Abstract
The recent emergence of RFID tags capable of performing public key operations motivates new RFID applications, including electronic travel documents, identification cards and payment instruments. In this context, public key certificates form the cornerstone of the overall system security. In this paper, we argue that one of the prominent challenges is how to handle revocation and expiration checking of RFID reader certificates. This is an important issue considering that these high-end RFID tags are geared for applications such as e-documents and contactless payment instruments. Furthermore, the problem is unique to public key-based RFID systems, since a passive RFID tag has no clock and thus cannot use (time-based) off-line methods.
In this paper, we address the problem of reader certificate expiration and revocation in PKI-based RFID systems. We begin by observing an important distinguishing feature of personal RFID tags used in authentication, access control or payment applications – the involvement of a human user. We take advantage of the user’s awareness and presence to construct a simple, efficient, secure and (most importantly) feasible solution. We evaluate the usability and practical security of our solution via user studies and discuss its feasibility.
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Nithyanand, R., Tsudik, G., Uzun, E. (2010). Readers Behaving Badly. In: Gritzalis, D., Preneel, B., Theoharidou, M. (eds) Computer Security – ESORICS 2010. ESORICS 2010. Lecture Notes in Computer Science, vol 6345. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-15497-3_2
DOI: https://doi.org/10.1007/978-3-642-15497-3_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-15496-6
Online ISBN: 978-3-642-15497-3
eBook Packages: Computer Science (R0)