Achieving privacy and security in radio frequency identification

Radio Frequency Identification (RFID) systems are gaining popularity in a wide variety of applications such as asset tracking, personnel identification, and sensor networks. However, unique security and privacy issues arise in these systems because (a) the low computation capabilities of RFID tags prevent the use of complicated cryptographic protocols, and (b) the wide deployment of tags opens up room for illegal tracking of people and objects. In this paper, we first describe a basis set of requirements that must be satisfied to mitigate security and privacy problems in RFID systems. We then outline some recent proposals that try to solve these issues, and explore in detail a research publication [1] that uses a pseudonym-based tree-walking security scheme [2] and claims to meet all the requirements. However, we identify some attacks that are still possible in this scheme [1] under the same threat model but in more realistic scenarios, and then extend the scheme to mitigate these attacks. We also address the issue of secure establishment of session keys to exchange information between tags, readers, and centralized trusted centers, which had not been proposed earlier. Our extensions make the overall scheme complete, and deal with most issues that had not been addressed comprehensively by other related work in the past. In all, our extensions provide a complete RFID scheme that meets all the security and privacy goals.

[1] Kazuo Takaragi, et al. An Ultra Small Individual Recognition Security Chip, 2001, IEEE Micro.

[2] Koutarou Suzuki, et al. RFID Privacy Issues and Technical Challenges, 2005, IEEE Engineering Management Review.

[3] Simson L. Garfinkel, et al. RFID privacy: an overview of problems and proposed solutions, 2005, IEEE Security & Privacy Magazine.

[4] Sandra Dominikus, et al. Strong Authentication for RFID Systems Using the AES Algorithm, 2004, CHES.

[5] Ari Juels, et al. Minimalist Cryptography for Low-Cost RFID Tags, 2004, SCN.

[6] David A. Wagner, et al. Privacy and security in library RFID: issues, practices, and architectures, 2004, CCS '04.

[7] Ari Juels, et al. Authenticating Pervasive Devices with Human Protocols, 2005, CRYPTO.

[8] Philippe Oechslin, et al. RFID Traceability: A Multilayer Problem, 2005, Financial Cryptography.

[9] David A. Wagner, et al. A Scalable, Delegatable Pseudonym Protocol Enabling Ownership Transfer of RFID Tags, 2005, IACR Cryptol. ePrint Arch.

[10] Leonid Bolotnyy, et al. Randomized pseudo-random function tree walking algorithm for secure radio-frequency identification, 2005, Fourth IEEE Workshop on Automatic Identification Advanced Technologies (AutoID'05).

[11] David A. Wagner, et al. Security and Privacy Issues in E-passports, 2005, First International Conference on Security and Privacy for Emerging Areas in Communications Networks (SECURECOMM'05).

[12] Ronald L. Rivest, et al. The blocker tag: selective blocking of RFID tags for consumer privacy, 2003, CCS '03.

[13] Koutarou Suzuki, et al. Cryptographic Approach to “Privacy-Friendly” Tags, 2003.

[14] Ari Juels, et al. Squealing Euros: Privacy Protection in RFID-Enabled Banknotes, 2003, Financial Cryptography.

[15] Jian Huang, et al. An approach to security and privacy of RFID system for supply chain, 2004, IEEE International Conference on E-Commerce Technology for Dynamic E-Business.