Trust and Security in RFID-Based Product Authentication Systems

Product authentication is needed to detect counterfeit products and to prevent them from entering the distribution channels of genuine products. Security is a critical property of product authentication systems. In this paper, we study trust and security in RFID-based product authentication systems. We first present a formal definition of the product authentication process and then derive the general chain of trust as well as functional and nonfunctional security requirements for product authentication. Most of the scientific literature that covers the topic focuses on cryptographic tag authentication only. This paper, however, provides a broader view that also includes other known approaches, most notably location-based authentication. To derive the functional security requirements, we employ the concept of misuse cases, which extends the use case paradigm well known in the field of requirements engineering. We argue that the level of security of any RFID-based product authentication application is determined by how it fulfills the derived set of functional and nonfunctional requirements. The security of different RFID-based product authentication approaches is analyzed. To study how RFID supports secure product authentication in practice, we investigate how the current EPC standards conform to the functional security requirements of product authentication and show how the unaddressed requirements could be fulfilled. The benefits of implementing a service that detects cloned tags at the level of the network's core services are identified.
