
Ubi-Check: a pervasive integrity checking system · 2009-11-05 · 3 System design The Ubi-Check...

Date post: 10-Aug-2020

Ubi-Check: a pervasive integrity checking system

Michel Banâtre, Fabien Allard and Paul Couderc

INRIA Rennes / IRISA, WWW home page: http://www.irisa.fr/aces

Abstract. Integrity checking is an important concern in many activities, such as logistics, telecommunication or even day-to-day tasks such as checking for someone missing in a group. While the computing and telecommunication worlds commonly use digital integrity checking, many activities from the real world do not benefit from automatic mechanisms for ensuring integrity. RFID technology offers promising perspectives for this problem, but also raises strong privacy concerns, as RFID systems are usually based on global identification and tracking. In this paper we present an alternative approach, Ubi-Check, based on the concept of coupled physical objects, which enable integrity checking relying only on local interactions, without the support of a global information system.

1 Introduction

Integrity checking is an important concern in many activities, both in the real world and in the information society. The basic purpose is to verify that a set of objects, parts, components or people remains the same along some activity or process, or remains consistent against a given property (such as a part count).

In the real world, it is a common step in logistics: objects to be transported are usually checked by the sender (for their conformance to the recipient’s expectation), and at arrival by the recipient. When a school takes a group of children to a museum, the people responsible for the children will regularly check that no one is missing. Yet another common example is checking for our personal belongings when leaving a place, to avoid losing them. While important, these verifications are tedious, vulnerable to human error, and often forgotten.

Because of these vulnerabilities, problems arise: e-commerce clients sometimes receive incomplete packages, and valuable and important objects (notebook computers, passports, etc.) get lost in airports, planes, trains, hotels, etc., with sometimes dramatic consequences.

While there are very few automatic solutions to improve the situation in the real world, integrity checking in the computing world is a basic and widely used mechanism: magnetic and optical storage devices and network communications all use checksums and error-checking codes to detect information corruption, to name a few.

The emergence of ubiquitous computing and the rapid penetration of RFID devices enable similar integrity checking solutions to work for physical objects. The purpose of this paper is to present the design of such a system, and one of its applications. The paper is organized as follows: in the next section, we detail the problem. Then we present the design and implementation of the Ubi-Check system. Finally, some related works and perspectives are discussed.

2 The problem

Let’s focus on a typical application scenario, which will help identify the key issues of the problem. Consider someone at the airport who is going to cross the security gate. He is required to take off his jacket and his belt, to put his mobile phone and his music player in a container, to remove his notebook computer from his bag, and maybe other objects... All that in a hurry, with other people in the queue doing the same. Obviously, personal objects are vulnerable to getting lost in this situation: objects can get stuck inside the scanner, can stack up on each other at the exit of the scanner, and it is easy to forget something while being stressed about catching a flight. Another vulnerability is picking up someone else’s object, such as a notebook computer of the same model.

The vulnerability is introduced because:

1. objects belonging to a common set have to be separated from each other on some occasions

2. getting them back together is not checked by a reliable process

Consider what happens in a computer network: digital objects are fragmented into “packets” which can be transported independently of each other in the network. When they arrive at a destination point, packets are assembled together to rebuild the original object, which is checked for integrity. For this purpose, packets include additional information enabling error detection. Of course, networks are more complex than this simple view, with multiple encapsulation and fragmentation levels, but for the analogy with real objects and people, the basic principle is sufficient:

We can consider a set of physical objects as “data” which are going to be transported and eventually separated on some occasions. At some point where the set of physical objects is assumed to be complete, integrity checks will take place. For instance, in our airport security gate scenario, the integrity check would be performed on leaving the zone.

Our goal is to propose an integrity checking system that could be integrated at strategic places to warn people when missing objects are detected, or when they are carrying someone else’s object. Such a system would turn some areas into smart spaces where people would not have to worry about losing objects, which is interesting for trains, hotels, etc.

Such a system is only interesting if it can be realistically deployed, given the constraints of the real world. To this end, some important requirements have to be considered:

1. ease of use and as low as possible impact on existing processes

2. low cost for the user

3. scalability and reliability

4. ease of on-site integration

5. privacy respect

We think it is important to insist on the last two requirements. Integration issues can lead to the death of emerging technologies or experimental systems: the cost of integrating something new into an operational infrastructure is very high, and dependence or impact on existing information systems should be as low as possible for a chance of acceptance.

Privacy concerns raise strong resistance to RFID technology [8]. As we will see, a core idea of Ubi-Check is to ensure anonymous operation and no dependence on databases.

3 System design

The Ubi-Check system is based on the principle of coupled objects. Coupled objects are a group of physical objects that are logically associated together, meaning that they carry digital information referencing other objects from the set, or representing their membership to the group. An important property is that this information is physically stored on the objects. Typically, this information will be stored on RFID memory tags embedded in the objects.

In our application scenario, this means that users of the Ubi-Check system would have their important objects equipped with tags. Ideally, those tags could be embedded into the object at build time by the manufacturer, but user-installed tags could of course be added for objects not ready for the service.

Then, there are two procedures in the system: a first one consisting of associating all the objects of a group (i.e. the objects of a person), and a second one where integrity will be checked at the appropriate places. Figure 1 sums up the process, which we detail in the following.

3.1 Group creation

At this step, the user presents himself in a small area in the range of an RFID writer, and a group is initialized for all his tagged objects: a signature is computed from the individual identifiers of the tags. The identifiers can be those attributed at tag construction, or generated for the Ubi-Check system. The latter case is better for protecting the user’s privacy, because new identifiers can be used each time a group is created, thereby reducing the risk of users being tracked by their objects. A user could create a new group at each trip, for example.

As we can see, a group is made of a set of identifiers. We need to store the group representation somewhere, so that group integrity can be checked at appropriate places. Storage in a database is a straightforward solution, but it would require that each checkpoint can access this database through a communication infrastructure, which raises several issues:

– Deployment and operating cost

– Reliability and scalability, because the checking operation would be dependent on the availability of the communication infrastructure and the remote database, and the communication load would increase linearly with the number of users of the service

– Privacy, as the group representation associated with individuals would be stored in a central database. However, depending on the nature of the object identifiers and the group representation that is used, this issue may be mitigated.

Fig. 1. Group creation and checking

These issues conflict with our design goals, which motivates an alternative solution that would not depend on a remote service to operate. In the concept of coupled objects previously mentioned, the logical association between the objects (or the group membership) is part of the physical objects themselves. This can be easily implemented with RFID tags, which, in addition to the identifier part, can provide a programmable memory of up to a few kilobits. The group representation will be stored in this memory. Because the size is limited and the integrity check should be fast, the group is represented by a signature, computed by a hash function. A good discussion of hash functions in the context of RFID is [3]. This approach enables fully autonomous operation of both the association points and the checkpoints.

An additional property can be stored in a particular object, considered as the owner of the group: the cardinal of the set. The owner tag would typically be associated with an object that the user would always keep with him, such as his watch. We will see in the next section how it is used.

3.2 Checking phase

Once a group is formed, the user can move away with his objects. He can separate from his objects, but if he passes a checking point without the complete set, a warning is shown.


The checking point is made of an RFID reader controlling a double antenna setup, with the antennas arranged close to each other (typically separated by one meter), in order to detect objects crossing the checkpoint. A time frame $\Delta t$ is set to allow a group of objects to cross the gate. In practice, we have used an interval of 2 to 3 seconds with good success for typical pedestrian flow.

A cyclic buffer logs each identifier $i$ passing the gate, the timestamp of the event $t_i$, and the signature $S_i$ of the tag. The integrity check is triggered for each group that is reaching the end of its time frame, that is:

$$\forall i \text{ such that } t_0 \le t_i \le t_0 + \Delta t \text{ and } S_i = X$$

where $t_0$ is the timestamp when the first identifier of the group of signature $X$ is read.

The hash code $H(i_0, \dots, i_n)$ is checked against $X$, and three cases have to be considered:

1. $H(i_0, \dots, i_n) = X$, meaning that the set is complete. In Ubi-Check this is shown as a green status at the exit of the checkpoint.

2. $H(i_0, \dots, i_n) \neq X$, and one of the identifiers has the owner status described in the previous section. This means that there is at least one missing object from the group. Ubi-Check reports a warning of missing objects. The number of missing objects is known, as the owner tag includes the cardinal of the set.

3. $H(i_0, \dots, i_n) \neq X$, and no identifier has owner status. Ubi-Check reports that you are carrying one or more objects that do not belong to you.
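The group creation and checking procedure described above, sketched as an added example (it is not code from the Ubi-Check prototype). It assumes SHA-256 over the sorted identifiers, truncated to 64 bits, as the hash H; the names `Tag`, `group_signature`, `create_group` and `check_gate` are hypothetical, the sample identifiers are constructed, and reads arriving after the time frame are simply dropped.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Tag:
    ident: str          # identifier generated for this group
    signature: str      # group signature X written to the tag memory
    owner: bool = False
    cardinal: int = 0   # size of the set, stored on the owner tag only

def group_signature(idents):
    """H(i0, ..., in): hash over the sorted identifiers, so read order is irrelevant."""
    h = hashlib.sha256()
    for ident in sorted(idents):
        data = ident.encode()
        h.update(len(data).to_bytes(2, "big") + data)  # length prefix keeps items distinct
    return h.hexdigest()[:16]  # 64 bits, to fit small tag memory (assumption)

def create_group(idents, owner_ident):
    """Association point: compute X once and write it to every tag of the group."""
    x = group_signature(idents)
    return [Tag(i, x, i == owner_ident, len(idents) if i == owner_ident else 0)
            for i in idents]

def check_gate(reads, delta_t=3.0):
    """Checkpoint: reads is a list of (timestamp, Tag); returns {X: (status, count)}."""
    windows = {}  # X -> (t0, {ident: Tag}); t0 is the first read carrying signature X
    for t, tag in sorted(reads, key=lambda r: r[0]):
        t0, seen = windows.setdefault(tag.signature, (t, {}))
        if t <= t0 + delta_t:          # only reads inside the time frame count
            seen[tag.ident] = tag      # duplicate reads of one tag collapse
    verdicts = {}
    for x, (_, seen) in windows.items():
        owner = next((tg for tg in seen.values() if tg.owner), None)
        if group_signature(seen) == x:
            verdicts[x] = ("complete", 0)                           # case 1
        elif owner is not None:
            verdicts[x] = ("missing", owner.cardinal - len(seen))   # case 2
        else:
            verdicts[x] = ("foreign", len(seen))                    # case 3
    return verdicts

# Constructed sample groups: identifiers are made up for the example.
ALICE = create_group(["a1f3", "9c20", "77be", "e4d8"], owner_ident="a1f3")
BOB = create_group(["b001", "b002"], owner_ident="b001")

if __name__ == "__main__":
    # Bob crosses with his own two objects plus one of Alice's.
    crossing = [(10.0, BOB[0]), (10.4, BOB[1]), (10.9, ALICE[2])]
    for x, verdict in check_gate(crossing).items():
        print(x, verdict)
```

The hash in this sketch is unkeyed: it detects an incomplete or mixed-up set, as in the scenario above, and does not authenticate the tags themselves.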

3.3 Implementation and experimentation

A prototype of the system has been implemented: it uses FEIG HF 13.56 MHz readers, controlled by a standard embedded PC, and standard HF read/write tags. A single unit can play both the roles of group creator (association) and checkpoint. Figure 2 shows a simple setup with an LCD display used to report status.

The performance of the readers allows a typical capture rate of 10 tags/s, which in practice translates into checking up to 2 users per second. As can be expected with RFID technology, and especially in this context of free mobility and on-the-fly tag acquisition, misreads are possible. Their occurrence is highly dependent on the placement of the tags in the objects, and on the nature and the environment of the objects. While some advice can be given to users for optimal tag placement, metal proximity and other perturbations cannot always be avoided. However, as the system is based on a multiplicity of tags, read failures typically lead to false warnings, not missed warnings, as failing to read all the tags from a user is very unlikely. In case of a false warning, the user can pass through the checkpoint again.

The system was experimented with at the “Fête de la science” in November 2008, a two-day event where the general public was invited to experiment with recent scientific and technological developments. The feedback was very positive regarding the relevance of the service. However, the reading reliability is currently not robust enough to allow operational deployments in environments with a sustained and continuous flow of people, such as airports. But in other contexts with relaxed constraints, such as in hotels, the system performance could be adequate.

Fig. 2. A simple Ubi-Check set up

4 Related works

RFID is a hot topic with many issues, given its broad application domain and emerging success in security, accountability, tracking, etc. However, the Ubi-Check service and its underlying coupled-objects principle differ from many RFID systems where the concept of identification is central and related to database-supported information systems. In some works, the tag memory is used to store semantic information, such as annotations, keywords and properties [1,7]. Ubi-Check is in line with this idea: RFID tags are used to store group information in a distributed way over a set of physical artifacts. The concept of using a distributed RFID infrastructure as pervasive memory storage is due to Bohn and Mattern [2].

Maintaining group membership information in order to cooperate with “friend devices” is a basic mechanism (known as pairing or association) in personal area networks (PAN) such as Bluetooth or Zigbee. Some personal security systems based on PAN for luggage were proposed [5], which enable the owner to monitor some of his belongings, such as his briefcase, and trigger an alarm when the object is out of range. A major drawback of active monitoring is the energy which is required, as well as potential conflicts with radio regulations that can exist in some places, in particular in airplanes.

Still in the context of Bluetooth, RFID has also been used to store PAN addresses in order to improve discovery and connection establishment time [9]. It can be seen as storing “links” between physical objects, such as in Ubi-Check, but without the idea of a fragmented group. Yet another variant is FamilyNet [6], where RFID tags are used to provide intuitive network integration of appliances. Here, there is a notion of group membership, but it resides on information servers instead of being self-contained in the set of tags as in Ubi-Check. Probably the closest concept to Ubi-Check is SmartBox [4], where abstractions are proposed to determine common high-level properties (such as completeness) of groups of physical artifacts using RFID infrastructures.

5 Conclusion

We presented a service for enabling smart spaces to check that people do not leave a protected area without all their belongings, or with objects of other people. The system is based on completely autonomous checkpoints, and a logical group distributed over a set of physical artifacts. The strong points of this solution are its independence from any remote information system or network support, and its respect for the user’s privacy, as it is anonymous and does not rely on global identifiers. As we have seen, RF reading reliability has to be improved for some application scenarios. We have also examined other scenarios, such as checking at home the integrity of a complex medical prescription with a group of medications set up by a druggist.

In further research we are investigating other variations of the coupled-objects concept to improve trust and accountability in logistics and e-commerce.

References

1. Michel Banâtre, Mathieu Becus, and Paul Couderc. Ubi-board: A smart information diffusion system. In NEW2AN ’08 / ruSMART ’08: Proceedings of the 8th international conference, NEW2AN and 1st Russian Conference on Smart Spaces, ruSMART on Next Generation Teletraffic and Wired/Wireless Advanced Networking, pages 318–329, Berlin, Heidelberg, 2008. Springer-Verlag.

2. Jurgen Bohn and Friedemann Mattern. Super-distributed RFID tag infrastructures. In Proceedings of the 2nd European Symposium on Ambient Intelligence (EUSAI 2004), number 3295 in Lecture Notes in Computer Science (LNCS), pages 1–12, Eindhoven, The Netherlands, November 2004. Springer-Verlag.

3. Martin Feldhofer and Christian Rechberger. A case against currently used hash functions in RFID protocols. pages 372–381. 2006.

4. Christian Floerkemeier, Matthias Lampe, and Thomas Schoch. The smart box concept for ubiquitous computing environments. In Proceedings of sOc’2003 (Smart Objects Conference), pages 118–121, Grenoble, May 2003.

5. Rolf Kraemer. The Bluetooth briefcase: Intelligent luggage for increased security. http://www-rnks.informatik.tu-cottbus.de/content/unrestricted/teachings/2004/, 2004.

6. Wendy Mackay and Michel Beaudouin-Lafon. FamilyNet: A tangible interface for managing intimate social networks. In Proceedings of SOUPS’05, Symposium On Usable Privacy and Security. ACM, Jul 2005.

7. Tommaso Di Noia, Eugenio Di Sciascio, Francesco M. Donini, Michele Ruta, Floriano Scioscia, and Eufemia Tinelli. Semantic-based Bluetooth-RFID interaction for advanced resource discovery in pervasive contexts. Int. J. Semantic Web Inf. Syst., 4(1):50–74, 2008.

8. Pedro Peris-Lopez, Julio Cesar Hernandez Castro, Juan M. Estevez-Tapiador, and Arturo Ribagorda. RFID systems: A survey on security threats and proposed solutions. In PWC, pages 159–170, 2006.

9. Timo Salminen, Simo Hosio, and Jukka Riekki. Enhancing Bluetooth connectivity with RFID. In PERCOM ’06: Proceedings of the Fourth Annual IEEE International Conference on Pervasive Computing and Communications, pages 36–41, Washington, DC, USA, 2006. IEEE Computer Society.

