College of Engineering
                                           Computer Engineering Department


                      ...
Agenda

1.        What is RFID? .............................................................................................
1. What is RFID?

RFID (Radio Frequency Identification) is employed to track, identify, detect or get information
about a ...
RFID Tag


                   Reader                                                       Chip

                         ...
2. The use of RFID

       RFID can be applied in several applications. The current uses of RFID are:

       -   In the p...
-   The EPC IS (Electronic Product Code Information Service) represents the database of a
       company that contains the...
4. Security

When we talk about security, there are four principles to respect:

   -   Confidentiality: to be sure that o...
b. Solutions

Cryptographic is known as a good way to protect the data. Therefore, the idea of creating
encrypted RFID is ...
Upcoming SlideShare
Loading in …5
×

Report

547 views

Published on

Published in: Business, Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
547
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
18
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Report

  1. 1. College of Engineering Computer Engineering Department Masters in Software Engineering CMPE 209 – Network Security Fall 2008 Instructor: Richard Sinn Assignment: An Analysis of RFID security Group: IHouse Students: Victor Tsang-Hi (005875311) & Patrick Hetroy (005872997) Due Date: 09/30/2008
  2. 2. Agenda 1. What is RFID? ........................................................................................................................................ 3 2. The use of RFID ..................................................................................................................................... 5 3. EPCglobal architecture .......................................................................................................................... 5 4. Security ................................................................................................................................................. 7 a. An overview of possible attacks........................................................................................................ 7 b. Solutions............................................................................................................................................ 8 5. Conclusion ............................................................................................................................................. 8 2
  3. 3. 1. What is RFID? RFID (Radio Frequency Identification) is employed to track, identify, detect or get information about a person or an object. The purpose of RFID is to store some data or information and to retrieve it remotely by using radio waves. The communication happens between a reader and a device called RFID tag (fig 1) or transponders. Fig1: An RFID tag (source: http://electronics.howstuffworks.com/rfid.htm) The RFID Tag is a chip composed of an integrated circuit containing the information that is stored and an antenna for emitting and receiving the radio waves. There are three types of RFID tags: passive, semi-active and active. In general, each tag works in the same way: 3
  4. 4. RFID Tag Reader Chip Data Antenna www.trevise-consulting.com 1. RFID tag contains a chip where are stored some data and information 2. A radio wave is emitted by a RFID reader to activate the chip of the RFID tag 3. The tag’s antenna will receive the wave from the RFID reader and will activate the tag to send the data stored in the chip to the reader. 4. The reader will receive the response of the RFID tag and will interpret the data. The difference between a passive, semi-active and active RFID tag are: - The passive tag has no internal power. It is the reader that will initiate the communication and will send the signal that will provide the power source for the passive tag to send a response. - The active tag has its own internal power. The active tag can initiate the communication and can broadcast a radio wave to the reader. An active tag can be read in a greater distance than a passive tag. - The semi-active tag has also its own internal power but the power isn’t used to broadcast a signal. The power source is used to get a greater sensitivity to the wave than a passive tag. The storage of the data in a RFID tag can be classified into three types: - Read-Write: data on the RFID tag chip can be added or overwritten - Read-Only: data on the RFID tag chip cannot be added or overwritten - WORM (write one, read many): data on the RFID tag chip can only be added once and cannot be overwritten. 4
  5. 5. 2. The use of RFID RFID can be applied in several applications. The current uses of RFID are: - In the passport called e-passport where the RFID tag contains personal information of the owner of the passport and also a digital picture. - In supply chain management, the RFID system is used to track and manage the products - For animal identification, RFID tags are implanted on animals to identify and also track them. - In the credit card, RFID tags are used in the MasterCard Pay pass, American Express ExpressPay… etc to provide a fast payment. - In the library, RFID tags begin to replace the traditional bar code system. A RFID tag placed in a book can contain more information than a bar code like the book’s title, how many times the book has been lend… etc. RFID tags tend to replace the bar code system. The bar code is a read only system; it is not possible to send information from it. Also using the bar code involves a repetitive process of scanning each item. Using RFID tags present several advantages like the possibility to store more data, the ability for the reader to read many tags at once (quick reading) without placing the object very close to the reader, capabilities for the reader to read and overwrite the data… etc. However, due to the high cost of RFID tags, the replacement of the bar code is only a possibility in a near future. Also, there is no standardization of RFID. Every country can use the frequency they want and implement their own set of rules. But, an organization called the EPCglobal try to standardize and to create standards for RFID. 3. EPCglobal architecture The EPC network components are: - The EPC (Electronic Product Code) is a serial number attributed to an object and it is supposed to replace the bar code. It is designed to identify a unique object and not a class of products. - The ONS (Object Naming Service) is a mechanism used to transform the EPC into an URL to access to a database. The mechanism looks like a DNS (Domain Name System) that associates an IP address into a hostname. 5
  6. 6. - The EPC IS (Electronic Product Code Information Service) represents the database of a company that contains the information about the product identified by the EPC. In the RFID tag’s chip is stored an EPC that corresponds to a unique product. When the RFID reader is going to send a radio wave signal, the RFID tag is going to send his EPC as a response to the signal of the RFID reader. The RFID reader is going to send the EPC to the ONS. The ONS will translate the EPC into an URL that points to the EPC IS. The information about the product is retrieved from the database of the manufacturer. http://www.rfidjournal.com/ This system is powerful and allows several applications for the future: - At the supermarket, you won’t need to wait in a long line to pay. With this system, a tag reader will calculate the cost of all the products of your shopping cart and will send the bill to your bank. - The supermarket keeps a trace of what you bought. Based on this information, it can know your preference and send you a newsletter created just for you. - The future refrigerator will be equipped of a tag reader. The refrigerator will track all the food you store on it. It can know that you have no more milk and automatically order a list of missing items. Also, it can know which products are getting close to the due date and inform you. The possibility with the EPC system is infinite. Unfortunately, hackers and criminals are also interested in this system and are willing to exploit potential RFID weaknesses. 6
  7. 7. 4. Security When we talk about security, there are four principles to respect: - Confidentiality: to be sure that only authorized people can access data - Integrity: the assurance that data have not been modified and are authentic - Availability: data are accessible when it is needed - Non-Repudiation: the insurance that the parties cannot refute the contract that is set up RFID technology has many disadvantages not only in privacy but also in security. As mentioned above, a huge use of RFID would harm people privacy because companies would know exactly who you are by tracking your buys. This privacy problem might be also increased by the lake of security that RFID systems have. a. An overview of possible attacks Many attacks are due to the fragility of the radio system. The radio frequencies can be disrupted by a deliberate transmission of radio signals that reduces the original signal to a noise signal. This is called Radio Jamming. Another way to prevent the RFID system to work properly is to repeat signals until the reader gets unavailable. This is one of the methods of Denial of Service. Also, because of the ease of eavesdropping, a malicious person may intercept RFID query by sniffing the signals exchanged between the RFID tag and the reader. The data may be intercepted and reused to perform different malicious actions or these signals could be replayed. We are in a classic hack of Replay Attack. For instance, when a money transfer is done by RFID, the signal of the transfer can be recorded and replayed many other times without any approbation of the buyer. Attacks can be due to data manipulations In a read/write RFID tag, when data have to be stored, a malicious third party could corrupt the data that have to be stored by changing their values or even by replacing them by empty data. There are cases when the data send from the RFID tag to the reader may disrupt the EPC system. As a matter of fact, if a malicious user wants to attack the back-end RFID middleware database, he could send from the tag a dangerous command to the EPC system like “drop table <tableName>” that would compromise the system. This technique is called SQL injection. 7
  8. 8. b. Solutions Cryptographic is known as a good way to protect the data. Therefore, the idea of creating encrypted RFID is a way to reduce the threats in a RFID communication and to assure the confidentiality of the information. Encrypted RFID exits in two forms: asymmetric key and symmetric key algorithms. Symmetric key used the same key to encrypt and decrypt the data and asymmetric key used a public key to encrypt and a private key to decrypt. However, it is necessary to embed the keys on tags for encrypted RFID. So, encrypted RFID can be the target of physical attacks and can lead to a RFID clone tag. Using a physical shield can be a way to counter the eavesdropping. The physical shield is going to block the radio wave signal and the tag won’t be read unless the physical shield is removed. This mechanism is used in the e-passport. When the passport is closed, it is not possible to read the data stored inside. It is necessary to open the passport to read the tag’s data. An authentication system can be set up to ensure readers and tags identities. When a reader wants to communicate with the tag, it needs to send a pin number to be authenticated by the tag. There are solutions for the security issues of the RFID system. However, when a solution is set up to counter a threat, another issue appears. It is not easy to secure a system but encryption is a good mechanism to reduce the attacks if it is well implemented. 5. Conclusion RFID gets more and more importance and it is applied in a lot of applications. Some new possibilities by using RFID are still in study because of the security issues. It is easy for a hacker to perform an eavesdropping and screw up all the system. The encryption is a good solution to reduce the threats but due to the limitation of the technology and the cost it is difficult to develop a complex encryption system. In a university, a group of researchers succeeded to crack the key of an encrypted RFID because of the weak implementation of the encryption system. There are a lot of security issues in RFID system and it is necessary to fix it to not get rejected by the business and the consumers. 8

×