Date post: 11-Jun-2015
Upload: petersam67
RFID Security and Privacy A Research Survey Shruti Pathak CS 585 Spring ‘09
Transcript
Page 1: Slides

RFID Security and Privacy

A Research Survey

Shruti Pathak

CS 585

Spring ‘09

Page 2: Slides

1/29/09 UAHuntsville 2

What is RFID?

Radio Frequency IDentification: RFID

Automated identification of objects and people

It labels objects uniquely and explicitly

Page 3: Slides

What is an RFID tag?

Small microchip designed for wireless data transmission

Attached to an antenna: resembles a sticker

Contactless and unique identification of products and people

Microchip can be as small as a grain of sand (0.4 mm²)

Page 4: Slides

Types of RFID tags

‘Passive’ tags (inexpensive) which derive their power from interrogating reader

‘Semi-Passive’ tags whose batteries power their circuitry when they are interrogated

‘Active’ tags whose batteries power their transmission

Page 5: Slides

An EPC RFID tag used by Walmart

© http://en.wikipedia.org/?title=RFID

Page 6: Slides

How does it work?

Page 7: Slides

How does it work?

RFID reader sends high-frequency energy with optional encoded information to the transponder

The energy gets converted into electrical charge and gets saved

Transponder responds with unique encoded information

Reader receives the information and processes it

Page 8: Slides

RFID tag (..contd)

Successor to the optical barcode, which can be seen on any product

Page 9: Slides

Advantages of RFID over barcodes

Unique Identification

A barcode identifies the type of object, while RFID identifies the object uniquely

Example: When a product purchased at Walmart is scanned for billing, the scanned information can be described as “Kleenex tissue pack-10 count”

In fact, each identical pack will scan as the same information

Whereas an RFID tag would scan the same pack as “Kleenex tissue pack-10 count serial no. ABC1239086”, and each pack will thus generate unique information (identification).

Page 10: Slides

Advantages of RFID over barcodes (..contd)

Automation

Barcodes are optically scanned, hence line-of-sight contact with the reader is required.

Example: Difficulty while self-checking out the items!

RFID tags overcome these shortcomings! They can be scanned at 100s of items per second.

Example: Items in warehouses.

Page 11: Slides

RFID today and tomorrow

Page 12: Slides

RFID today

Proximity Cards (contactless cards)

Automated toll-payment transponders

Ignition keys of automobiles (theft-deterrent)

Payment tokens (SpeedPass™, American Express ExpressPay™, Mastercard PayPass™)

Many house pets have RFID tags implanted in their bodies to facilitate their safe-return home

Page 13: Slides

© http://www.technovelgy.com/ct/Science-Fiction-News.asp?NewsNum=906

Page 14: Slides

RFID tomorrow

Smart Appliances:
  Washing machines and refrigerators, even shopping list to home delivery service

Shopping:
  Check-out by rolling just the card under point of sale and automatic credit to your account. Also would facilitate the return of items without receipts

Interactive Objects:
  Interaction through mobile phones. Scan movie posters and an item for sale!

Medication Compliance:
  To verify whether the medications are taken in a timely manner

Page 15: Slides

Formal definition of RFID

Any RFID is a device that is mainly used for identification of an object or a person

Page 16: Slides

Security Problems

Two main privacy concerns

Clandestine (concealed) Tracking
  Readers interrogate and tags respond without the owner’s knowledge
  Serious threat when the reader can retrieve your personal information during this process!

Inventorying (making itemized list of supplies)
  Reader can harvest important information from the tags related to what type of medication a person is carrying thus what illness he/she may have.
  Personal preferences with respect to clothing and other accessories.

Page 17: Slides

Privacy Problems (concerns of everyday life)

Toll-payment transponders
  Small plaques positioned in windshield corners

Euro Banknotes
  Embedding RFID tags in banknotes as an anti-counterfeiting measure

Libraries
  Facilitate check-out and inventorying of books

Passports
  An international organization known as International Civil Aviation Organization officially announced the guidelines for RFID enabled passports and other travel documents

Human Implantation
  VeriChip is a human implantable RFID tag. It can be used for medical record indexing by scanning a patient’s tag

Page 18: Slides

Read ‘ranges’ of tags

Nominal read range
  ISO 14443 specifies a nominal read range of 10 cm

Rogue scanning range
  5 times the nominal read range, i.e., 50 cm

Tag-to-reader eavesdropping range
  Once the tag is powered by a reader, a second reader can read information from the same tag from a much larger distance than the rogue scanning range

Reader-to-tag eavesdropping range
  Readers transmit tag-specific information to the tag in some RFID protocols. These transmissions are subject to eavesdropping at distances of kilometers

NOTE: RFID tags can foul systems with excessively long range. In some extreme cases, one person might pay for another person’s groceries!

Page 19: Slides

Authentication

Issues concerning well behaving readers extracting information from misbehaving tags

Scanning and replication of RFID tags is another problem

Page 20: Slides

Nomenclature and Organization

Basic Tags

Those that cannot execute standard cryptographic operations like encryption and hashing

Symmetric-key tags

Can perform symmetric cryptographic operations hence cost a little more

Page 21: Slides

Basic RFID tags

Low cost

Lack cryptographic operations

Couple of thousand gates devoted mainly to basic operations

Hundreds more for security functionality

Page 22: Slides

Privacy

‘Killing’ and ‘Sleeping’:
  When an EPC tag receives a ‘kill’ command from the reader, it becomes inoperative permanently. These commands are PIN protected
  Alternatively, tags are put to “sleep” which means they are temporarily made inactive

Renaming Approach
  Tag identifiers are suppressed to disable tracking and hence protect privacy

Page 23: Slides

Privacy (…contd)

The Proxying approach
  Consumers might carry their own individual privacy protection devices instead of depending on readers for the same

Distance measurement
  With some additional low-cost circuitry we can roughly measure the distance between the reader and the tag, on the basis of which we can judge the authentication

Blocking
  Incorporation of a modifiable bit called the ‘privacy bit’ into tags
  0 bit: unrestricted public scanning
  1 bit: ‘privacy zone’

Page 24: Slides

Authentication

Using ‘kill pins’ to authenticate tags to the reader

‘Yoking’ is an RFID protocol which provides cryptographic proof that two items were scanned simultaneously within physical proximity.
  Example: Medication + instruction booklet scanned manually

Physical one-way functions called POWF are tiny glass beads. On scanning those, a unique pattern is revealed. POWF enables:
  (i) destroying information on physical tampering of RFID devices
  (ii) manufacturing duplicate POWF is almost impossible

Page 25: Slides

The problem of PIN distribution

Privacy and authentication features both depend on tag-specific PINs

Extremely necessary to secure point of sale terminals with the pin while we use the ‘kill’ command

Page 26: Slides

Symmetric-Key Tags

Cloning
  Prevents tag cloning by a simple challenge-response protocol

Privacy
  Secure authentication of an RFID tag relies on the symmetric key shared between tag and the reader

The Literature
  The use of key-search mechanism is very costly and efforts are being made to reduce this cost

Implementing symmetric-key primitives
  Several different solutions for efficiently designing and implementing these primitives are being proposed

Page 27: Slides

More on Privacy in Symmetric key Tags

If tag identifies itself prior to the interrogation from the reader, privacy is unachievable

If the reader authenticated to the tag first, then the tag cannot easily identify itself to the reader

Thus, it becomes difficult to find out the key between the reader and the tag

Solution to this problem: Letting the reader identify the tags using a ‘key search’
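
An added example (not from the original slides or the cited survey) of the challenge-response and ‘key search’ ideas on the Symmetric-Key Tags slides: the tag answers a reader challenge without sending an identifier, and the reader tries each known key until one verifies. HMAC-SHA256, the nonce sizes, the tag names and the key database are assumptions chosen for illustration; the linear search is the cost the slides call expensive.

```python
import hashlib
import hmac
import secrets

# Constructed sample database: tag ID -> 128-bit key shared between tag and reader.
TAG_KEYS = {f"tag-{i:04d}": hashlib.sha256(f"demo-key-{i}".encode()).digest()[:16]
            for i in range(1000)}

def tag_respond(tag_key, reader_nonce):
    """Tag side: answer a challenge without transmitting any identifier."""
    tag_nonce = secrets.token_bytes(8)  # fresh per reply, so replies cannot be linked
    mac = hmac.new(tag_key, reader_nonce + tag_nonce, hashlib.sha256).digest()
    return tag_nonce, mac

def reader_identify(reader_nonce, tag_nonce, mac, key_db=TAG_KEYS):
    """Reader side ('key search'): try every known key until one verifies the reply.
    Returns (tag_id or None, number of keys tried)."""
    tried = 0
    for tag_id, key in key_db.items():
        tried += 1
        expected = hmac.new(key, reader_nonce + tag_nonce, hashlib.sha256).digest()
        if hmac.compare_digest(expected, mac):
            return tag_id, tried
    return None, tried

def demo():
    key = TAG_KEYS["tag-0742"]
    # Genuine tag: the reader recovers its identity only by searching the key list.
    c1 = secrets.token_bytes(8)
    n1, m1 = tag_respond(key, c1)
    genuine = reader_identify(c1, n1, m1)
    # Clone without the key: a recorded reply fails against a fresh challenge.
    c2 = secrets.token_bytes(8)
    clone = reader_identify(c2, n1, m1)
    # A second genuine reply differs from the first, so an observer cannot track the tag.
    n2, m2 = tag_respond(key, c2)
    return genuine, clone, (n1, m1) != (n2, m2)

if __name__ == "__main__":
    print(demo())
```

The reader's work grows linearly with the number of tags it manages, which is why the slides note ongoing efforts to reduce the key-search cost.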

Page 28: Slides

Conclusion

RFID tags give rise to a lot of security and privacy issues, especially between the tag and the reader, that have been discussed

Sensors are small hardware devices similar in flavor to RFID tags

Sensors are more expensive than RFID tags

User perception on RFID tags

Page 29: Slides

References

A. Juels, "RFID security and privacy: a research survey," IEEE Journal on Selected Areas in Communications, vol. 24, pp. 381-394, 2006
