Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
RFID Security and Privacy A Research Survey Shruti Pathak CS 585 Spring ‘09 What is RFID? Radio Frequency IDentification: RFID Automated identification of objects and people It labels objects uniquely and explicitly 1/29/09 UAHuntsville 2 What is an RFID tag? Small microchip designed for wireless data transmission Attached to an antenna: resembles a sticker Contactless and unique identification of products and people Microchip can be as small as a grain of sand (0.4mm2) 1/29/09 UAHuntsville 3 Types of RFID tags ‘Passive’ tags (inexpensive) which derive their power from interrogating reader ‘Semi-Passive’ tags whose batteries power their circuitry when they are interrogated ‘Active’ tags whose batteries power their transmission 1/29/09 UAHuntsville 4 An EPC RFID tag used by Walmart © http://en.wikipedia.org/?title=RFID 1/29/09 UAHuntsville 5 How does it work? 1/29/09 UAHuntsville 6 How does it work? RFID reader sends high frequent energy with optional encoded information to the transponder The energy gets converted into electrical charge and gets saved Transponder responses with unique encoded information Reader receives the information and processes it 1/29/09 UAHuntsville 7 RFID tag (..contd) Successor to the optical barcode, which can be seen on any product 1/29/09 UAHuntsville 8 Advantages of RFID over barcodes Unique Identification Barcode identifies type of object while the RFID identifies the object uniquely Example: When product is purchased at Walmart and is scanned for billing the information that is scanned can be said to be as “Kleenex tissue pack-10 count” In fact each identical pack will scan the same information Whereas the RFID tag would scan the same pack as “Kleenex tissue pack-10 count serial no. ABC1239086” and each pack thus will generate unique information(identification). 1/29/09 UAHuntsville 9 Advantages of RFID over barcodes (..contd) Automation Optically scanned hence line-of-sight contact with reader required. Example: Difficulty while self-checking out the items! RFID tags overcome these shortcomings! They can scan 100 of items per second. Example: Items in warehouses. 1/29/09 UAHuntsville 10 RFID today and tomorrow RFID today Proximity Cards (contactless cards) Automated toll-payment transponders Ignition keys of automobiles (theft-deterrent) Payment tokens (SpeedPassTM, American Express ExpressPayTM, Mastercard PayPassTM) Many house pets have RFID tags implanted in their bodies to facilitate their safe-return home 1/29/09 UAHuntsville 12 1/29/09 © http://www.technovelgy.com/ct/Science-Fiction-News.asp?NewsNum=906 UAHuntsville 13 RFID tomorrow Smart Appliances: Washing Machines and refrigerators, even shopping list to home delivery service Shopping: Check-out by rolling just the card under point of sale and automatic credit to your account. Also would facilitate the return of items without receipts Interactive Objects: Interaction through mobile phones. Scan movie posters and an item for sale! Medication Compliance: To verify whether the medications are taken in a timely manner 1/29/09 UAHuntsville 14 Formal definition of RFID Any RFID is a device that is mainly used for identification of an object or a person Security Problems Two main Privacy concerns Clandestine (concealed) Tracking Readers interrogate and tags respond without the owner’s knowledge Serious threat when the reader can retrieve your personal information during this process! Inventorying (making itemized list of supplies) Reader can harvest important information from the tags related to what type of medication a person is carrying thus what illness he/she may have. Personal preferences with respect to clothing and other accessories. 1/29/09 UAHuntsville 16 Privacy Problems (concerns of everyday life) Toll-payment transponders Small plaques positioned in windshield corners Euro Banknotes Embedding RFID tags in banknotes as an anti-counterfeiting measure Libraries Facilitate check-out and inventorying of books Passports An international organization known as International Civil Aviation Organization officially announced the guidelines for RFID enabled passports and other travel documents Human Implantation VeriChip is a human implantable RFID tag. It can be used for medical record indexing by scanning a patient’s tag 1/29/09 UAHuntsville 17 Read ‘ranges’ of tags Nominal read range ISO 14443 specifies a nominal read range of 10 cm Rogue scanning range 5 times the nominal read range, i.e.,50 cm Tag-to-reader eavesdropping range Once the tag is powered by a reader then a second reader can read information from the same tag from a much more larger distance than rogue scanning range Reader-to-tag eavesdropping range Readers transmit tag specific information to the tag in some RFID protocols. They are subject to eavesdropping to kilometers of distances NOTE: RFID tags can foul systems with excessively long range. In some extreme cases, one person might pay for another person’s groceries! 1/29/09 UAHuntsville 18 Authentication Issues concerning well behaving readers extracting information from misbehaving tags Scanning and replication of RFID tags is another problem 1/29/09 UAHuntsville 19 Nomenclature and Organization Basic Tags Those that cannot execute standard cryptographic operations like encryption and hashing Symmetric-key tags Can perform symmetric cryptographic operations hence cost a little more 1/29/09 UAHuntsville 20 Basic RFID tags Low cost Lack cryptographic operations Couple of thousand gates devoted mainly to basic operations Another hundreds for security functionality 1/29/09 UAHuntsville 21 Privacy ‘Killing’ and ‘Sleeping’: When an EPC tag receives a ‘kill’ command from the reader, it becomes inoperative permanently. These commands are PIN protected Alternatively, tags are put to “sleep” which means they are temporarily made inactive Renaming Approach Tag identifiers are suppressed to disable tracking and hence protect privacy 1/29/09 UAHuntsville 22 Privacy (…contd) The Proxying approach Consumers might carry their own individual privacy protection devices instead of depending on readers for the same Distance measurement With some additional low-cost circuitry we can roughly measure the distance between the reader and the tag on the basis of which we can judge the authentication Blocking Incorporation of modifiable bit called as ‘privacy bit’ into tags 0 bit : unrestricted public scanning 1 bit : ‘privacy zone’ 1/29/09 UAHuntsville 23 Authentication Using ‘kill pins’ to authenticate tags to the reader ‘Yoking’ is a RFID protocol which provides cryptographic proof that two items were scanned simultaneously within physical proximity. Example: Medication + instruction booklet scanned manually Physical one-way functions called POWF are tiny glass beads. On scanning those, unique pattern is revealed. POWF enables: (i) destroying information on physical tampering of RFID devices (ii) manufacturing duplicate POWF is almost impossible 1/29/09 UAHuntsville 24 The problem of PIN distribution Privacy and authentication features both depend on tag-specific PINs Extremely necessary to secure point of sale terminals with the pin while we use the ‘kill’ command 1/29/09 UAHuntsville 25 Symmetric-Key Tags Cloning Prevents the tag cloning by a simple challenge-response protocol Privacy Secure authentication of a RFID tag relies on the symmetric key shared between tag and the reader The Literature The use of key-search mechanism is very costly and efforts are being made to reduce this cost Implementing symmetric-key primitives Several different solutions for efficiently designing and implementing these primitives are being proposed 1/29/09 UAHuntsville 26 More on Privacy in Symmetric key Tags If tag identifies itself prior to the interrogation from the reader, privacy is unachievable If the reader authenticated to the tag first, then the tag cannot easily identify itself to the reader Thus, it becomes difficult to find out the key between the reader and the tag Solution to this problem: Letting the reader identify the tags using a ‘key search’ 1/29/09 UAHuntsville 27 Conclusion RFID tag gives rise to lot of security and privacy issues especially between the tag and the reader that have been discussed Sensors are small hardware devices similar in flavor to RFID tags Sensors are more expensive than RFID tags User perception on RFID tags 1/29/09 UAHuntsville 28 References A. Juels, "RFID security and privacy: a research survey," IEEE Journal on Selected Areas in Communications, vol. 24, pp. 381394, 2006 1/29/09 UAHuntsville 29