62 PERVASIVEcomputing Published by the IEEE CS and IEEE ComSoc ■ 1536-1268/06/$20.00 © 2006 IEEE

RFID TECHNOLOGY

The Evolution of RFID Security

As RFID technology progresses, security and privacy threats also evolve. By examining RFID’s history, we can learn from past mistakes, rediscover successful solutions, and inspire future research.

Melanie R. Rieback, Bruno Crispo, and Andrew S. Tanenbaum
Vrije Universiteit Amsterdam

Since its invention in the 1940s, RFID has been an obvious target for abuse. Wireless identification is a powerful capability, and RFID reveals both a physical object’s nature and location. Anyone can easily gain unauthorized access to RFID data because they don’t need a line of sight to gather it. For example, in the original RFID-based application—Identification Friend or Foe (IFF) systems—security breaches resulted in Allied planes being shot down.

A casual observer might think that the situation hasn’t improved because despite concerns that RFID systems are open to abuse, it is now achieving wide deployment. RFID functions as a medium for numerous tasks including managing supply chains, tracking livestock, preventing counterfeiting, controlling building access, supporting automated checkout, developing smart home appliances, locating children, and even foiling grave robbers (www.rfidbuzz.com/news/2005/rest_in_peace.html). Pundits and activists warn that modern RFID systems could be used for a wide range of activities, from corporate security breaches to behavioral profiling to universal surveillance. Although this is true, it’s important to remember that problems tend to inspire daring solutions. RFID and information security have been historically intertwined in a serendipitous marriage of technological progress. Attacks against original IFF systems provided the backdrop for the development of both classical and modern security techniques, ranging from signal jamming to challenge-response identification. It’s also likely that RFID will continue to inspire progress in security and privacy research, as it has done for decades.

RFID

To understand RFID technology’s implications, you need a sense of where it came from and where it’s going.

Historical perspective

RFID’s primary prerequisite was the advent of radio technology. Since Guglielmo Marconi first transmitted radio signals across the Atlantic in 1901, radio waves have been an important way to send messages—from Morse code to the first voice broadcast in 1906. Scientists also discovered that they could use radio waves for more than just message transmission [1]. In 1935, Alexander Watson-Watt showed how his new invention, radar, could use radio waves to locate physical objects [2]. Radar found its first big application during World War II, where it detected incoming aircraft by sending out pulses of radio energy and detecting the echoes that came back [3]. Radar energy’s reradiation was a form of on-off modulation that indicated an aircraft’s presence or absence.

However, radar operators still had no way to identify their own forces, presenting a major military weakness. (Some people hypothesize that the US could have prevented the attack on Pearl Harbor if its radar had been able to identify as well as detect. A Diamond Head, Hawaii, radar station allegedly spotted the incoming airplanes but dismissed them as American aircraft arriving from the mainland [3].)

The Germans attempted to solve the identification problem by simultaneously rolling their aircraft in response to a signal from the ground radar station. This would change the radar reflection’s polarization, creating a distinctive blip on the radars. This crude system was the first demonstration of active RFID using electromagnetic backscatter [3]. The British responded by creating IFF, where long-range transponders actively modulated the reradiated ground radar signal so the aircraft itself didn’t have to [2]. Parallel to these developments, Harry Stockman of the US Air Force Materiel Command published “Communications by Means of Reflected Power,” the first public description of RFID technology [4].

Modern perspective

A half-century later, RFID systems hardly seem recognizable. Modern RFID tags, like other pervasive technologies (such as sensor motes), represent a culmination of the evolution toward wireless infrastructure and low-cost embedded computers. RFID tags are now the size of a grain of rice and have built-in logic (microchip or state machine), a coupling element (analog front-end with antenna), and memory (pre-masked or electrically erasable-programmable read-only memory) (see figure 1). Passive and semiactive tags use RFID readers’ power to communicate, while active tags use battery power for greater range. You can typically read low-frequency tags (125–135 kHz) up to 30 cm away, high-frequency tags (13.56 MHz) up to 1 m away, ultra high-frequency tags (2.45 GHz) up to 7 m away, and active tags 100 m away or more.

Despite these modern features, RFID hasn’t changed as suddenly as we think. Many of today’s familiar RFID applications have roots deep in the past.

Supply chain management. Stores and libraries have used electronic article surveillance, a 1-bit form of RFID for theft control, since the 1960s. EAS tags indicate whether an item has been bought or properly checked out; a clerk will usually deactivate the tag at checkout. By extension, RFID tags are basically EAS tags augmented with additional data storage and processing. Low-cost RFID tags promise to expedite supply-chain processes, from moving goods through loading docks to managing the terabytes of data collected from these goods. The US Department of Defense and various retailers are already conducting RFID trials at the pallet, case, and item levels. Wal-Mart even issued a mandate requiring its top 600 suppliers to adopt pallet-level RFID tagging by January 2007 (www.rfidjournal.com/article/articleview/1930/1/9).

Automatic payment. Automatic payment is another popular RFID application. Various industry sectors have conducted trials of RFID-enhanced cashless payment technology, from RFID-augmented credit cards and public transportation tickets to RFID-like Near Field Communication in consumer devices. Electronic toll collection using E-ZPass is widespread. The active E-ZPass transponder attaches to a car’s windshield or front license plate; as the car drives over a toll road, the transponder sends account information to equipment in the toll collection lanes. The toll then automatically deducts from a prepaid account. Although customers consider the E-ZPass hip and modern, the technology was patented in 1977 (see figure 2) and has been deployed since the 1980s.

JANUARY–MARCH 2006 PERVASIVEcomputing 63

Figure 1. A Philips I.Code RFID tag. (figure courtesy of Philips Semiconductors)

Figure 2. Car tracking with RFID-tagged license plates. (courtesy Fred Sterzer, US Patent 4001822)

Access control. Contactless access control with RFID is popular for securing physical locations, such as office buildings and university campuses. Charles Walton first invented an RFID-based access control system in 1973. It involved an electronic lock that opened with an RFID key card. The passively powered key card, which Schlage sold for US$1.25, was a 36-square-inch circuit board loaded with chips and analog components. Today, RFID-based access cards are the size of a credit card and assist with policing border access. The US Department of Homeland Security and the International Civil Aviation Organization also plan to use passive RFID to police airport access. By 2015, the ICAO wants to replace all passports—approximately 1 billion—with digital passports that store encrypted biometric data on an RFID chip. The DHS also wants to use passive RFID to record who is entering or leaving the US across land routes.

Animal tracking. RFID-tagged animals are already common. Applications vary from identifying runaway pets to tracking cattle from pastures to the grocer’s freezer. Cows and chips first met in the 1970s in American microwave-based systems and European inductively powered systems (see figure 3). Since then, various parties have used RFID-based animal tracking to monitor cows, pigs, cats, dogs, and even fish to control outbreaks of animal diseases such as avian influenza (“bird flu”) or bovine spongiform encephalopathy (“mad cow disease”).

RFID has also been used to track people. Manufacturers have created wearable RFID wristbands, backpacks, and clothing to track prisoners, schoolchildren, and even the elderly. Applied Digital created an injectable RFID tag called the Verichip. This subdermal RFID chip stores personal data that can be read at venues as varied as nightclubs and hospitals.

Other applications. RFID tagging lets physical objects be represented in cyberspace and entered into databases. Candidates include clothes (to be queried by smart washing machines), packaged foods (to be queried by smart refrigerators), medicine bottles (to be queried by smart medicine cabinets), rental cars, airline baggage, library books, banknotes, driver’s licenses, employee badges, and even surgical patients (to avoid mix-ups). Both the opportunities and the threats are enormous.

The evolution

Despite modern RFID’s gradual evolution, comparing older RFID systems with modern RFID systems reveals several trends.

RFID tag characteristics. RFID tags are both shrinking and multiplying. They’re smaller, and there are more of them, especially in the supply chain. The proportion between active and passive tags is also changing; IFF and early RFID systems used mostly active tags, while most modern applications use passive RFID tags.

Application characteristics. Today, RFID is used for much more than just identification. RFID tags have been reinvented as data-bearing devices. Accordingly, modern applications require network connectivity to permit the exchange of data with back-end management systems (which then necessitates the development of industry-wide standards for air interfaces and on-tag data formats). Another modern twist is that the desired RFID application functionality might change within a tag’s lifetime. When an RFID tag changes hands, the new owner might consider the old function undesirable or even an attack—for example, tracking supply-chain RFID tags after a customer buys the tagged item.

System perimeters. Modern RFID systems have no clear system perimeters. The users aren’t well-defined, and RFID tag ownership has become less clear. With IFF, the military was always the owner. However, with modern RFID, an individual could own an RFID tag but a separate third party could own the tag’s data (for example, the issuing government could retain sovereignty over the data on a digital passport).

Security and privacy threats

Despite—or perhaps on account of—their myriad uses, RFID chips scare many people. Tags that optimize supply chains can also violate a person’s privacy by tracking the tagged item’s owner. Muggers with RFID readers could scan crowds for high-value banknotes. Terrorists could scan digital passports to target specific nationalities. And police could abuse a convenient new method of cradle-to-grave surveillance. As futuristic as these threats sound, they have precedent.

Historical perspective

IFF has always been an attractive military target. Attacks against IFF systems can be classified into several categories.

Sniffing and tracking. Analysts can examine IFF devices’ operating characteristics using tools such as search receivers, pulse analyzers, and panoramic adapters [5]. This analysis allows the localization and tracking of airplanes using signals sent by their IFF transponders. In one incident during World War II, British Royal Air Force bomber crews mistakenly believed that their IFF systems had a jamming effect against the German Wurzburg-Riese radar system. Some bomber crews deliberately left their IFF turned on. The German air force then deployed the Freya Flamme system, which covertly interrogated the IFF transponders, to get range bearing and identification information for several RAF bombers at once.

64 PERVASIVEcomputing www.computer.org/pervasive

Figure 3. Injecting a cow with an RFID tag, circa 1978. (photo courtesy of Matt Lezin)

Spoofing. American and British military forces simulated enemy aircraft by dispersing large quantities of reflecting material into the sky. The most efficient material for this purpose was aluminum foil cut into strips of one-half the enemy radar frequency’s wavelength. The British called these strips window, and the Americans called them chaff. Allied aircraft dispensed thousands of these foil dipoles on every flight over enemy territory. Additionally, the Allies sometimes sent up balloons towing strips of chaff (see figure 4) [5]. (The German countryside became littered with chaff, which people used to decorate their Christmas trees.)

Replay attacks. Friendly aircraft have been simulated by the use of decoy IFF transponders. Enemies would either steal authentic IFF transponders or program enemy transponders to imitate the characteristics of legitimate IFF identification signals. The Germans conducted a specialized spoofing attack where they recorded legitimate Allied IFF responses and played them back whenever the Allies challenged them [6].

Denial of service. IFF was affectionately nicknamed “reply or die” because radar operators considered an airplane an enemy if it couldn’t send back correct IFF responses. To exploit that design decision, developers created counter-IFF jamming radars (such as the Jadwiga-4) that performed denial of service (DoS) attacks on IFF systems. These attacks were effective because they degraded pilots’ ability to discriminate friendly from enemy aircraft, possibly causing friendly fire or hesitation to shoot down enemy aircraft.

Modern perspective

In contrast to the high-budget military campaigns against early RFID systems, modern ones face less expensive attacks. As RFID is adopted for more applications, vandalism and other attacks against RFID will likely occur, stemming from temptation, dishonesty, civil disobedience, and a perverse sense of humor. But despite these differences, modern RFID security and privacy threats can still be grouped into familiar categories.

Sniffing. RFID tags are indiscriminate—they’re designed to be readable by any compliant reader. Unfortunately, this lets unauthorized readers scan tagged items unbeknownst to the bearer, often from great distances. People can also collect RFID data by eavesdropping on the wireless RFID channel. Unrestricted access to tag data can have serious implications; collected tag data might reveal information such as medical predispositions or unusual personal inclinations, which could cause denial of insurance coverage or employment for an individual.

Tracking. RFID technology facilitates clandestine monitoring of individuals’ whereabouts and actions. RFID readers placed in strategic locations (such as doorways) can record RFID tags’ unique responses, which can then be persistently associated with a person’s identity. RFID tags without unique identifiers can also facilitate tracking by forming constellations, recurring groups of tags that are associated with an individual. RFID technology also enables monitoring entire groups of people. UK workers’ union GMB recently called on the European Commission to ban the RFID tagging of employees in the workplace. GMB accused employers of “dehumanizing” warehouse staff by forcing them to wear computers that track how long it takes to complete tasks with RFID tagged objects [7]. Civil liberties groups also warn that governments could monitor individuals’ movements, eliminating anonymity in public places.

Spoofing. Attackers can mimic authentic RFID tags by writing appropriately formatted data on blank RFID tags. For example, thieves could retag items in a supermarket identifying them as similar, but cheaper, products. Tag cloning is another kind of spoofing attack, which produces unauthorized copies of legitimate RFID tags. Researchers from Johns Hopkins University recently cloned a cryptographically-protected Texas Instruments digital signature transponder, which they used to buy gasoline and unlock a DST-based car immobilization system [8].

Figure 4. Dispersing chaff from an airplane in WWII.

Replay attacks. At least three researchers (Ziv Kfir, Jonathan Westhues, and Gerhard Hancke) have independently described or implemented RFID relay devices. Relay devices can intercept and retransmit RFID queries, which offenders can use to abuse various RFID applications. England’s new RFID-enabled license plates, e-Plates, are one example of a modern RFID system that’s susceptible to attack by a relay device. The active e-Plate tags contain an encrypted ID code that is stored in the UK Ministry of Transport’s vehicle database. An attacker can record the encrypted identifier when another car’s license plate is scanned and replay it later (perhaps to avoid paying the Congestion Charge when driving into central London).

Denial of service. RFID systems only work when RFID tags and back-end databases are available. Thieves can exploit this to steal RFID-tagged items by removing tags from the items completely or by putting them in a foil-lined booster bag (that is, a Faraday cage) that blocks RFID readers’ query signals and temporarily deactivates the items. (In 2001, the Colorado State Legislature made it a misdemeanor to make or wear aluminum underwear or to conceal its use to fool stores’ theft-protection devices.) Another attack takes the opposite approach—flood an RFID system with more data than it can handle. Anti-RFID activists could remove RFID tags and plant them on other items, causing RFID systems to record useless data, discrediting and devaluing RFID technology.

The evolution

Despite the similar threats facing IFF and RFID systems, modern RFID has acquired some unique qualities that influence security and privacy requirements.

Attacker model. In the original military RFID systems, there was a clear delineation between attackers and defenders. Both were highly motivated and highly skilled, had abundant resources, and acted rationally to achieve a well-defined goal. With modern RFID systems, the delineation between attackers and defenders is fuzzy, and attackers are often opportunistic, unskilled, poorly financed, and even irrational. It’s also difficult to answer the question, “Who is the enemy?” The definition of an attack against modern RFID systems isn’t constant, given that the desired RFID tag functionality changes over time. Of course, classification difficulties in modern RFID systems also parallel the difficulties facing much of computer security today.

Physical security. In the old days, airplanes (and their IFF devices) were largely physically secure. Planes fell into enemy hands only in the most extreme cases. In contrast, modern RFID tags are often “in enemy hands.” (We can take this phrase literally when discussing subdermal RFID chips. Amal Graafstra, author of RFID Toys, implanted an RFID chip in his hand that automatically unlocks his front door.) Consequently, most modern RFID applications can’t achieve physical security because the chip owners are also the potential attackers—for example, the owner of a contactless smart card could try to increase the amount of money on the card.

Security versus privacy. The military cares about security matters, such as the confidentiality of its intelligence, weapons, and logistics information. However, privacy is a nonissue; worse yet, surveillance and privacy loss are inherent to participation in the armed forces. In contrast, modern RFID tags suffer primarily from privacy threats. Security concerns haven’t gone away—companies deploying RFID still must defend against security breaches. However, privacy violations have more far-reaching implications for consumers.

Back-end infrastructure. The original IFF systems were stand-alone, so attacks usually affected only one airplane. In contrast, modern RFID transponders import all of RFID’s weaknesses into a back-end digital infrastructure (such as databases and distributed middleware). This infrastructure necessitates using a cost-benefit analysis. As opposed to the militaristic view of “security at all costs,” modern security analysts must now weigh the value of RFID return on investment against the cost (both monetary and reputation) of security and privacy violations.

Social considerations. The controversy surrounding modern RFID introduces a social dimension that defines threats based on stakeholder perspectives. In World War II, soldiers died conducting or preventing DoS attacks on radar and IFF systems. With modern RFID, DoS isn’t always considered an attack—sometimes it’s a social defense. This perspective causes anti-RFID activists to place random RFID tags on objects throughout the city.

Security and privacy solutions

World War II’s electronic front was called the Wizard War for good reason. IFF-related security problems forced uniformed heroes to devise groundbreaking technological countermeasures. Modern RFID security solutions have partially evolved from this work. However, modern RFID poses special problems and constraints that will require academic and industry researchers to show the same ingenuity as their predecessors.

Historical perspective

We can classify IFF-related countermeasures into the following categories:

Cryptography. The US Air Force drafted skilled cryptographers into the war effort, including Horst Feistel (best known for his work on the Lucifer and DES block ciphers). Feistel developed secure IFF devices during the 1940s and 1950s, including a system that mitigated German replay attacks. The system works as follows:

• IFF interrogators send a radio signal containing a random challenge to unidentified aircraft.

• Friendly planes encrypt the challenge and send the result back to the interrogator.

• The interrogator decrypts and validates the response.

Enemy planes can’t replay recorded responses because subsequent encounters use a different challenge [9].

Since the 1950s, Feistel’s two-pass challenge-response scheme has withstood the test of time and has found numerous practical uses. The scheme also still distinguishes friendly from hostile aircraft in MK XII IFF systems today [6].
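
The replay problem and its challenge-response fix, as an added example (not code from the article or from any IFF or e-Plate system): a tag that always sends the same encrypted identifier, as in the modern "Replay attacks" passage, is compared with the three-step exchange listed above. The 4-round Feistel cipher built from HMAC-SHA256, the key, the identifier and all class and function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

BLOCK = 8    # 64-bit challenge / identifier
ROUNDS = 4   # toy parameter chosen for this example only


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Round function: keyed hash of one half-block, truncated to its length."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:len(half)]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, block: bytes) -> bytes:
    """Toy Feistel network: each round maps (L, R) to (R, L xor F(R))."""
    if len(block) != BLOCK:
        raise ValueError("block must be 8 bytes")
    left, right = block[:4], block[4:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse network: the same round function, rounds applied in reverse."""
    if len(block) != BLOCK:
        raise ValueError("block must be 8 bytes")
    left, right = block[:4], block[4:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


class StaticTag:
    """Sends the same encrypted identifier every time, whatever it is asked."""
    def __init__(self, key: bytes, ident: bytes):
        self._reply = encrypt(key, ident)

    def respond(self, challenge: bytes) -> bytes:
        return self._reply


class ChallengeResponseTag:
    """Encrypts whatever challenge the interrogator sent (step 2 in the list)."""
    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return encrypt(self._key, challenge)


class Interrogator:
    def __init__(self, key: bytes, known_ids=()):
        self._key = key
        self._known = set(known_ids)
        self._issued = set()     # challenges already used, never reissued
        self._pending = None

    def challenge(self) -> bytes:
        while True:
            value = secrets.token_bytes(BLOCK)
            if value not in self._issued:
                break
        self._issued.add(value)
        self._pending = value
        return value

    def accept_static(self, reply: bytes) -> bool:
        return len(reply) == BLOCK and decrypt(self._key, reply) in self._known

    def accept_response(self, reply: bytes) -> bool:
        pending, self._pending = self._pending, None   # one answer per challenge
        if pending is None or len(reply) != BLOCK:
            return False
        return hmac.compare_digest(decrypt(self._key, reply), pending)


def run_exchange() -> dict:
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
    ident = b"PLATE001"                                      # constructed identifier
    reader = Interrogator(key, known_ids=[ident])
    results = {}

    # Fixed encrypted identifier: a recording is as good as the real tag.
    overheard = StaticTag(key, ident).respond(reader.challenge())
    results["static_genuine"] = reader.accept_static(overheard)
    results["static_replay"] = reader.accept_static(overheard)

    # Challenge-response: the recording answers an old challenge only.
    tag = ChallengeResponseTag(key)
    recorded = tag.respond(reader.challenge())
    results["cr_genuine"] = reader.accept_response(recorded)
    reader.challenge()                                   # a later encounter
    results["cr_replay"] = reader.accept_response(recorded)
    impostor = ChallengeResponseTag(b"x" * 16)           # does not hold the key
    results["cr_wrong_key"] = reader.accept_response(impostor.respond(reader.challenge()))
    return results


if __name__ == "__main__":
    for name, accepted in run_exchange().items():
        print(f"{name:15} accepted={accepted}")
```
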

Detection and evasion. During World War II, both sides tried to locate enemy radars and jamming devices to take evasive or retaliatory action. Allied aircraft used radar prediction devices, relief maps of enemy territory that showed suspected radar locations. The RPD indicated weak detection or blind spots in the enemy radar beam, helping Allied aircraft escape detection [5].

Temporary deactivation. RAF bomber pilots in World War II learned the hard way that German attackers could track aircraft by their IFF transponders. But the solution was simple, according to US Colonel Walker “Bud” Mahurin. During the Korean War, he carried out attacks in Chinese airspace. One day, Mahurin was summoned to the Fifth Air Force Headquarters, where the commanding general reprimanded him for violating the China-Korea demarcation line. The general threatened him with a court martial—then quietly warned, “If you’re gonna cross the Yalu, for god’s sake, turn off your identification friend or foe system, because we can track you on radar.” [10]

Other techniques. The Allies used numerous other techniques to protect IFF devices against attacks. Frequency-hopping spread spectrum was a method to combat eavesdropping and signal jamming. Invented in 1942 by actress Hedy Lamarr and composer George Antheil, FHSS is a method of transmitting signals by rapidly switching a carrier among several frequency channels using a pseudo-random sequence both the transmitter and receiver know. Additionally, IFF equipment designers combated IFF transponder spoofing by giving IFF transponders a secret code; enemy forces couldn’t use stolen IFF interrogation equipment without periodically entering this code.

Modern perspective

In contrast to IFF systems, modern RFID imposes physical limitations for on-tag security mechanisms. Fifteen microAmps of power and 5,000 gates are typical for a 0.35-micrometer complementary metal-oxide semiconductor process [11]. To cope with these limitations, researchers have devised ultra lightweight cryptographic and procedural solutions, which we have categorized similar to the IFF-based solutions.

Cryptography. Researchers have developed lightweight versions of symmetric key [11] and public key cryptography. RFID-specific authentication schemes have also sprouted up, some of which are lightweight, using techniques such as minimalist cryptography [12] and human-computer authentication [13]. Other schemes offload complexity to a back-end database, such as hash locks [14] and EPCglobal’s proposed authentication servers (www.epcglobalinc.org/standards_technology/Final-epcglobal-arch20050701.pdf). One of the first RFID-specific authentication schemes to be widely deployed is the public-key-based Basic Access Control for digital passports.

Detection and evasion. Consumers able to detect unauthorized RFID activity can also take their own evasive maneuvers. C’t magazine’s RFID Detektor (http://tinyurl.com/blfx4) and FoeBuD’s Data Privatizer (https://shop.foebud.org/product_info.php/products_id/88) help users detect nearby RFID activity. Other devices, such as the RFID Guardian (www.rfidguardian.org), will interpret RFID scans and log their meaning. Customers can also perform more active RFID evasion by RFID blocking in either a distributed [15] or centralized [16] fashion.

Temporary deactivation. Just as fighter pilots deactivated their IFF devices to escape detection, consumers can sometimes deactivate their RFID tags to avoid most modern-day threats. One temporary tag-deactivation method is using a Faraday cage, such as the RF-deflecting metallic sleeves that will be issued with digital passports. Researchers have also created on-tag mechanisms for tag deactivation. EPCglobal tags come with a password-protected kill function that permanently deactivates tags, and some more expensive tags might offer a password-protected sleep/wake function, which temporarily deactivates and then reactivates RFID tags.

Other techniques. Numerous other tech-niques protect RFID devices from attacks.Similar to FHSS, periodically modifyingRFID tag identifiers’ appearance and datacan prevent unauthorized tag access.RFID tags’ pseudonyms consist of namesthat are periodically refreshed, either bytrusted RFID readers12 or an on-tagpseudorandom number generator. Amixnet of RFID readers can also period-ically reencrypt tag data.17

The evolutionDespite the similarities between IFF

and RFID security solutions, some mod-ern RFID characteristics can influencethese solutions’ feasibility.

Application considerations. Cost andimplementation size were never issuesfor IFF devices, but these factors now pre-vent our standard cryptographic toolsfrom working. The difficulty definingenemies and attacks also complicatesRFID security protocols’ design, whichalways starts by establishing principles,assumptions, and goals. Also, modernRFID devices rarely have physical tam-per resistance and tamper evidence; suchqualities are expensive, and it’s easier forattackers to use the wireless channel.

On-tag cryptography. During World WarII, the Allies used every technology possi-ble against their enemy, including cryp-tography on IFF transponders. With mod-ern-day RFID, cryptography’s desirabilityis situation dependent. On-tag cryptog-raphy is generally desirable when replay,man-in-the-middle, and tracking attacksare a problem. For the rest, off-tag cryp-tography is usually sufficient for mostdata-privacy needs. Furthermore, on-tagcryptography is prohibitive when cryp-tography violates application require-ments, such as power or cost constraints.

Key revocation. In the early days, if some-one stole an airplane, the army revoked

the IFF key. Fortunately, this wasn’t nor-mal, so compromised keys were bothinfrequent and obvious. With modernRFID, it’s difficult to know when RFIDtag information has been compromised.Additionally, offline RFID use makes itdifficult to communicate that informa-tion back to a centralized location, whichcan then pass the revocation informa-tion to other RFID deployments.

Legislation. Legislation or self-regulatory guidelines wouldn’t have helped prevent attacks against IFF systems during World War II. This stems from the fact that laws aren’t respected much during wartime (not even the Geneva Convention). Modern RFID, however, requires a modest amount of legislation or industry guidelines to succeed. Without a regulatory mechanism, both lawmakers and the general public are likely to resist and reject RFID technology.

Standardization. What ultimately prevented the Germans from deploying IFF systems was astoundingly low-tech—lack of standardization. Nazi technology policies were inconsistent and disorganized, resulting in inadequate unified standards. German engineers worked on IFF throughout the war but were unable to pool their efforts. They never developed an IFF transponder capable of being carried on an aircraft (www.vectorsite.net/ttwiz8.html#m2). With modern RFID standardization, ISO and EPCglobal have taken a leadership role. Other radio-specific issues also need to be coordinated nowadays, including radio spectrum allocation and preventing RFID-induced airwave congestion (the FCC/ETSI regulates the airwaves).

Revolutionary as it might seem, RFID technology is relatively old. Examining RFID and its threats historically lets us learn from past experiences and reuse old solutions. More important, looking back inspires us to devise new solutions to lead information security research into the future.

ACKNOWLEDGMENTS

The Nederlandse Organisatie voor Wetenschappelijk Onderzoek (NWO) supported this work as project #600.065.120.03N17.

REFERENCES

1. J. Landt, “Shrouds of Time: The History of RFID,” 1 Oct. 2001; www.aimglobal.org/technologies/rfid/resources/shrouds_of_time.pdf.

2. “The History of RFID Technology,” RFID J., 20 Dec. 2005; www.rfidjournal.com/article/articleview/1338/1/129.

3. “Identification Friend or Foe IFF Systems: IFF Questions & Answers,” Dean Boys, 20 Dec. 2005; www.dean-boys.com/extras/iff/iffqa.html.

4. H. Stockman, “Communication by Means of Reflected Power,” Proc. IRE, Oct. 1948, pp. 1196–1204.

5. Dept. of Ordnance and Gunnery, US Naval Academy, “Chapter 16: Radar and Optics,” Naval Ordnance and Gunnery, Vol. 2, Fire Control, 1958; www.eugeneleeslover.com/USNAVY/CHAPTER-16-A.html.

6. W. Diffie, “The First Ten Years of Public-Key Cryptography,” Proc. IEEE, vol. 76, no. 5, 1988, pp. 560–577.

7. A. McCue, “Union Calls for European Ban on Staff-Tracking RFID,” silicon.com, 19 Jul. 2005; http://hardware.silicon.com/servers/0,39024647,39150564,00.htm.

8. S. Bono et al., “Security Analysis of a Cryptographically-Enabled RFID Device,” Proc. 14th USENIX Security Symp., USENIX, 2005, pp. 1–15; http://spar.isi.jhu.edu/~mgreen/DSTbreak.pdf.

9. S. Levy, Crypto: How the Code Rebels Beat the Government—Saving Privacy in the Digital Age, Viking, 2001.


10. W. Mahurin, “Interview with Col. Walker ‘Bud’ Mahurin,” 1997; www.acepilots.com/korea_mahurin.html.

11. M. Feldhofer, S. Dominikus, and J. Wolkerstorfer, “Strong Authentication for RFID Systems Using the AES Algorithm,” Cryptographic Hardware and Embedded Systems—CHES 2004—6th Int’l Workshop, LNCS 3156, Springer, 2004, pp. 357–370.

12. A. Juels, “Minimalist Cryptography for Low-Cost RFID Tags,” Security in Communication Networks—Proc. 4th Int’l Conf., LNCS 3352, Springer, 2004, pp. 149–164.

13. A. Juels and S. Weis, “Authenticating Pervasive Devices with Human Protocols,” Advances in Cryptology—CRYPTO 2005—25th Ann. Int’l Cryptology Conf., LNCS 3621, Springer, 2005, pp. 293–308.

14. S. Sarma, S. Weis, and D. Engels, “RFID Systems and Security and Privacy Implications,” Cryptographic Hardware and Embedded Systems—CHES 2002—4th Int’l Workshop, LNCS 2523, Springer, 2002, pp. 454–469.

15. A. Juels, R.L. Rivest, and M. Szydlo, “The Blocker Tag: Selective Blocking of RFID Tags for Consumer Privacy,” Proc. 10th ACM Conf. Computer and Comm. Security, ACM Press, 2003, pp. 103–111.

16. M.R. Rieback, B. Crispo, and A.S. Tanenbaum, “Keep on Blockin’ in the Free World: Personal Access Control for Low-Cost RFID Tags,” to be published in Proc. 13th Int’l Workshop Security Protocols, Springer, 2006; www.cs.vu.nl/~melanie/rfid_guardian/papers/sec_prot.05.pdf.

17. P. Golle et al., “Universal Re-encryption for Mixnets,” Topics in Cryptology—CT-RSA 2004, LNCS 2964, Springer, 2004, pp. 163–178.


the AUTHORS

Melanie R. Rieback is a doctoral student at the Vrije Universiteit Amsterdam in the Computer Systems Group. Her research interests include computer security, ubiquitous computing, and RFID. She received her MSc in computer science from the Technical University of Delft. Contact her at the Dept. of Computer Science, Vrije Universiteit Amsterdam, De Boelelaan 1081a, 1081 HV Amsterdam, Netherlands; [email protected]; www.cs.vu.nl/~melanie.

Bruno Crispo is an assistant professor of computer science at the Vrije Universiteit Amsterdam. His research interests are security protocols, authentication, authorization and accountability in distributed systems and ubiquitous systems, and sensors security. He received his PhD in computer science from the University of Cambridge, UK. Contact him at the Dept. of Computer Science, Vrije Universiteit Amsterdam, De Boelelaan 1081a, 1081 HV Amsterdam, Netherlands; [email protected]; www.cs.vu.nl/~crispo.

Andrew S. Tanenbaum is a professor of computer science at the Vrije Universiteit Amsterdam. His research interests are reliability and security in operating systems, distributed systems, and ubiquitous systems. He received his PhD in physics from the University of California, Berkeley. He’s a Fellow of the IEEE and the ACM and a member of the Royal Dutch Academy of Sciences. Contact him at the Dept. of Computer Science, Vrije Universiteit Amsterdam, De Boelelaan 1081a, 1081 HV Amsterdam, Netherlands; [email protected]; www.cs.vu.nl/~ast.
