Security implications in RFID and authentication processing framework

https://doi.org/10.1016/j.cose.2005.11.008

Abstract

This paper proposes the Authentication Processing Framework (APF) as one way to address the growing concern about unauthorized readers accessing the tag (transponder), which could result in violations of the information stored in the tag. We discuss, on the one hand, the importance of RFID systems and, on the other, the implications that RFID systems have for consumers' privacy and security. Having weighed these two issues, the importance of RFID systems and their security implications, we recommend APF as a good method for overcoming the above-mentioned problem.

Introduction

A typical RFID system consists of a tag, a reader, an antenna and a host system. Most RFID tags are passive, which means that they are battery-less and obtain the power to operate from the reader. Others are battery-powered, which means they are active and do not need power from the reader to function. RFID tags are tiny computer chips connected to miniature antennae that can be affixed to physical objects (Berthon, 2000). In the most commonly touted applications of RFID, the microchip contains an Electronic Product Code (EPC) with sufficient capacity to provide unique identifiers for all items produced worldwide. When an RFID reader emits a radio signal, tags in the vicinity respond by transmitting their stored data to the reader.

With passive (battery-less) RFID tags, read-range can vary from less than an inch to 20–30 feet, while active (self-powered) tags can have a much longer read-range.

Typically, the data are sent to a distributed computing system involved in, perhaps, supply chain management or inventory control (Spychips, 2003).

RFID systems have many beneficial uses and can be applied to many areas of our day-to-day activities. They support many versatile applications, including entrance gate control at transport facilities, custody control and so on. However, the major barrier that RFID systems presently face is the possibility of privacy violation as a result of illegal access.

RFID tags respond automatically to any reader; that is, they transmit without the knowledge of the bearer, and this property can be used to track a specific user or object over wide areas. While expectations are growing for the use of RFID systems in various fields, opposition to their use without the knowledge of the user is increasing (CASPIAN).

Furthermore, if personal identity were linked with unique RFID tag numbers, individuals could be profiled and tracked without their knowledge or consent. For example, a tag embedded in a shoe could serve as a de facto identifier for the person wearing it. Even if item-level information remains generic, identifying items people wear or carry could associate them with, for example, particular events like political rallies (Spychips, 2003).

Our main goal is to find a solution to the privacy problem of illegal access by readers to the tags in the RFID system.

RFID has been around for many years. The first notable application was in identifying aircraft as friend or foe. Since then RFID has been deployed in a number of applications, such as identifying and tracking animals from implanted tags; tracking transport containers; access control systems; keyless entry systems for vehicles; and automatic collection of road tolls (Allan, 2003).

Many other RFID applications may emerge. Consider an airport setting. Both boarding passes and luggage labels could be tagged with RFID devices. Before take-off, an RFID enabled airplane could verify that all boarding passes issued were on the plane and that all luggage associated with those was in the hold. Within an airport, tracking passengers by their boarding passes could improve both security and customer service. Of course, in other environments this would be an undesirable violation of privacy (Weis, 2003).

The example above also illustrates how consumers' privacy can be violated. Since many airlines with different workers operate in an airport, there could be malicious workers at different airlines with ulterior motives to violate consumers' privacy. Such workers would tend to access and monitor the private information of consumers.

Therefore, a preventive method should be put in place to deter the violation of consumers' privacy.

Section snippets

Importance and implications of RFID systems

The problem we deal with in this paper is privacy in RFID systems. In an RFID system, any reader can read and write to a tag within its range. It follows that any item a tag is attached to is susceptible to tracking or monitoring.

This is explained in Ohkubo et al. (2004) as a leakage of information regarding use of belongings, for example, money and expensive products, medicine (which may indicate a particular disease), and books (which mirror

Importance of a proper security and access control in RFID systems

In this paper, our objective is to find a solution to the pressing concern of data from tags being compromised or altered by an unauthorized source.

We propose an authentication framework called APF (Authentication Processing Framework). This framework makes it compulsory for readers to authenticate themselves with the APF database before they can access registered tags.

In order to prevent illegal access to the memory segment of the tag, there should be a procedural access control to

Merits and demerits of the APF

The APF assures RFID users that the information stored in the tag is secure, in the sense that only a reader authenticated by the APF can access the tag. This is because the information the reader receives from the tag is encrypted and can only be decrypted by obtaining the decryption key from the APF. Also, a reader that did not register with the APF before the time it gets the information from the tag will be denied of getting the
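The key-release flow described above, as an added sketch that is not code from the paper: a registered reader proves itself to the APF and receives the tag's decryption key, while an unregistered or late-registered reader gets nothing. The class and function names, the HMAC challenge-response, the SHA-256 keystream stand-in cipher and the caller-supplied `read_time` are all assumptions made for illustration; only the reader-to-APF direction is modelled.

```python
import hashlib, hmac, secrets

def xor_stream(key, nonce, data):
    """Stand-in cipher (SHA-256 counter keystream); the page names no algorithm."""
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def prove(secret, challenge, tag_id):
    """Reader's answer to an APF challenge, bound to the tag it wants to read."""
    return hmac.new(secret, challenge + tag_id.encode(), hashlib.sha256).digest()

class APF:
    """Hypothetical APF database: registered readers and per-tag keys."""
    def __init__(self):
        self.readers, self.tag_keys, self.pending = {}, {}, {}

    def register_reader(self, reader_id, now):
        self.readers[reader_id] = (secrets.token_bytes(32), now)
        return self.readers[reader_id][0]

    def register_tag(self, tag_id):
        return self.tag_keys.setdefault(tag_id, secrets.token_bytes(32))

    def challenge(self, reader_id):
        self.pending[reader_id] = secrets.token_bytes(16)  # one-time value
        return self.pending[reader_id]

    def release_key(self, reader_id, tag_id, read_time, response):
        """Tag key for a reader that registered before read_time and answers
        the outstanding challenge; None for everyone else."""
        challenge = self.pending.pop(reader_id, None)  # pop: a response cannot be replayed
        entry, key = self.readers.get(reader_id), self.tag_keys.get(tag_id)
        if challenge is None or entry is None or key is None:
            return None
        secret, registered_at = entry
        valid = hmac.compare_digest(prove(secret, challenge, tag_id), response)
        return key if valid and registered_at < read_time else None

def demo():
    apf = APF()
    tag_key = apf.register_tag("tag-1")              # constructed identifiers
    secret = apf.register_reader("gate-A", now=100)
    nonce, payload = secrets.token_bytes(12), b"EPC:constructed-sample"
    ciphertext = xor_stream(tag_key, nonce, payload)  # what any reader in range receives
    c = apf.challenge("gate-A")
    key = apf.release_key("gate-A", "tag-1", 200, prove(secret, c, "tag-1"))
    c2 = apf.challenge("rogue")                       # never registered
    denied = apf.release_key("rogue", "tag-1", 200, prove(b"guess", c2, "tag-1"))
    return xor_stream(key, nonce, ciphertext), denied
```

A deployment would replace the stand-in keystream with an authenticated cipher and would need a trustworthy source for the read time, which this sketch simply takes from the caller.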

Conclusion

In conclusion, information in tags can be protected from being read by unauthorized readers through the authentication procedures of the APF system described above. It is imperative to prevent unauthorized access to the tag in order to prevent the violation of privacy and of the confidential information stored in it. Moreover, the above framework provides mutual authentication, which makes it a system that will be able to prevent unauthorized or malicious readers from accessing the

References (11)

  • Adopting fair information practices to low cost RFID systems
  • Alex Allan. RFID and privacy
  • Juels Ari et al. The blocker tag: selective blocking of RFID tags for consumer privacy
  • Alain Berthon. Security in RFID
  • C.A.S.P.I.A.N.

There are more references available in the full text version of this article.

Dr. John Ayoade is an expert researcher in the Security Advancement Group of the National Institute of Information and Communications Technology, Tokyo, Japan.

He obtained his Ph.D. degree in Information Systems under Japanese government scholarship in the Graduate School of Information Systems in the University of Electro-Communications, Tokyo, Japan.

Dr. Ayoade's research work focuses on information and communications security and privacy. He has very wide knowledge of university training involving lectures and practicals in the principles and practice of telecommunications and network policies, coupled with sound theoretical and practical knowledge of Computer Science. He has presented and published papers in many conferences and journals, respectively.

Dr. Ayoade is happily married to his loving and caring wife Oluwatomi and they are blessed with a daughter and a son, Opeyemi and Ayodeji, respectively.
