Evaluating RFID Research a Literature Review

Transcription

1 Evaluating RFID Research a Literature Review Franklin T. Warren Business Information Technology Virginia Polytechnic Institute and State University Fall 2007 A Paper in Partial Fulfillment of the requirements for Networks & Telecomm Business BIT 4554 Dr. Tabitha James

2 Introduction As we approach the end of the first decade of the 21 st Century, research pertaining to Radio Frequency Identification (RFID) has increased. RFID is an innovative information technology that allows organizations the ability to attain massive amounts of data related to products, assemblies, equipment, supplies, inventory, customer service, and machinery. The intended purpose of this paper is to further extend academic research and examine the literature related to Radio Frequency Identification. The literature reviewed has been subcategorized into the following groups: RFID technology development, implementation, privacy, and security. RFID Technology Development Radio frequency identification is a developing technology that uses several basic components in order to satisfy the needs of the implementing organization. Radio frequency identification (RFID) is not a new technology. It has been around since the early 1900 s and was utilized during World War II (Domdouzis, Kumar et al. 2007). Radio frequency identification is a technology that uses a few simple components. The ID tag, is composed of an antenna, integrated circuit, a reader that gathers information from the id tag, and a database system that is used to store the information gained through interrogating the id tag (Roberts 2006). Based upon the application, the identification tag can be active or passive. Active tags in addition to the circuit and antenna have a battery that powers the circuit and allows the tag to pg. 1

3 broadcast information that will be picked up by a reader (Roberts 2006). Passive tags collect and store power from the reader through the use of a capacitor located within the circuit. The circuit then utilizes the energy collected to transmit tag information to the reader(weinstein 2005). Low cost passive tags are the predominantly used form of identification tag. Deciding whether to use active or passive tags is an important component of the architectural design process. Architectural design of the RFID network is imperative when developing a RFID system. This system will be evaluated on the basis of how well it tracks objects. In their article Architecture design and performance evaluation of RFID object tracking systems, Jiann-Liang Chen, Ming-Chiao Chen, Chien-Wu Chen, and Yao-Chung Chang discuss the development of an RFID/IP gateway that uses the Object Naming Service (ONS) protocol to improve the performance of an RFID network (Chen, Chen et al. 2007). According to Solanas and Domingo-Ferrer, it is important to design a network that has the ability to scale in size and maintain data privacy (Solanas, Domingo-Ferrer et al. 2007). A quantitative analysis on a cell based network simulation was performed and the results were gathered for three different conditions to test the scalability of a private network. To meet application requirements autonomous RFID systems have been developed that have the ability to read tags from greater distances (Jedermann, Behrens et al. 2006). Developing RFID technology to support data privacy and the utilization of secret-key, public-key, symmetric and asymmetric cryptographic algorithms to protect the data transmitted via the id tag during interrogation by the reader is critical to the protection and integrity of the system (Robshaw 2006). Additionally, design systems that are interoperable with other technologies such as global positioning satellite pg. 2

4 technology will allow the deployment of RFID systems designed for unique situations (Song, Haas et al. 2007). Implementation Organizations have implemented RFID to make improvements in their materials management, distribution, and transportation processes. Wal-Mart is an example of an organization that initially piloted RFID and its effect to reduce out-of-stock incidences, track products, and cut costs along the supply chain (Angeles 2005). Since then, Wal-Mart announced a mandate that it will ask selected major suppliers to use RFID at the pallet and case levels by the year 2005 (Angeles 2005). The Department of Defense (DoD) will mandate the use of RFID for 100 of its top-tier supplier by the year 2005 as well. This will effect DoD suppliers such as Boeing, Lockheed Martin, Northrop Grumman, Raytheon, and other DoD suppliers that will need to tag all items supplied to the DoD (Twist 2005). RFID has also been used to develop a sushi management system. The technology was implemented to improve the following; food safety, inventory control, service quality, the efficiency of operations, and visibility of the data. Better tracking of raw materials for inventory purposes and real time tracking of sushi availability on the conveyor belt produced instantaneous benefits (Ngai, Cheng et al. 2007). Privacy Due to the invasive nature of RFID tags many privacy issues and concerns exist. An issue that moves to the forefront with the use of RFID tags deal with tracing and tracking of RFID tags. The tracing and tracking of data from tagged objects in the supply chain by competitors pg. 3

5 poses the threat of corporate espionage (Garfinkel, Juels et al. 2005). Tracing and tracking of data after the sale poses consumer privacy issues as tags can be well hidden in packaging (Ayoade 2007). Additionally, RFID tags respond to interrogation request from all readers allowing data to be gathered by others external to the organization (Juels 2006). There are many methods for disabling RFID tags and preventing data from being visible that are currently in use. Additional methods have been proposed for rendering RFID tags inoperable. Implementation of devices and methods such as blocking tags, clipping tags, soft blocking tags, selective blocking tags, and kill commands are used to block or impede the propagation of the RFID signals. Blocking tags are special devices/tags that interfere with the protocol that is used for communication between normal identification tags and readers (Ayoade 2007) and (Jules and Weis 2006). Tag clipping involves disabling the RFID device by removing or breaking the connection between the chip and the antenna. Gϋnter Karjoth and Paul Moskowitz identify several methods to effectively clip tags through the use of tags with removable electrical conductors, the use of tags with perforations, and the use of tags with a peel-off layer (Karjoth and Moskowitz 2005). Soft blocking is a variation on the blocking concept that operates through the utilization of software or firmware. Soft blocking provides for the possibility of utilizing privacy protocols (Juels and Brainard 2004). Selective blocking tags involves altering a blocker tag to prevent the transmissions of a selected set of tags (Juels, Rivest et al. 2003). The kill command is a method of permanently disabling an RFID tag as the tag moves into the hands of a private owner (Juels, Rivest et al. 2003). Additionally, the legal implications that are associated with the use of RFID technology must be addressed. John Ayoade in Privacy and RFID Systems Roadmap to solving security and pg. 4

6 privacy concerns in RFID systems states that RFID and technology should go hand and hand to protect consumers from surveillance (Ayoade 2007). The RFID Bill of Rights enumerated by Garfinkel, and Juels proposes the principle for the fair use of information practices to RFID systems deployment (Ayoade 2007). Security Radio frequency identification security as defined by Ranasinghe, Engels, and Cole is composed of the following components; confidentiality or message content security, integrity of message content, authentication of sender and recipient non-repudiation by the sender, and availability (Ranasinghe, Engels et al. 2004). However, this study will discuss security based upon the following criteria vulnerabilities, protocols, and cryptography. Radio frequency identification has security concerns that must be addressed pertaining to vulnerabilities and making sure that confidential data remains secure. In the article The Evolution of RFID Security, Melanie Rieback, Bruno Crispo, and Andrew Tanenbaum list the following as vulnerabilities to RFID system: replay-attack, man-in-the-middle attack, denial-ofservice attack, and spoofing (Rieback, Crispo et al. 2006). Additional vulnerabilities include tagto-reader eavesdropping, reader-to-tag eavesdropping, rouge scanning, and counterfeiting (Juels 2006). Security concerns for RFID are similar in nature to those posed for computer networks. Similar to the TCP/IP networking model used for computer networks, the RFID communication model consists of the following layers for both the RFID reader and RFID tag; Application Layer, Data Link Layer, and the Physical Layer (Knospe and Pohl 2004). The RFID model just like the TCP/IP model uses protocols to negotiate the transfer of data from the identification tag to the pg. 5

7 reader. Even though a single round protocol such as the Weise, Sarma, Rivest, and Engels uses a lock calculation, it is still susceptible to a replay attack (Piramuthu 2007) and is also vulnerable to a man-in-the-middle attack. However, the model purposed in the paper Security and Privacy Analysis of RFID Authentication Protocol for Ubiquitous Computing, utilizing a modified security protocol, is not vulnerable to a man-in-the-middle attack (Kim and Choi 2007). The RFID communication model utilizes protocols to facilitate the transfer of information between component devices. In order to resolve the vulnerability posed by unauthorized access, Martin Feldhofer developed the Simple Authentication and Security Layer protocol (Feldhofer 2004). Cryptography is used to increase security and reduce the vulnerabilities that RFID tags experience. However, with the low cost of passive RFID tags being utilized, it is difficult to develop an algorithm that can fit the storage capacity (Robshaw 2006). Leonid Bolotnyy and Gabriel Robins, in their paper Physically Unclonable Function-Based Security and Privacy in RFID Systems, they discussed the use of a PUF based tag protocol instead of a cryptographic algorithm (Bolotnyy and Robins 2007). Conclusion Advancements in RFID technology have surpassed the tracking of foreign and domestic airplanes during World War II. Industries that have implemented RFID have experienced both supplier-facing and customer-facing benefits. Examples of these benefits include improved product tracking and post sale warranty information. As the technology matures, existing and potential businesses will have to consider the overall return on investment of RFID. The widespread use of RFID technology may initially be limited to only a selected group of large pg. 6

8 companies like Gillette and Wal-Mart (Smith 2005). They have the financial resources and industry presence to completely implement this process. pg. 7

9 References Angeles, R. (2005). "RFID TECHNOLOGIES: SUPPLY-CHAIN APPLICATIONS AND IMPLEMENTATIONISSUES." Information Systems Management 22(1): 14. Ayoade, J. (2007). "Roadmap to solving security and privacy concerns in RFID systems." Computer Law & Security Report 23(6): Bolotnyy, L. and G. Robins (2007). Physically unclonable Function-Based Security and Privacy in RFID Pervasive Computing and Communications. Chen, J.-L., M.-C. Chen, et al. (2007). "Architecture design and performance evaluation of RFID object tracking systems." Computer Communications 30(9): Domdouzis, K., B. Kumar, et al. (2007). "Radio-Frequency Identification (RFID) applications: A brief introduction." Advanced Engineering Informatics 21(4): Feldhofer, M. (2004). An Authentication Protocol in a Security Layer for RFID Smart Tags. Electrotechnical Conference. Garfinkel, S., A. Juels, et al. (2005). "RFID privacy: an overview of problems and proposed solutions." IEEE Security & Privacy Magazine 3(3): 9. Jedermann, R., C. Behrens, et al. (2006). "Applying autonomous sensor systems in logistics--combining sensor networks, RFIDs and software agents." Sensors and Actuators A: Physical 132(1): Juels, A. (2006). "RFID Security and Privacy: A Research Survey." IEEE Journal on Selected Areas in Communications 24(2): 13. Juels, A. and J. Brainard (2004). Soft Blocking: Flexible Blocker Tags on the Cheap. WEPS'04. Washington, DC, USA. Juels, A., R. L. Rivest, et al. (2003). The Blocker Tag: Selective Blocking of RFID Tags for Consumer Privacy. CCS'03. Washington, DC, USA: 9. Jules, A. and S. A. Weis (2006). "Defining Strong Privacy for RFID." Karjoth, G. and P. A. Moskowitz (2005). Disabling RFID Tags with Visible Confirmation: Clipped Tags Are Silenced. WPES'05 Alexandria, Virginia, USA: 4. Kim, H.-S. and J.-Y. Choi (2007). Security and Privacy Analysis of RFID Authentication Protocol for Ubiquitous Computing. Computer Communications and Networks. Knospe, H. and H. Pohl (2004). "RFID security." Information Security Technical Report 9(4): Ngai, E. W. T., T. C. E. Cheng, et al. (2007). "Mobile commerce integrated with RFID technology in a container depot." Decision Support Systems 43(1): Piramuthu, S. (2007). "Protocols for RFID tag/reader authentication." Decision Support Systems 43(3): Ranasinghe, D. C., D. W. Engels, et al. (2004). Low-cost RFID systems: confronting security and privacy. Proceedings of MIT Auto-ID Labs Research Workshop. Rieback, M. R., B. Crispo, et al. (2006). "The evolution of RFID security." IEEE Pervasive Computing 5(1): 7. Roberts, C. M. (2006). "Radio frequency identification (RFID)." Computers & Security 25(1): Robshaw, M. J. B. (2006). "An overview of RFID tags and new cryptographic developments." Information Security Technical Report 11(2): Smith, A. D. (2005). "Exploring radio frequency identification technology and its impact on business systems." Information Management & Computer Security 13(1): 12. Solanas, A., J. Domingo-Ferrer, et al. (2007). "A distributed architecture for scalable private RFID tag identification." Computer Networks 51(9): Song, J., C. T. Haas, et al. (2007). "A proximity-based method for locating RFID tagged objects." Advanced Engineering Informatics 21(4): pg. 8

10 Twist, D. C. (2005). "The impact of radio frequency identification on supply chain facilities." Journal of Facilities Management 3(3): 13. Weinstein, R. (2005). "RFID: A Technical Overview and Its Application to the Enterprise." IEEE IT Professional 7(3): 6. pg. 9