Design Trade-Offs for Realistic Privacy

The integration of RFID technology into consumer products raises serious privacy concerns, but no privacy protection scheme that can be implemented on passive RFID tags is readily available. Existing proposals either sacrifice a core property of RFID systems, such as availability or scalability, or offer only limited privacy. The most promising approaches appear to be tree-based hash protocols, which sacrifice some privacy to maintain scalability. The amount of information leaked by these tree-based protocols depends on the tree setup as well as on the number and position of disclosed secrets. This leaked information is valued differently by different attackers. Some attackers aim to collect as much information as possible from many tags to build customer profiles; some need detailed information from a representative subset of tags to derive turnover rates of goods, while others need very detailed information on selected tags to track individuals. Modifications of the tree protocol can improve privacy but need to be evaluated under the applicable attacker model. In this chapter, we first introduce privacy issues in RFID systems and techniques for measuring the privacy achieved. Then, we describe protocols designed to enhance privacy and evaluate their effectiveness against different types of attackers. We find that some measures, such as pseudonyms and periodic key updates, improve privacy against some attackers while hurting privacy against others. Other measures, such as restructuring the tree, improve privacy against all attackers but incur additional computational cost for the legitimate reader. To find the best privacy protocol for a known attacker, all available trade-offs should be considered.
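The trade-off the chapter describes, as an added example that is not part of the chapter: a Molnar-Wagner style tree-based hash protocol simulated in Python, with a legitimate reader that identifies a tag by trying the branching-factor keys at each level, and an attacker who has read the secrets out of some tags and eavesdrops on one run per tag. The leakage measure used here (each tag's anonymity set under the attacker's view, converted to log2(N/|set|) bits and averaged over all N tags) is a simplification chosen for this example, not the chapter's metric. SHA-256 as the hash, key derivation from a master seed, the fixed per-tag nonces and the two compromised-tag sets SPREAD and CLUSTERED are all constructed for the simulation.

```python
"""Tree-based hash protocol (Molnar-Wagner style) and a measure of what an
attacker learns after reading the secrets out of some tags.
Added example, not code from the chapter.  H is SHA-256; node keys are derived
from a master seed purely so the simulation is reproducible (a real back end
would store random per-node keys); reader nonces are fixed per tag."""
import hashlib
import math
from collections import Counter


def H(key: bytes, nonce: bytes) -> bytes:
    """Keyed one-way function shared by tag and reader (SHA-256 here)."""
    return hashlib.sha256(key + nonce).digest()


class KeyTree:
    """branching**depth tags; tag i holds the keys of the nodes on its path."""

    def __init__(self, branching: int, depth: int, seed: bytes = b"constructed-seed"):
        self.branching, self.depth, self.seed = branching, depth, seed
        self.n_tags = branching ** depth

    def node_key(self, prefix: tuple) -> bytes:
        return hashlib.sha256(self.seed + repr(prefix).encode()).digest()

    def tag_path(self, tag_id: int) -> tuple:
        digits, x = [], tag_id
        for _ in range(self.depth):
            digits.append(x % self.branching)
            x //= self.branching
        return tuple(reversed(digits))  # most significant digit first

    def path_to_id(self, path: tuple) -> int:
        tag_id = 0
        for d in path:
            tag_id = tag_id * self.branching + d
        return tag_id

    def tag_keys(self, tag_id: int) -> list:
        path = self.tag_path(tag_id)
        return [self.node_key(path[:i + 1]) for i in range(self.depth)]


def reader_cost(tree: KeyTree) -> int:
    """Worst-case hashes the legitimate reader needs per identification."""
    return tree.branching * tree.depth


def tag_respond(tree: KeyTree, tag_id: int, nonce: bytes) -> list:
    """One hash per tree level; the tag never sends a key or its id."""
    return [H(k, nonce) for k in tree.tag_keys(tag_id)]


def reader_identify(tree: KeyTree, nonce: bytes, response: list):
    """Walk the tree level by level, trying every child key of the prefix
    confirmed so far; returns (tag_id or None, hashes computed)."""
    prefix, hashes = (), 0
    for h in response:
        for child in range(tree.branching):
            hashes += 1
            candidate = prefix + (child,)
            if H(tree.node_key(candidate), nonce) == h:
                prefix = candidate
                break
        else:
            return None, hashes
    return tree.path_to_id(prefix), hashes


def attacker_view(tree: KeyTree, known: set, nonce: bytes, response: list) -> tuple:
    """What an eavesdropper holding the node keys in `known` learns from one
    run: the longest path prefix made entirely of keys it holds."""
    prefix = ()
    for level, h in enumerate(response):
        for node in known:  # only known children of the confirmed prefix can match
            if len(node) == level + 1 and node[:level] == prefix \
                    and H(tree.node_key(node), nonce) == h:
                prefix = node
                break
        else:
            break
    return prefix


def leakage_report(tree: KeyTree, compromised: list) -> dict:
    """Partition all tags by the attacker's view.  A tag whose anonymity set
    has size s has leaked log2(N/s) bits; the report averages over all N tags."""
    known = set()
    for t in compromised:
        path = tree.tag_path(t)
        known.update(path[:i + 1] for i in range(tree.depth))
    views = []
    for t in range(tree.n_tags):
        nonce = t.to_bytes(4, "big")  # constructed: one observed run per tag
        views.append(attacker_view(tree, known, nonce, tag_respond(tree, t, nonce)))
    set_size = Counter(views)
    n = tree.n_tags
    return {
        "reader_cost": reader_cost(tree),
        "avg_bits_leaked": sum(math.log2(n / set_size[v]) for v in views) / n,
        "fully_identified": sum(1 for v in views if set_size[v] == 1),
    }


# Constructed attacker scenarios: 10 of 1024 tags have had their secrets read
# out, either spread over the id space or clustered in one corner of the tree.
SPREAD = [102 * k for k in range(10)]
CLUSTERED = list(range(10))

if __name__ == "__main__":
    for name, tree in (("binary, depth 10", KeyTree(2, 10)),
                       ("32-ary, depth 2", KeyTree(32, 2)),
                       ("flat list", KeyTree(1024, 1))):
        print(name, "spread:", leakage_report(tree, SPREAD),
              "clustered:", leakage_report(tree, CLUSTERED))
```

Three things the run makes visible that the prose only states. First, the shape trade-off: the binary tree costs the reader at most 20 hashes per identification and the 32-ary tree 64, against 1024 for a flat list that leaks essentially nothing, and the leaked bits rise in the same order. Second, position matters: in the binary tree the ten clustered secrets leak about 2 bits per tag on average, the ten spread-out secrets more than 4. Third, a sibling effect that a tree with small branching factor introduces: once a leaf's nine ancestor keys are known, the one remaining sibling leaf is identified by elimination, so ten disclosed secrets make twenty tags uniquely trackable in the binary tree but only the ten compromised ones in the 32-ary tree or the flat list.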
