CMPE 209 Research Paper – RFID Security

Submitted to: Prof Richard Sinn

Snehal Patel – 005921682
Hitesh Patel – 005820360

INDEX

1. What is RFID?
2. How RFID works?
3. Security Concerns of RFID
4. Vulnerability of RFID security
5. Conclusion


1. What is RFID?

RFID is an acronym for Radio Frequency Identification. It is currently the most prevalent technology for tracking goods and has replaced traditional barcodes. Wal-Mart spent millions of dollars in late 1990 on RFID research. RFID is all about obtaining real-time information about the product being tracked, such as its present location, planned destination and contents.

2. How RFID works?

RFID is not a new technology; it is very similar to barcodes. Since all the different businesses handling a product need to share information about it, each unit has to be able to read a common code. RFID uses the EPC (Electronic Product Code), which plays a role very similar to a barcode. The EPC is a unique number associated with each RFID tag.

The EPC number on each tag is unique, and all EPC systems run a common protocol, called the EPC protocol. The EPC protocol specifies two things: 1) how information is separated and stored in the tags, which is called the numbering scheme, and 2) how the tags and the readers communicate.

An RFID system consists of an RFID reader, RFID tags and an antenna. The antenna is a passive device and is needed only to send and receive signals efficiently. The essential components of an RFID system are the reader and the tag, and the essence of the system is the communication between reader and tags over the air interface at a particular frequency. Figure 1 below shows the basic components of an RFID system.

Figure 1 – RFID tags, reader and an antenna.


a) RFID reader: An RFID reader is actually a transceiver: it sends as well as receives signals. It radiates signals via the antenna over the air at a particular frequency. These signals are received by the tag, which sends back a response that the reader then receives.

b) RFID tag: RFID tags are the main component of the RFID system. A tag is made up of a chip, or Integrated Circuit (IC), which carries the unique EPC together with the logic to take a particular action when it is in front of a reader. There are two types of tags: i) active tags and ii) passive tags.

i) Active tags: They have a power supply of their own and need continuous power. They are capable of storing 128 kb of data.

ii) Passive tags: They do not need their own power supply. Instead they harvest power from the electromagnetic field generated by the reader's waves. Their range is shorter and they store only a very small amount of data, 128 bytes.

Tags are further classified into Class 0 and Class 1. Class 0 tags are read-only: the information once written on them cannot be modified, so one has to use the number written by the manufacturer. Class 1 tags are programmable, usually of the WORM (write once, read many) type. Depending on the manufacturer, tags can store 64, 96, 128, 256 or 512 bytes of data. Also, depending on the class and generation of the tag, the data on it can be encrypted.

Traditional barcodes use what is called the UPC (Universal Product Code). The UPC scheme is shown below in Figure 2.


Figure 2 – The UPC scheme in barcode.

In the UPC scheme, the empty spaces and the black lines hold the data; these lines encode a generic UPC number. The UPC number consists of 4 parts. The first part is a single digit and identifies the numbering system that is followed. The second part consists of 5 digits and is the manufacturer ID number, which is unique to each manufacturer. The next 5 digits represent the item number, and the last digit is the modulo check character, which works much like a checksum. All these parts are shown in Figure 2.

RFID uses EPC (Electronic Product Code). This is shown below in Figure 3.

Figure 3 – The EPC scheme used by RFID.

The EPC can store much more information than the UPC. The EPC scheme consists of 4 fields. The first field is 8 bits long and is called the Header field; it tells the reader what type of number follows. The next field is the EPC manager and identifies the company. The next field is the object class and identifies the type of item. The last field is the serial number of the individual item within that object class.

The total length of an EPC number is 96 bits. This is a very large number space, so a number is never repeated; hence each tag has a unique number.
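A parser for both identifier formats just described, added here as an example; it is not code from the paper. The UPC-A part layout (1 + 5 + 5 + 1 digits) follows the text above; the EPC field widths beyond the 8-bit header are not given in the paper and are an assumption taken from the EPC GID-96 layout (header value 0x35, 28-bit manager, 24-bit object class, 36-bit serial).

```python
# Added example (not from the paper): parse the two identifier formats the
# paper compares. The UPC-A layout (1 + 5 + 5 + 1 digits) follows the text.
# ASSUMPTION: the EPC field widths follow the EPC GID-96 layout (8-bit header
# 0x35, 28-bit manager, 24-bit object class, 36-bit serial); the paper gives
# only the 8-bit header and the 96-bit total.

def upc_check_digit(first11: str) -> int:
    """Modulo-10 check character: odd positions weighted 3, even positions 1."""
    odd = sum(int(d) for d in first11[0::2])
    even = sum(int(d) for d in first11[1::2])
    return (10 - (odd * 3 + even) % 10) % 10

def parse_upc(code: str) -> dict:
    """Split a 12-digit UPC-A into its four parts, rejecting a bad check digit."""
    if len(code) != 12 or not code.isdigit():
        raise ValueError("UPC-A must be exactly 12 digits")
    if upc_check_digit(code[:11]) != int(code[11]):
        raise ValueError("UPC-A check digit mismatch")
    return {"number_system": code[0], "manufacturer": code[1:6],
            "item": code[6:11], "check": code[11]}

GID96_HEADER = 0x35
GID96_FIELDS = (("header", 8), ("manager", 28), ("object_class", 24), ("serial", 36))

def parse_epc96(hex_epc: str) -> dict:
    """Slice a 24-hex-character (96-bit) EPC into header/manager/class/serial."""
    if len(hex_epc) != 24:
        raise ValueError("EPC-96 must be 24 hex characters (96 bits)")
    value, fields, shift = int(hex_epc, 16), {}, 96
    for name, width in GID96_FIELDS:
        shift -= width
        fields[name] = (value >> shift) & ((1 << width) - 1)
    if fields["header"] != GID96_HEADER:
        raise ValueError("header is not the GID-96 header")
    return fields

def build_epc96(manager: int, object_class: int, serial: int) -> str:
    """Inverse of parse_epc96; rejects values that overflow their field."""
    value = GID96_HEADER
    for v, (_, width) in zip((manager, object_class, serial), GID96_FIELDS[1:]):
        if not 0 <= v < (1 << width):
            raise ValueError("field value does not fit in %d bits" % width)
        value = (value << width) | v
    return "%024X" % value

if __name__ == "__main__":
    print(parse_upc("036000291452"))                       # constructed sample
    print(parse_epc96(build_epc96(0x0ABCDEF, 0x123456, 0x789)))
```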


3. Security concerns of RFID

The main security concern with RFID is that world-readable tags can be read by unwanted entities. These tags are usually not encrypted and their illicit reading cannot be prevented. The EPC tags form a so-called global network of the items being tracked, and this EPCglobal network is susceptible to DoS attacks.

The tag is the source of information. It has limited memory and limited or no power at all, and because of these limitations it is difficult to use encryption mechanisms in RFID tags. Encrypted tags can nevertheless be used. In such cases the tag's information is never sent over the insecure wireless channel; instead the reader sends an encrypted challenge to the tag and the tag sends back a reply computed by its cryptographic circuit. These algorithms can be symmetric-key or public-key. Tags that support cryptography are very costly and need a considerable amount of power.

RFID-enabled credit cards are widely used these days. Using a simple gadget available for a mere $8 on Amazon.com, all the details of a credit card can easily be stolen: the attacker has only to come near the card's owner and the sensitive details can be sniffed. Many countries have issued RFID-enabled passports, which contain an RFID chip. The encryption of the chip in the UK passport was broken in 48 hours.

There are many ready-made tools available, e.g. RFDump, which can easily read the data from RFID tags. One such tool is shown below, in Figure 3.


Figure 3 – RFDump GUI.

4. Vulnerability of RFID security

A. CIA in RFID

1. Privacy:

- Most data transfer between the tag and the tag reader is in plain text format, so anybody can sniff the data.

- Any tag reader can read a tag within reading range without the tag owner's permission.

- Pallet/crate tagging is used by most applications. In this case an attacker can change the tag and harm the whole ecosystem.

- Even with encrypted data transfer, the unique tag number is transmitted in plain text. This unique tag identity creates a problem where personal information is attached to it. For example, when we buy an item from a shop using a credit card, the RFID-enabled bill is linked to our credit card information. If an attacker has access to that relational database, then from a simple bill he can steal personal information.

2. Data integrity:

- As discussed, most data transfer between tag and tag reader is in plain text. Anybody can change the data in transit and the tag reader gets wrong information.

- The tag does not provide any support for detecting data tampering. Anybody can change a reader query.

3. Authentication


- A passive tag responds to any reader: it will reply indiscriminately without alerting its owner.

- In most cases the tag cannot authenticate whether the reader is a trusted reader or not.

- A reader can identify the tag by its unique identity but cannot authenticate the data transferred by the tag.

B. Possible Attacks on RFID Systems

1. Man-in-the-middle attack

Because there is no encryption of the data transfer, an attacker can sniff the data and misuse it in various ways.

2. DoS attack (tag killing attack)

The tag answers any reader indiscriminately. An attacker can send a large number of queries to the tag and render it useless.

3. Replay attack

The attacker sniffs data from the communication between tag and reader, tampers with that data and sends it back to the tag or reader. Present solutions provide no security against this kind of attack.

4. Physical attack on tag

An attacker can tamper with the tag data by physically attacking the tag. Tamper-resistant memory is not possible for a tag.

C. Future Enhancement

1. Hash Lock

A hash lock in the tag is similar to a lightweight access control mechanism. We install a lock in the tag, after which it can only be read by a reader that has the key to that lock.

Steps to lock the tag:

- Reader selects a random key and calculates the hash of the key: MetaID = HASH(key)

- Reader writes MetaID into the tag.

- Now the tag is in the locked state.

- Reader stores its key and the tag key in a backend database or locally.


Figure 4 - Unlocking processes for HASH lock tag

Once the tag is in the locked state, the reader needs to follow the steps below to read it:

- Reader sends a query for MetaID

- Tag sends MetaID

- Reader finds the pair [key, MetaID] and sends the key to the tag

- Tag calculates the hash of the key and compares it with MetaID. If HASH(key) == MetaID then it unlocks itself.

Benefits:

- A locked tag will not send data to every reader.

- Gives protection from DoS attacks.

Problem:

- It will not provide security from any sniffer or any data integrity issues. But every reader is
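A simulation of the hash lock protocol above, added here as an example and not the paper's own code. The locked tag answers every query with MetaID only, the reader unlocks it with the stored key, and the final step shows the problem the paper names: the key crosses the air interface in clear, so anyone who sniffed it can unlock the tag again. HASH being SHA-256 and the key being 16 random bytes are assumptions; the paper fixes neither.

```python
import hashlib
import os

# Added example, not the paper's code: a simulation of the hash lock above.
# ASSUMPTION: HASH is SHA-256 and the key is 16 random bytes (the paper fixes neither).

def HASH(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

class Tag:
    def __init__(self, tag_id: bytes):
        self.tag_id = tag_id
        self.meta_id = None             # None means unlocked
    def lock(self, meta_id: bytes) -> None:
        self.meta_id = meta_id
    def query(self) -> bytes:
        # A locked tag answers every reader with MetaID only, never with its ID.
        return self.tag_id if self.meta_id is None else self.meta_id
    def unlock(self, key: bytes) -> bool:
        if self.meta_id is not None and HASH(key) == self.meta_id:
            self.meta_id = None
            return True
        return False

class Reader:
    def __init__(self):
        self.table = {}                 # back-end pairs: MetaID -> key
    def lock_tag(self, tag: Tag) -> None:
        key = os.urandom(16)            # reader selects a random key
        meta_id = HASH(key)             # MetaID = HASH(key)
        tag.lock(meta_id)
        self.table[meta_id] = key
    def read_tag(self, tag: Tag, air: list):
        meta_id = tag.query()
        key = self.table.get(meta_id)
        if key is None:
            return None                 # MetaID not in our table
        air.append(key)                 # the key crosses the air interface in clear
        tag_id = tag.query() if tag.unlock(key) else None
        tag.lock(meta_id)               # re-lock with the same stored MetaID
        return tag_id

def demo() -> bool:
    tag, reader, air = Tag(b"EPC-0001"), Reader(), []   # constructed sample
    reader.lock_tag(tag)
    assert tag.query() != b"EPC-0001"   # a rogue reader learns only MetaID
    assert reader.read_tag(tag, air) == b"EPC-0001"
    return tag.unlock(air[-1])          # True: the sniffed key replays against the tag
```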

2. Randomized Hash Lock

In this mode, the tag will not respond to an unauthorized reader. The method requires the tag to have a random number generator along with its key. Here are the steps to unlock the tag:

- Reader sends a Query to the tag

- Tag generates a random number and calculates the HASH of its tag id and the random number.

- Tag sends the random number together with the hash of id and random number.

- Reader calculates the hash of every known id with the random number and matches the result against the hash the tag sent.

- Reader sends the matching id back to the tag

- Tag compares it with its own id and, if both are equal, it unlocks.


Figure 3 - Unlocking process of randomized HASH lock

Benefits:

- A locked tag will not send data to every reader, as before.

- Gives protection from DoS attacks.

Problem:

- The reader needs to calculate the hash for all available tag ids, so this method is not good for an owner who has a large number of tags.

- It is slow compared to the first method.

Conclusion: RFID is popular and widely used because it is very cheap. In most cases passive RFID tags are used, but passive tags have limited power and limited computational resources, which puts security at stake: it is difficult to implement security features in such a limited-resource system. Hence even though RFID is widely used, RFID systems can easily be attacked, leaking sensitive information.
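A simulation of the randomized hash lock, added here as an example and not the paper's own code. Each query gets a fresh random number so two replies from the same tag cannot be linked, and the reader's hash counter makes the cost the paper objects to visible: a single read costs one hash per known tag id. HASH being SHA-256 and the random number being 16 bytes are assumptions.

```python
import hashlib
import os

# Added example, not the paper's code: a simulation of the randomized hash lock
# above. ASSUMPTION: HASH is SHA-256 and the nonce is 16 bytes; the paper fixes neither.

def HASH(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

class RandomizedTag:
    def __init__(self, tag_id: bytes):
        self.tag_id = tag_id
        self.locked = True
    def query(self):
        r = os.urandom(16)              # fresh random number for every query
        return r, HASH(self.tag_id + r) # (r, HASH(id || r)); no static value leaks
    def unlock(self, tag_id: bytes) -> bool:
        if tag_id != self.tag_id:
            return False
        self.locked = False
        return True

class RandomizedReader:
    def __init__(self, known_ids):
        self.known_ids = list(known_ids)
        self.hashes_computed = 0        # cost counter for the search below
    def read_tag(self, tag: RandomizedTag):
        r, h = tag.query()
        for tag_id in self.known_ids:   # must try every id: O(n) hashes per read
            self.hashes_computed += 1
            if HASH(tag_id + r) == h:
                return tag_id if tag.unlock(tag_id) else None
        return None                     # unknown tag, or a forged response

def demo(n: int = 1000) -> int:
    ids = [b"EPC-%04d" % i for i in range(n)]     # constructed sample fleet
    reader = RandomizedReader(ids)
    tag = RandomizedTag(ids[-1])                  # worst case: last id in the list
    assert tag.query() != tag.query()             # two replies are unlinkable
    assert reader.read_tag(tag) == ids[-1]
    return reader.hashes_computed                 # n hashes for a single read
```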
