A Study on the Security of RFID with Enhancing Privacy Protection

Transcription

1 A Study on the Security of RFID with Enhancing Privacy Protection *Henry Ker-Chang Chang, *Li-Chih Yen and *Wen-Chi Huang *Professor and *Graduate Students Graduate Institute of Information Management Chang Gung University Taiwan *Correspondence: Professor Henry Ker-Chang Chang Graduate Institute of Information Management Chang Gung University Tao-Yuan, Taiwan, ROC Tel.: Ext

2 A Study on the Security of RFID with Enhancing Privacy Protection Abstract: A ubiquitous network environment will make society be able to conveniently access better services anywhere and at any time. The Radio Frequency Identification (RFID) technology will most likely be part of such a manageable society. However, more and more deployment of RFIDs may create some threats to user privacy; therefore privacy protection has become an important issue nowadays. In this thesis, we propose a mutual authentication protocol to enhance the privacy protection, which uses the dynamic identification scheme. In this way, we want to reform some weaknesses which have in the past, or will in the future allow breaches by adversaries. We present a security protocol to prevent some attacks using cryptographic one-way hash functions on the passive tags. Therefore, our proposed method could be deployed in many applications without strong symmetric or asymmetric encryption. We believe that the proposed approach will be available to enhance the protection of a user's privacy. Key words: Radio Frequency Identification (RFID), Dynamic Identification, Hash Function, Security, Privacy 1. INTRODUCTION Recently, Radio Frequency Identification (RFID) has been called the next generation bar code, which is a revolution in automatic identification and contactless accessing data method. The RFID system is commonly applied to manufacturing, such as supply chain management and inventory control. For instance, Wal-Mart has recently attempted to use RFID systems popularly; all incoming inventory items from their manufacturers contain RFID tags (Cavoukian, 2003). Therefore, the pervasive RFID systems will establish a ubiquitous network environment. There are two main types of RFID tags: active and passive. An active tag contains a small on-board battery and generates power itself, whereas a passive tag does not contain any power source and uses the power generated by the reader (Allied Bus, 2002). Although passive tags have blocked computation power and shorter transmission scope, their life cycle is not limited, while the cost is low. Since the RFID systems are applied in generally all trades and professions, security and privacy issues advocates should be concerned. The most applications use passive tags due to 1

3 cost problems, and the acceptable cost of passive tags should be about 5 cents. However, at such a cost, a passive tag that is limited for security only contains roughly 2,500 to 5,000 gates (Ohkubo et al, 2003). For instance, DES needs 10,000 gates and AES implementation needs 5,000 gates (Phillips, T., 2005), thus most cryptographic approaches can not be implemented. In this proposed scheme, we present a security protocol to prevent some attacks using cryptographic a one-way hash function on the passive tags. Therefore, our proposed method could be deployed in many applications without strong symmetric or asymmetric encryption. This paper is organized as follows. We discuss the RFID personal privacy issues in section 2. The related works of security and privacy protection protocol for RFID system are introduced in section 3. Our proposed approach is given in section 4. In section 4, we define the hash-based function to design the protocol. The basic idea and working mechanisms are presented based on randomly ID-Refreshed Identification. 2. RFID PERSONAL PRIVACY ISSUES RFID provides us with many benefits but also irks us with many issues regarding privacy. Since RFID signals are transmitted over the air, attackers can always sniff the messages between the readers and the tags to get private information on tags. Privacy issues are mainly classified into data privacy and location privacy. Data privacy Attackers can use a reader to scan individuals for RFID tagged items without their knowledge remotely. If attackers can associate the output of the tags with the item which the tag is affixed to, then attackers can get a shopping list and even a preference list of individuals without their consent. Even worse, if attackers associate the output of a tag with the individual who carries it, personal identification becomes another issue. Moreover, attackers might scan individuals to know the private item that they carry. Thieves may also use a reader to choose a rich victim by scanning for individuals who carry high value items. Location privacy Persons who carry RFID tags and vehicles with RFID are under the threat of tracking. If attackers can predict the output of a tag (some tags always output the same message), they can associate the tag and its owner. By scanning items with tags, attackers can track an 2

4 individual with readers. Therefore, no one can sense the radio frequency signal and a RFID provides contactless identification; individuals can hardly know that he or she is being tracked remotely by someone. 3. Related Works In RFID systems pervasive deployment of tags may create new security and customer privacy issues. For instance, an attacker could discover an individual s informational preferences without their permission if they carry items with RFID tags, revealing privacy information by linking an ID of a tag to a person in a database system. Therefore, there are many research projects proposed with different schemes to protect user privacy for RFID. In this section, we introduce the previous schemes for RFID privacy issues, and also discuss the advantages and drawbacks of those methods. Hash lock scheme This scheme proposes an access control protocol for RFID (Weis 2003). In this proposed scheme, we want to lock the tag so that the tag stores the hash of a random key K as the tag metaid, i.e., metaid = h (K). Then the back-end database stores random keys which correspond with a metaid of each tag in this system. When the reader queries the tag, the tag sends the metaid value to the back-end database. If we want to unlock the tag, query the metaid from the tag, and look up the appropriate key in the database and transmit it. The tag hashes the key and compares it to the stored metaid. If both values match, the tag unlocks itself. This procedure is shown in Fig. 1: Fig.1 Hash lock scheme This scheme is very practical method for low-cost RFID tag, because only on hash function needed. However, the tag could be easily tracked by an adversary via its fixed metaid. Furthermore, there is no mechanism to protect the RFID system against spoofing in this scheme. Randomized hash Lock scheme When the reader queries a tag, the tag responds with a random number and the hash value of its identity makes contact with the random number (Weis et al, 2003). Then the reader forwards these messages to a database; the database computes the hash value of the identity 3

5 of each tag in contact with the random number to find the appropriate identity of the tag. This procedure is shown in Fig. 2: Fig. 2 Randomized hash lock scheme even though this scheme improved the location tracking problem of hash lock schemes, it is neither private nor secure against passive eavesdroppers, and an adversary can query a tag to learn (R, h (ID k, R)), with which the adversary later can impersonate the tag to the reader (Molnar et al, 2004). Re-encryption scheme In this scheme (Juels et al, 2003), re-encrypted serial numbers of bank notes in tags are used with a public key. It is proposed in order to reduce the linkage of different appearances. Then, in another scheme (Golle et al, 2004) for re-encrypting tags, it is proposed using multiple public keys to re-encrypt a cipher-text without knowing the associated public key. Although both foregoing schemes protect data privacy and make strong protection of location privacy, they require an external computing environment and need many resources (Juels et al, 2003). Other approaches There are other different approaches to resolving data privacy issues. Here we show them. (1) Kill command feature: This scheme is proposed by EPC global and has been ratified (EPC global Inc., 2007). Even thought the privacy problems can be resolved completely in this way, users can not benefit from RFID system after killing the tag, therefore it is not recommended. (2)Blocker tags scheme (Juels et al, 2003): The main idea is to interfere with communication if protected tags are being read. However, this scheme is limited, since blocker tags can not protect the protected tag while out of the transmission scope. 4. THE PROPOSED SCHEME To protect the data confidentially for low-cost RFID tags, cryptography such as DES, AES, and RSA are not feasible due to the cost issue. The computation power needed is beyond low-cost tags. Instead of general cryptography, exclusive-or operation and hash function are much more practical for low-cost RFID tags. 4

6 Here we introduce a randomly ID-Refreshed Identification scheme. This approach protects data privacy and location privacy for low-cost RFID tags under the threats of replay attack, eavesdropping, spoofing, and man-in-the-middle attacks. First, we describe the initial stage of the proposed protocol, and then we introduce the details of the communications protocol. The initialization stage First of all, in our proposed protocol, two hash functions are given: Y 1 =h(x 1 ) and Y 2 =f(x 2 ). Then we introduce that our proposed protocol has some computation and initialization values in the database, reader, and tag which are based on the EPC standard as an initial step: (1) ID is the identity of a tag which is stored in both the database and every tag. (2) MID (Meta-ID) is generated by each tag dynamically. (3) Time stamp (T 1, T 2 ) is transmitted between the reader and tag which enhances the security. (4) CID (Checking-ID) is generated by the database and tags dynamically. (5) UID (Updating-ID) is initially generated by database which is then stored both in the database and the tag. The initial step is shown in Fig. 3: Database Reader Tag Select random A UID=A Store (ID, UID) (ID, UID) (ID, UID) Store (ID, UID) Fig. 3 The initialization stage of the proposed protocol The details of the proposed protocol In this section, we would like to introduce a dynamic identity scheme. This method protects data and location privacy for low-cost RFID tags. We feel that this proposed scheme can help to allay fears from the threat of eavesdropping, replay attacks, spoofing and man-in-the-middle attack. In our approach, the tag has a random number generator and the computation power to compute hash functions. This scheme is: (1) When the reader wants to access the tag, it sends the signal with the inquiry information first. (2) After the tag receives the query signal, it selects a random number B, hashes ID by Y 1 =h(x 1 ), sends back MID= h (ID B) and time stamp T 1 to the reader which is forwarded to the database. 5

7 (3) Then the database also hashes all the stored ID i by the hash function: Y i =h(x i ), searches and checks that Y matches MID that is from the tag. Therefore, the database can acquire the values (ID, MID, UID). (4) The database generates the random number C and computes CID=h(ID C); then sends the values (CID, UID, C) to the reader, then the reader adds a time stamp T 2 and sends ( CID, UID, C, T 2 ) to the tag. (5) When the tag receives the values, it computes Y=h (ID C). If Y matches the received CID and the UID value also matches, the tag unlocks itself. (6) The database and tag both update the UID value finally. The proposed scheme is composed by the following steps as presented in Fig. 4: Database Reader Tag 1. Compute: all ID i (where i = 1 n ) Y=h(ID B) 2. Searching & Checking Y=MID (3) MID, B (1) Query (2) MID, B, T 1 1. Pick random number B 2. Compute: MID=h(ID B) 3. Acquire the values (ID, MID, UID) 4. Pick random number C CID=h(ID C) 1. Updating: UID=f(ID C) Compute : (4) (5) 1. Y=h(ID C) CID, UID, C CID, UID, C, T 2 2. if Y=CID & UID is also matched then unlock itself 3. Updating: UID=f(ID C) Fig. 4 Diagram of the proposed privacy protection mechanism using dynamic identity scheme 5. SECURITY ANALYSIS In this section, we introduce the proposed protocol that can protect the location privacy and data privacy under the threats of replay attack, eavesdropping, spoofing, and man-in-the-middle attack; we also use a one-way hash function to protect all the messages. We can express the issues: Location privacy An adversary can track the tag, if the tag outputs the fixed information or has predictable messages over the protocol. In the proposed scheme, the same tag changes the information for each legitimate reading session. However, the dynamic messages from the tag ensure safety against tracking attacks. 6

8 Against replay attack Because adversaries can always eavesdrop in the air, record the messages, and replay those messages at any time, the database and tag must check the updating of messages. In the proposed protocol, the replay attack is prevented by establishing the valid time stamps T 1 and T 2. This is a key to against the replay attack. Against eavesdropping Since RFID signals are transmitted over the air, attackers can always eavesdrop on the messages between tags and readers. But in the locked status, the tags only send back the MID=h (ID B) for any enquiries, so that tags can not offer the functionalities to the eavesdroppers. Against spoofing In most situations, if there is no mechanism of checking that the tags are valid, the adversary could simulate the tags and spoof the database. In the proposed protocol, a tag randomizes a value B and contacts the tag s ID which is hashed by a one-way hash function, i.e., MID=h (ID B). Since the adversary cannot find the authentication of the tag, they cannot get the information. Against man-in-the-middle attack For an adversary, it is easy to intercept the replied signal from a tag, and tries to use this signal to get information from a reader; they could also unlock the tag. He or she may pretend to be a legitimate reader to deceive tags at any time, or other. In the proposed protocol, we dynamically update the UID each session and deny attackers who wish to unlock the tag, since the UID value can not match. Therefore, man-in-the-middle attack can not work to break the proposed scheme. 6. CONCLUSION RFID system can identify an object or a person using wireless transmission. Adopting RFID in a variety of daily applications is a benefit, such as toll collection, library management, warehouse management, and telemedicine (Yang et al, 2006), etc. Therefore, an RFID system is a universal, beneficial, and convenient technology; but it poses many threats to the security and privacy of organizations or individuals. In this paper, we proposed a scheme based on dynamic identification to ensure data privacy and location privacy. Thus, the output of tags changes each time. Finally, we also analyzed that the approach can prevent threats of reply attacks, eavesdropping, spoofing, and man-in-the-middle attack. References Allied Bus Intelligence, (2002) RFID White Paper. 7

9 Cavoukian, A. (2004) Tag, You re It: Privacy Implications of Radio Frequency Identification (RFID) Technology, Information and Privacy Commissioner, Ontario, Toronto, Feb. EPC global Inc. (2007), [online], Sep. 17 Golle, P., Jakobsson, M., Juels, A. and Syverson, P. (2004) Universal Re-encryption for Mixnets, RSA Conf. Cryptographers Track 04, LNCS 2964, pp , Springer-Verlag Juels, A. and Pappu, R. (2003) Squealing Euros: Privacy Protection in RFID-Enabled Banknotes, Financial Cryptography 03, R. Wright, Ed., Springer-Verlag. Juels, A., Rivest, R. L. and Szydlo, M. (2003) The Blocker Tag: Selective Blocking of RFID Tags for Consumer Privacy, Proc. ACM Computer and Communications Security 03, pp Molnar D. and Wagner, D. (2004) Privacy and Security in Library RFID Issues, Practices, and Architectures, Proc. ACM Computer and Communications Security 04, Washington DC, USA, October Ohkubo, M., Suzuki, K. and Kinoshita, S. (2003) Cryptographic Approach to Privacy-Friendly tags, In RFID Privacy Workshop, MIT, USA. Phillips, T., Karygiannis, T. and Kuhn, R. (2005) Security Standards for the RFID Market, IEEE Security and Privacy, Vol. 3, no. 6, pp , Nov.-Dec Weis, S. A. (2003) Radio-Frequency Identification Security and Privacy, Master's thesis, M.I.T. June Weis, S. A., Sarma, S. Rivest, R. and Engels, D. (2003) Security and Privacy Aspects of Low-Cost Radio Frequency Identification Systems, Proc. First International Conference on Security in Pervasive Computing, LNCS 2802, pp , Springer-Verlag Yang Xiao, Xuemin Shen, Bo Sun, and Lin Cai, (2006) Security and Privacy in RFID and Applications in Telemedicine, IEEE, Communications Magazine, Vol. 44, pp , April. 8