Advertisement

RFID Security and Privacy

  • Tassos Dimitriou

Abstract

Radio Frequency IDentification (RFID) is a method of remotely storing and retrieving data using small and inexpensive devices called RFID tags. Products labeled with such tags can be scanned efficiently using readers that do not require line-of-sight. This form of identification, often seen as a replacement of barcode technology, can lead to improved logistics, efficient inventory management, and ultimately better customer service.

However, the widespread use of radio frequency identification also introduces serious security and privacy risks since information stored in tags can easily be retrieved by hidden readers, eventually leading to violation of user privacy and tracking of individuals by the tags they carry.

In this chapter, we will start by building some background on the types, characteristics, and applications of RFID systems. Then we will describe some of the potential uses and abuses of this technology, discuss in more detail the attacks that can be applied to RFID systems and, finally, review some of the countermeasures that have been proposed to date.

Keywords

User Privacy International Civil Aviation Organization Electronic Product Code Cloning Attack Object Name Service 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    WalMart (2003) Wal-Mart Details RFID Requirement. Article appears in http://www. rfidjournal.com/article/articleview/642/1/1/
  2. 2.
    DoD(2003) U.S. Military to Issue RFID Mandate. Article appears in http://www.rfidjournal.com/article/articleview/576/1/1/
  3. 3.
    S.E. Sarma, S.A. Weis, and D.W. Engels (2002) RFID systems, security and privacy implications. Technical Report MIT-AUTOID-WH-014, AutoID Center, MITGoogle Scholar
  4. 4.
    About the EPCglobal network. http://www.epcglobalinc.org/about/
  5. 5.
    B. Fabian, O. G ünther, and S. Spiekermann (2005) Security Analysis of the Object Name Service for RFID. In: Security, Privacy and Trust in Pervasive and Ubiquitous ComputingGoogle Scholar
  6. 6.
    K.R. Foster and J. Jaeger (2007) RFID inside: The murky ethics of implanted chips. IEEE Spectrum, March 20–25. Available at http://www.spectrum.ieee.org/mar07/4939
  7. 7.
    Euro Bank Notes to Embed RFID Chips by 2005. Article appears in http://www.eetimes. com/story/OEG20011219S0016
  8. 8.
    ICAO (2004). Document 9303, Machine readable travel documentsGoogle Scholar
  9. 9.
    A. Juels, D. Molnar, and D. Wagner (2005) Security and privacy issues in e-passports. In: D. Gollman, G. Li, and G. Tsudik, editors. IEEE/CreateNet SecureCommGoogle Scholar
  10. 10.
    Wired (2006) Hackers Clone E-Passports. Available at http://www.wired.com/science/discoveries/news/2006/08/71521
  11. 11.
    “Securing communications between mobile phones or other similar devices”, SHA-1 fingerprint: 0x17503346d69b83f1cc9c2c4a43ee748e250b29c4, MD5 fingerprint: 0xae8e0db-474913e9162e058521cae30a4, Version 2, Manuscript 2007Google Scholar
  12. 12.
    M. Usami (2004) An ultra small RFID chip:µ -chip. In: IEEE Asia-Pacific Conference on Advanced System Integrated Circuits AP-ASIC 2004, Fukuoka, Japan, pp. 25Google Scholar
  13. 13.
    R. Stapleton-Gray (2005) Would Macys scan Gimbels? Competitive intelligence and RFID. In: S. Garfinkel and B. Rosenberg, editors, RFID: Applications, Security, and Privacy, Addison-Wesley, Reading, MA, pp. 283–290Google Scholar
  14. 14.
    S. Garfinkel, A. Juels, and R. Pappu (2005) RFID privacy: An overview of problems and proposed solutions. IEEE Security and Privacy, 3(3): 34–43CrossRefGoogle Scholar
  15. 15.
    S. Garfinkel and B. Rosenberg, editors, Reading, MA, (2005) RFID: Applications, Security, and Privacy. Addison-WesleyGoogle Scholar
  16. 16.
    K. Albrecht and L. McIntyre (2005) Spychips: How Major Corporations and Government Plan to Track Your Every Move with RFID. Nelson CurrentGoogle Scholar
  17. 17.
    Sanjay E. Sarma, Towards the five-cent tag, Technical Report MIT-AUTOID-WH-006, MIT Auto ID Center, 2001. Available from http://www.autoidcenter.org
  18. 18.
    S.C. Bono, M. Green, A. Stubblefield, A. Juels, A. D. Rubin, and M. Szydlo (2005) Security Analysis of a Cryptographically-Enabled RFID Device. In: Fourteenth USENIX Security SymposiumGoogle Scholar
  19. 19.
    J. Westhues (2005) Hacking the Prox Card. In: S. Garfinkel and B. Rosenberg, editors, RFID: Applications, Security, and Privacy, Addison-Wesley, Reading, MA, pp. 291–300Google Scholar
  20. 20.
    Z. Kfir and A. Wool (2005) Picking Virtual Pockets using Relay Attacks on Contactless Smartcard Systems. In: First IEEE/CreateNet International Conference on Security and Privacy for Emerging Areas in Communication Networks (SecureComm)Google Scholar
  21. 21.
    G. Hancke and M. Kuhn (2005) An RFID distance bounding protocol. In: First IEEE/ CreateNet International Conference on Security and Privacy for Emerging Areas in Communication Networks (SecureComm)Google Scholar
  22. 22.
    R. Want (2004) RFID: A key to automating everything. Scientific American, 290(1): 56–65CrossRefGoogle Scholar
  23. 23.
    A. Juels, R. Rivest, and M. Szydlo (2003) The blocker tag: Selective blocking of RFID tags for consumer privacy. In: Vijay Atluri, editor, ACM Conference on Computer and Communications Security CCS03, Washington, DC, USA, pp. 103–111CrossRefGoogle Scholar
  24. 24.
    RFID Journal (2003) NCR prototype kiosk kills RFID tags. Available online at http://www.rfidjournal.com/article/articleview/585/1/1/
  25. 25.
    Consumers Against Supermarket Privacy Invasion and numbering-CASPIAN (2003) RFID Position paper. Available at http://www.privacyrights.org/ar/RFIDposition.htm
  26. 26.
    S. Garfinkel (2002) An RFID bill of rights. In: Technology Review, Available at http://www. technologyreview.com/articles/02/10/garfinkel1002.asp
  27. 27.
    G. Avoine Security and Privacy in RFID Systems. Online at http://lasecwww.epfl.ch/gavoine/rfid/
  28. 28.
    A. Juels (2008) RFID security and privacy: A research survey. IEEE Journal on Selected Areas in Communication, Volume 24, Issue 2, Feb. 2006, Pages 381–394. CrossRefGoogle Scholar
  29. 29.
    G. Avoine (2005) Cryptography in Radio Frequency Identification and Fair Exchange Protocols. PhD Thesis, EPFLGoogle Scholar
  30. 30.
    G. Avoine and P. Oechslin (2005) RFID traceability: A multilayer problem. In: Andrew Patrick and Moti Yung, editors, Financial Cryptography FC05, Volume 3570 of Lecture Notes in Computer Science, Springer, Berlin, pp. 125–140Google Scholar
  31. 31.
    S. Weis, S. Sarma, R. Rivest, and D. Engels (2003) Security and Privacy Aspects of Low-Cost Radio Frequency Identification Systems. In: First International Conference on Security in Pervasive Computing (SPC)Google Scholar
  32. 32.
    M. Ohkubo, K. Suzuki, and S. Kinoshita (2003) Cryptographic Approach to Privacy-friendly Tags. In: RFID Privacy Workshop, MIT, MA, USAGoogle Scholar
  33. 33.
    G. Avoine and P. Oechslin (2005) A Scalable and Provably Secure Hash Based RFID Protocol. In: The Second IEEE International Workshop on Pervasive Computing and Communication Security (PerSec), IEEE Computer Society Press, Washington, DC, pp. 110–114CrossRefGoogle Scholar
  34. 34.
    T. Dimitriou (2005) A Lightweight RFID Protocol to protect against Traceability and Cloning attacks. In: First IEEE/CreateNet International Conference on Security and Privacy for Emerging Areas in Communication Networks (SecureComm)Google Scholar
  35. 35.
    D. Molnar, A. Soppera, and D. Wagner, A Scalable, delegatable pseudonym protocol enabling ownership transfer of RFID tags, Selected Areas in Cryptography, 2005Google Scholar
  36. 36.
    T. Dimitriou, A Secure and Efficient RFID Protocol That Could Make Big Brother (partially) Obsolete, in Fourth IEEE International Conference on Pervasive Computer and Communications (PerCom), 2006Google Scholar
  37. 37.
    K. Nohl and D. Evans (2006) Quantifying Information Leakage in Tree-Based Hash Protocols. In: Eighth International Conference on Information and Communications Security (ICICS), USAGoogle Scholar
  38. 38.
    L. Lu, Y. Liu, L. Hu, J. Han, and L. Ni (2007) A Dynamic Key-Updating Private Authentication Protocol for RFID Systems. In: Fifth IEEE Conference on Pervasive Computing and Communications (PerCom)Google Scholar
  39. 39.
    M. Feldhofer, S. Dominikus, and J. Wolkerstorfer, Strong authentication for RFID systems using the AES algorithm, Workshop on Cryptographic Hardware and Embedded Systems, 2004Google Scholar
  40. 40.
    M. Jung, H. Fiedler, and R. Lerch (2005) 8-bit microcontroller system with area efficient AES coprocessor for transponder applications. In: Ecrypt Workshop on RFID and Lightweight CryptoGoogle Scholar
  41. 41.
    I. Vajda and L. Butty án (2003) Lightweight Authentication Protocols for Low-Cost RFID Tags In: Second Workshop on Security in Ubiquitous ComputingGoogle Scholar
  42. 42.
    A. Juels (2004) Minimalist Cryptography for RFID Tags. In: C. Blundo, editor, Security of Communication Networks (SCN)Google Scholar
  43. 43.
    B. Defend, K. Fu, and A. Juels (2007) Cryptanalysis of Two Lightweight RFID Authentication Schemes. In: Fourth IEEE International Workshop on Pervasive Computing and Communication Security (PerSec)Google Scholar
  44. 44.
    Nokia unveils RFID phone reader. RFID Journal, 17 March 2004. Available at http://www.rfidjournal.com/article/view/834
  45. 45.
    M. Rieback, B. Crispo, and A. Tanenbaum (2005) RFID Guardian: A Battery-powered Mobile Device for RFID Privacy Management. In: Australasian Conference on Information Security and Privacy, vol. 3574 of LNCS, pp. 184–194Google Scholar
  46. 46.
    A. Juels, P. Syverson, and D. Bailey (2005) High-power proxies for enhancing RFID privacy and utility. In: Center for High Assurance Computer Systems - CHACSGoogle Scholar
  47. 47.
    T. Dimitriou (2008) Proxy Framework for Enhanced RFID Security and Privacy. 5th IEEE Consumer Communications and Networking Conference (CCNC 2008), Las Vegas, USAGoogle Scholar
  48. 48.
    M. Weiser (1991) The computer for the 21st century. Scientific American 265(3): 94–104CrossRefGoogle Scholar

Copyright information

© Springer Science+Business Media, LLC 2008

Authors and Affiliations

  • Tassos Dimitriou
    • 1
  1. 1.Athens Information TechnologyAthensGreece

Personalised recommendations