Abstract
Radio Frequency IDentification (RFID) is a method of remotely storing and retrieving data using small and inexpensive devices called RFID tags. Products labeled with such tags can be scanned efficiently using readers that do not require line-of-sight. This form of identification, often seen as a replacement for barcode technology, can lead to improved logistics, efficient inventory management, and ultimately better customer service.
However, the widespread use of radio frequency identification also introduces serious security and privacy risks since information stored in tags can easily be retrieved by hidden readers, eventually leading to violation of user privacy and tracking of individuals by the tags they carry.
In this chapter, we will start by building some background on the types, characteristics, and applications of RFID systems. Then we will describe some of the potential uses and abuses of this technology, discuss in more detail the attacks that can be applied to RFID systems and, finally, review some of the countermeasures that have been proposed to date.
Copyright information
© 2008 Springer Science+Business Media, LLC
About this chapter
Cite this chapter
Dimitriou, T. (2008). RFID Security and Privacy. In: Kitsos, P., Zhang, Y. (eds) RFID Security. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-76481-8_3
DOI: https://doi.org/10.1007/978-0-387-76481-8_3
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-76480-1
Online ISBN: 978-0-387-76481-8
eBook Packages: Engineering, Engineering (R0)