is almost impossible
1/29/09 UAHuntsville 25
The problem of PIN distribution Privacy and authentication features both
depend on tag-specific PINs Extremely necessary to secure point of sale
terminals with the pin while we use the ‘kill’ command
1/29/09 UAHuntsville 26
Symmetric-Key Tags
Cloning Prevents the tag cloning by a simple challenge-response
protocol Privacy Secure authentication of a RFID tag relies on the symmetric
key shared between tag and the reader The Literature
The use of key-search mechanism is very costly and efforts are being made to reduce this cost
Implementing symmetric-key primitives Several different solutions for efficiently designing and
implementing these primitives are being proposed
1/29/09 UAHuntsville 27
More on Privacy in Symmetric key Tags If tag identifies itself prior to the interrogation
from the reader, privacy is unachievable If the reader authenticated to the tag first,
then the tag cannot easily identify itself to the reader
Thus, it becomes difficult to find out the key between the reader and the tag
Solution to this problem: Letting the reader identify the tags using a ‘key search’
1/29/09 UAHuntsville 28
Conclusion
RFID tag gives rise to lot of security and privacy issues especially between the tag and the reader that have been discussed
Sensors are small hardware devices similar in flavor to RFID tags
Sensors are more expensive than RFID tags User perception on RFID tags
1/29/09 UAHuntsville 29
References
A. Juels, "RFID security and privacy: a research survey," IEEE Journal on Selected Areas in Communications, vol. 24, pp. 381-394, 2006