Academic year: 2022

Chung Hua University Master's Thesis

Title: Enhanced RFID Security Threat Model for the Consumer (針對消費者加強的 RFID 安全威脅模型)

Enhanced RFID Security Threat Model for the Consumer

Department: Master's Program, Department of Computer Science and Information Engineering. Student ID and name: M09602037 Chun-Hao Su (蘇俊豪). Advisor: Dr. Lin-Chuan Wu (吳林全).

August 2009 (ROC year 98)


Abstract (Chinese)

Radio Frequency Identification (RFID) is a developing technology for object identification, and in the future it will become a ubiquitous infrastructure. Although RFID technology brings many benefits to people, it also has drawbacks: a sophisticated adversary can use malicious attacks to track a consumer's tags and violate the consumer's personal privacy, because every RFID tag carries a unique ID, called the Electronic Product Code (EPC).

Recently, Shantanu et al. proposed an RFID security threat model, but their model does not define multiple personal threat levels. Therefore, in this thesis we design an enhanced security threat model of the RFID system for the consumer. The purpose of building the security threat model is to let consumers understand the various threats that arise when RFID technology is used. In addition, our security threat model offers effective methods to protect the consumer.

To protect the consumer's security effectively, our security threat model defines some criteria that divide the personal privacy threats introduced in this thesis into three levels. In the security threat model of the RFID system we also classify the existing RFID protection mechanisms according to the kind of consumer privacy each protects, and the model can be used to determine whether the protection mechanisms in use secure the RFID system.

Keywords: Radio Frequency Identification (RFID), Privacy, Electronic Product Code (EPC), Threats, Security.


Acknowledgements

Here I wish to express my sincere gratitude to my advisor, Professor Lin-Chuan Wu. Over the past two years his careful guidance and valuable advice have benefited me greatly in my research. In particular, his continual guidance on the concepts in this thesis pointed me in the right direction and made it possible to complete the research results; for this I offer my most heartfelt thanks.

During this period the professor not only taught us the knowledge of our professional field, but also often reminded us of the matters to attend to and the work attitude we should have once we graduate and start working, which will be of lasting use to me in my future working life.

For the completion of this thesis I also thank my labmates 戴瑞成 and 劉冠廷 and the junior students 蔡定國, 吳嘉恩 and 邱煥訓 for their help and suggestions during this time, which allowed me to complete the research smoothly.

Finally, special thanks to my family; their encouragement and full support were the greatest motivation for me to complete my studies over these two years.


Contents

Abstract ... 1

Acknowledgements ... 2

Contents ... 3

Chapter 1 Introduction ... 4

Chapter 2 Background ... 5

Chapter 3 RFID Threats for the Consumer ... 6

Chapter 4 Assessment of RFID Security Threats ... 7

Chapter 5 Building the Security Threat Model of the RFID System ... 8

Chapter 6 Conclusions ... 9

English Appendix ... 10


Chapter 1 Introduction

Radio Frequency Identification (RFID) technology will replace traditional bar code technology and become a ubiquitous infrastructure. RFID has a very wide range of applications, such as access control, vehicle anti-theft systems, animal tracking devices, medical management and supply chain management systems. An RFID system transmits data between tags and readers over radio frequency signals, so the transmitted data may be intercepted. This gives the RFID system a number of security and privacy problems, and many researchers have now begun to pay attention to the security of RFID systems. Garfinkel et al. proposed various security threats to RFID systems; here we describe the consumer's personal privacy threats. In this thesis we define some criteria in the spirit of ISO 27001 to divide the personal privacy threats into three levels: high, middle and low. We also design an enhanced RFID security threat model for the consumer. This chapter briefly introduces the motivation and objective of the thesis. Chapter 2 introduces the background of RFID. Chapter 3 introduces the kinds of threats the consumer faces in an RFID environment. Chapter 4 assesses the RFID security threats and classifies the existing RFID protection mechanisms according to the kind of personal threat each protects against. Chapter 5 introduces how we build the security threat model of the RFID system, and Chapter 6 gives the conclusions.


Chapter 2 Background

Radio Frequency Identification (RFID) is the latest automatic identification technology and will replace the traditional bar code in the future.

The main advantages of RFID technology are:

(1) Data can be updated and reused.

(2) Large data storage capacity.

(3) Several tags can be read at the same time.

(4) Data are convenient to identify and read.

An RFID system communicates over radio signals and consists of four components: the RFID tag, the reader, the middleware and the back-end database. The RFID tag stores an ID, also called the Electronic Product Code (EPC), which is unique. The reader identifies the tag's data: it receives the data sent by the tag and forwards the received tag data to the back-end database. The back-end database stores the information of the different tags. The middleware communicates between the reader and the back-end database; it must also act as a coordinator, providing a consistent interface to the application systems of different vendors.


Chapter 3 RFID Threats for the Consumer

Because an RFID tag has a unique ID, and this ID becomes associated with the consumer's personal identity, it affects the consumer's privacy. In this chapter we describe the seven kinds of personal privacy threats proposed by Garfinkel et al. and classify them. We divide the personal privacy threats into threats of identification information (Threats of Identification Information), threats of behavior information (Threats of Behavior Information) and the threat of track information (Threat of Track Information). The threats of identification information comprise the association threat (Association Threat), the constellation threat (Constellation Threat) and the breadcrumb threat (Breadcrumb Threat). The threats of behavior information comprise the action threat (Action Threat), the preference threat (Preference Threat) and the transaction threat (Transaction Threat). The threat of track information is the location threat (Location Threat).


Chapter 4 Assessment of RFID Security Threats

In the spirit of ISO 27001 we define some criteria that divide RFID threats into three levels, high, middle and low, and then use these criteria to assess the personal privacy threats. The result of our assessment is that the consumer's identification information threats are classified as high, the behavior information threats as middle, and the track information threat as low.

In addition, to protect the consumer's privacy effectively, we classify the different protection mechanisms. We divide them into protocol-based, software-based and hardware-based mechanisms, which protect the consumer's identification information, behavior information and track information respectively. The protocol-based mechanisms comprise the hash lock protocol (Hash Lock Protocol), tag password protection (Tag Password) and tag pseudonym protection (Tag Pseudonyms). The software-based mechanisms comprise tag encryption (Tag Encryption), the tag kill/sleep command (Tag Kill/Sleep Command) and soft blocking (Soft Blocking). The hardware-based mechanisms comprise the blocker tag (Blocker Tag), the Faraday cage (Faraday's Cage) and the proxy mechanism (Proxy mechanism).


Chapter 5 Building the Security Threat Model of the RFID System

The purpose of building the security threat model of the RFID system is to let the consumer know clearly which kinds of threats may arise when using RFID technology. Shantanu et al. earlier proposed an RFID security threat model, but they judge whether an RFID system is secure mainly by the type of tag, and their model does not define multiple threats. Therefore we propose an enhanced RFID security threat model for the consumer. Our model defines three threat levels: we define some criteria in the spirit of ISO 27001 and assess the personal privacy threats against them. In addition, our model classifies the existing RFID protection mechanisms so that each addresses a different personal privacy threat. Finally, our model determines whether the classified protection mechanisms can effectively prevent the adversary's malicious attacks.


Chapter 6 Conclusions

RFID technology uses radio frequency signals to transmit data between tags and readers, and the user cannot perceive the radio transmission. RFID technology therefore causes some privacy and security problems, and security and privacy threats have now become an important issue in RFID technology.

In this thesis we mainly compare the seven kinds of personal privacy threats proposed by Garfinkel et al. and propose an enhanced RFID security threat model for the consumer. In addition, we classify the existing RFID protection mechanisms; the classified mechanisms can effectively prevent the adversary from stealing or spoofing the consumer's private information.


English Appendix


Enhanced RFID Security Threat Model for the Consumer

By

Chun-Hao Su

Advisor: Dr. Lin-Chuan Wu

Department of Computer Science and Information Engineering

Chung-Hua University, Hsinchu 30067, Taiwan

August 2009


Abstract

Radio Frequency Identification (RFID) is a developing technology for object identification that is becoming a ubiquitous infrastructure. Although RFID brings many advantages to people, it also has disadvantages: a sophisticated adversary can use malicious attacks to track the consumer's tag and violate the consumer's individual privacy, since every RFID tag has a unique ID, also called the Electronic Product Code (EPC).

Shantanu et al. recently presented an RFID security threat model, but it does not define multiple threat levels. Therefore, we present an enhanced security threat model of the RFID system for the consumer in this thesis. Our contribution is a security threat model of the RFID system that lets the consumer understand all kinds of threats that arise from using RFID technology. Furthermore, our security threat model offers effective methods to protect the consumer.

In order to protect the consumer efficiently, our model defines some criteria that classify the threats into three levels. We also classify the existing RFID protection mechanisms by the personal privacy threat each protects against, and the model determines whether the RFID system is secure.

Keywords: Radio Frequency Identification (RFID), Privacy, Electronic Product Code (EPC), Threats, Security.


Table of Contents

Abstract ... I

Table of Contents ... II

List of Figures ... IV

List of Tables ... V

CHAPTER 1 Introduction ... 1

1.1 Motivation ... 1

1.2 Objective ... 2

1.3 Thesis Organization ... 3

CHAPTER 2 Background ... 4

2.1 RFID Architecture ... 4

2.1.1 RFID Tag ... 5

2.1.2 Reader ... 6

2.1.3 Middleware ... 7

2.1.4 Back-End Database ... 7

2.2 Terminologies ... 9

CHAPTER 3 RFID Threats for the consumer ... 11

3.1 Threats of Identification Information ... 13


3.2 Threats of Behavior Information ... 14

3.3 Threat of Track Information ... 15

CHAPTER 4 Assessment of RFID Security Threats ... 16

4.1 Building the threat levels to RFID system ... 16

4.2 Comparisons of RFID Threats ... 18

4.3 RFID Security Threats Protection mechanisms ... 22

4.3.1 Protocol-based Protection mechanisms ... 22

4.3.2 Software-based Protection mechanisms ... 24

4.3.3 Hardware-based Protection mechanisms ... 25

CHAPTER 5 Building the Security Threat Model of RFID System ... 28

5.1 Shantanu et al.'s RFID Security Threat Model ... 28

5.2 Our RFID Security Threat Model ... 30

CHAPTER 6 Conclusions ... 35

References ... 36


List of Figures

Figure 2-1 RFID System ... 5

Figure 3-1 Threat contexts in EPC deployment ... 12

Figure 5-1 Shantanu et al.'s RFID security threat model ... 29

Figure 5-2 The Security Threat Model of RFID System ... 32


List of Tables

Table 2-1 Electronic Product Code: 96-bits. ... 8

Table 4-1 The Threat Levels of RFID System ... 18

Table 4-2 The Categories of RFID Threats ... 21


CHAPTER 1 Introduction

1.1 Motivation

Radio Frequency Identification (RFID) is a developing technology for object identification, and it will replace traditional bar code technology as a ubiquitous infrastructure in the future. RFID technology is used in a wide variety of applications such as highway toll systems, vehicle anti-theft systems, animal tracking devices, entry cards, medical management, supply chain management and other specialized applications. RFID therefore brings many advantages to people.

An RFID system uses a radio frequency (RF) signal that provides non-contact identification for data transmission between a "tag" and a "reader", so the data transmission is by nature vulnerable to interception. Moreover, the tag provides a unique identifier or serial number for an object. For these reasons an RFID system may cause security and privacy issues, and RFID technology has some difficulties that have to be overcome, such as the cost of tags and personal privacy. As for personal privacy, because the RFID system uses an RF signal, it may place the consumer in a monitored environment, and the consumer's personal privacy then suffers many threats. Today, as security and privacy issues arise, many researchers are paying attention to the security issues of RFID systems.

Garfinkel et al. [10] describe the various security threats to RFID systems, from which we know that RFID threats can be classified as occurring inside the supply chain, in the transition zone, and outside the supply chain. Threats can also be divided into those primarily affecting corporations, other organizations and individuals. Here, we focus on the consumer's personal privacy threats and present instances to illustrate their different influences on the consumer. Therefore, we design a security threat model of the RFID system in order to let the consumer understand all kinds of threat levels more efficiently.

1.2 Objective

Shantanu et al. [8] presented an RFID security threat model, but it does not define multiple threat levels. Therefore, we present an enhanced security threat model of the RFID system for the consumer in this thesis. Our security threat model can be used to classify RFID threats and to determine whether an RFID system is secure. Following the spirit of ISO 27001 [1, 12], we define some criteria that classify threat levels into high, middle, and low. We also compare the seven kinds of personal privacy threats proposed by Garfinkel et al.


Researchers have proposed various protection mechanisms to address the security and privacy of RFID systems. In order to protect the consumer's security effectively, we classify the existing RFID protection mechanisms.

1.3 Thesis Organization

The rest of this thesis is organized as follows. In Chapter 2, we briefly survey the background of RFID systems. We introduce the RFID threats for the consumer in Chapter 3. The assessment of the threat levels of the RFID system is discussed in Chapter 4. The security threat model of the RFID system is presented in Chapter 5. Finally, we give the conclusions in Chapter 6.


CHAPTER 2 Background

Radio Frequency Identification (RFID) technology is the latest Automatic Identification and Data Capture (Auto-ID) technology and is expected to replace the traditional bar code in the future. RFID is a non-contact, non-line-of-sight automatic identification technology that identifies objects automatically using radio frequency (RF) signals. RFID systems can be used in a variety of applications because of their low cost and compact size. The main advantages of RFID technology are listed as follows.

(1) The data can be updated and reused.

(2) The data storage capacity is large.

(3) Several tags can be read at the same time.

(4) The data are convenient to identify and read.

2.1 RFID Architecture

The RFID system uses radio signals to communicate and consists of four basic components: Tag, Reader, Middleware and Back-End Database. The RFID tag can store data and can be read without line of sight. Furthermore, the RFID tag responds to reader requests: the reader queries the tag for identifying information, receives the data transmitted from the tag, and sends the data to a back-end database. The back-end database stores the various information of each tag. The middleware handles communication between the reader and the back-end database. The structure of the RFID system is shown in Figure 2-1.

[Figure 2-1 is not reproduced; labels recovered from the figure: RFID Tag, Middleware, Back-End Database.]

Figure 2-1 RFID System

2.1.1 RFID Tag

The RFID tag contains the following items:

(1) Antenna

(2) Memory

(3) Power supply

(4) Semiconductor chip

(5) Communications control

Depending on whether or not they carry a battery, tags can be divided into two kinds: active and passive. The passive tag has no on-board power source; it accepts the energy conveyed by the reader and converts it into the electrical energy on which the tag's circuit operates. Therefore, the passive tag needs no external battery and has the advantages of small size, low price and long life, but its read distance is shorter than that of the active tag. The active tag contains on-board power and also has more usable memory. Thus the active tag can provide more complicated circuitry for data storage and encryption functions, and a longer communication range.

2.1.2 Reader

The RFID reader contains the following items:

(1) Antenna

(2) Control electronics module

(3) RF electronics module

(4) Power supply

Using high-frequency electromagnetic waves to transmit energy and signal, the reader can identify tags at a rate of more than 50 per second. It can also use a wired or wireless communication mode to connect to the back-end database. Furthermore, a complex RFID reader is able to authenticate tags, which prevents an adversary from using an unauthorized reader to access the system. The data should be encrypted by the reader in order to protect the integrity of the data.

2.1.3 Middleware

The RFID middleware handles communication between the reader and the back-end database, and it sustains the stability and security of the business system. The RFID middleware gathers the digital data of tags mainly through a wired or wireless mode. It also uses this method to cooperate with different applications, and it can combine network functions for application to medical management, logistics, storage, etc.

2.1.4 Back-End Database

The back-end database stores and processes the various information of each tag in the RFID system, including the product type, manufacturer, manufacture date and expiration date, etc. Since the tag has a unique ID, also called the Electronic Product Code (EPC), the RFID system uses the back-end database to associate the tag with its information and to verify the tag's identity.

The Electronic Product Code (EPC) is considered the RFID replacement for the Universal Product Code (UPC). Today the EPC is also called the Next Generation Barcode; it has the advantage of a large number space, which gives designers the ability to extend it. The most common form is the EPC system managed by EPCglobal Inc. The Electronic Product Code uses the EPCglobal organization's General Identifier (GID-96) format. Under the GID-96 standard it has 96 bits of data and contains four parts. The structure of the Electronic Product Code is shown in Table 2-1.

Table 2-1 Electronic Product Code: 96-bits.

Field: Header | EPC Manager (Manufacturer) | Object Class (Product) | Serial Number
Width: 8 bits | 28 bits                    | 24 bits                | 36 bits

(1) Header: It is used to guarantee the uniqueness of the EPC system.

(2) General Manager Number (EPC Manager): It identifies the company or organization.

(3) Object Class: It breaks down products into groups.

(4) Serial Number: It is unique to the individual object.
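As an added example (not code from the thesis), the following Python decodes and encodes the GID-96 layout of Table 2-1 and shows which fields make two reads linkable to the same product type or the same individual object. The field widths come from Table 2-1; the header value 0x35 is the GID-96 header defined in the EPCglobal Tag Data Standard; the sample EPCs are constructed.

```python
"""Decode and encode the 96-bit General Identifier (GID-96) EPC of Table 2-1."""
from dataclasses import dataclass

GID96_HEADER = 0x35  # GID-96 header value (EPCglobal Tag Data Standard)

# (field name, width in bits), most-significant field first, as in Table 2-1
GID96_FIELDS = (
    ("header", 8),
    ("manager", 28),       # EPC Manager: the company or organization
    ("object_class", 24),  # Object Class: the product group
    ("serial", 36),        # Serial Number: unique to the individual object
)
GID96_BITS = sum(width for _, width in GID96_FIELDS)  # 96


@dataclass(frozen=True)
class Gid96:
    header: int
    manager: int
    object_class: int
    serial: int


def parse_gid96(epc_hex: str) -> Gid96:
    """Split a 24-hex-digit EPC into the four GID-96 fields."""
    digits = epc_hex.replace(" ", "").lower()
    if len(digits) != GID96_BITS // 4:
        raise ValueError("a GID-96 EPC is 96 bits, i.e. 24 hex digits")
    value = int(digits, 16)
    fields = {}
    shift = GID96_BITS
    for name, width in GID96_FIELDS:
        shift -= width                       # fields are packed MSB first
        fields[name] = (value >> shift) & ((1 << width) - 1)
    epc = Gid96(**fields)
    if epc.header != GID96_HEADER:
        raise ValueError(f"not a GID-96 EPC: header is 0x{epc.header:02x}")
    return epc


def encode_gid96(manager: int, object_class: int, serial: int) -> str:
    """Build the 24-hex-digit EPC from the three variable fields."""
    for name, width, val in (("manager", 28, manager),
                             ("object_class", 24, object_class),
                             ("serial", 36, serial)):
        if not 0 <= val < (1 << width):
            raise ValueError(f"{name} does not fit in {width} bits")
    value = (GID96_HEADER << 88) | (manager << 60) | (object_class << 36) | serial
    return f"{value:024x}"


def same_product(a: Gid96, b: Gid96) -> bool:
    """Same manufacturer and product group: enough for a preference threat."""
    return (a.manager, a.object_class) == (b.manager, b.object_class)


def same_item(a: Gid96, b: Gid96) -> bool:
    """Same individual object: the serial number is what links reads to one item."""
    return a == b


def group_by_product(epc_hexes):
    """Count how many tags in a batch of reads fall in each product group."""
    counts = {}
    for h in epc_hexes:
        e = parse_gid96(h)
        key = (e.manager, e.object_class)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample reads: two items of one product plus one of another
    reads = [encode_gid96(0x0ABCDEF, 0x123456, 5),
             encode_gid96(0x0ABCDEF, 0x123456, 6),
             encode_gid96(0x0ABCDEF, 0x654321, 1)]
    for h in reads:
        print(h, parse_gid96(h))
    print(group_by_product(reads))
```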

From the introduction above, we know that an RFID tag has a unique ID and that the RFID system uses an RF signal that provides non-contact identification for data transmission. Besides, both the tags and the readers of an RFID system can be covertly embedded in a particular place. Therefore, an RFID tag can be read by an adversary, which may expose the user to security and privacy threats.

Most privacy threats concern the user, because the unique identifier of an RFID tag can easily be associated with a person's identity. The main personal privacy threats are described in the next chapter.


2.2 Terminologies

We describe some terminology in detail as follows.

(1) Privacy: Protection for a user against discovery and misuse of his or her identity by other users. For example, a password is protected using an encryption algorithm.

(2) Threat: A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. For example, RFID technology poses unique privacy and security concerns because the user cannot sense the RF radiation used to read an RFID tag, and the tag typically maintains no history of past readings. Further, both tags and readers can be covertly embedded in the environment; short-range readers can be small enough to fit into a cell phone.

(3) Vulnerability: Vulnerability refers to how easily a threat can be realized. A vulnerability is a weakness in a system that allows an attacker to violate the integrity of that system. For example, vulnerabilities may result from weak passwords, software bugs, a computer virus, script code injection or SQL injection.


(4) Protection mechanism: Protection mechanisms support the enforcement of security policies to guarantee confidentiality, integrity, and availability for the user.

(5) Security threat model: The security threat model is based on the notion that any system or organization has assets of value worth protecting, and it provides appropriate security countermeasures to mitigate the threats to these assets.


CHAPTER 3

RFID Threats for the consumer

The adversary utilizes the weaknesses of the RFID system to violate the user's privacy and cause different security threats. Garfinkel et al. [10] describe the various security threats to RFID systems, from which we know that RFID threats can be classified as occurring inside the supply chain, in the transition zone, and outside the supply chain. Inside the supply chain includes the factories where tagged objects are manufactured, transportation systems, and distribution centers. The transition zone includes the retail store, the store shelf and the checkout, where tagged items change hands from the vendor to the customer. Outside the supply chain includes all other locations, including customers' homes.

Threats can also be divided into those primarily affecting corporations and other organizations, and those affecting individuals. Here, we focus on the consumer's personal privacy threats. The threat contexts in EPC deployment are shown in Figure 3-1.

[Figure 3-1 is not reproduced. Locations along the supply chain, left to right: Manufacturing, Transportation, Distribution center (inside the supply chain); Retail store, Store shelf, Checkout (transition zone); World, Customer's home (outside the supply chain). Threats plotted across these contexts: Action threat, Association threat, Location threat, Preference threat, Constellation threat, Transaction threat, Breadcrumb threat.]

Figure 3-1 Threat contexts in EPC deployment

Because an RFID tag has a unique ID that becomes associated with the consumer's identity, it affects the consumer's privacy. In this chapter we focus on the consumer's personal privacy threats. Based on the seven kinds of personal privacy threats to RFID systems described by Garfinkel et al. [10], we divide personal privacy threats into three parts: threats of identification information, threats of behavior information, and the threat of track information. We classify the threats and present instances to illustrate their different influences on the consumer as follows.

3.1 Threats of Identification Information

(1) Association Threat: Because the RFID tag of each product carries a unique Electronic Product Code, the code becomes associated with the consumer's identity, and an adversary can use this to obtain the consumer's private information. For example, someone suffering from heart disease buys medicine in a drugstore. Because a tag ID is attached to the medicine bottle, the tag ID can be detected by an adversary, who learns what kind of medicine it is and can then infer that the consumer suffers from this disease.

(2) Constellation Threat: This kind of threat does not consider a single tag carried by an individual. Because the RFID tags form a shadow or constellation around an individual, an adversary can use this technology to track the individual's location without needing to know the individual's identity. For example, someone who usually purchases Michael Jordan merchandise can be inferred to be one of Jordan's fans. An adversary can use a malicious RFID reader to observe whether Michael Jordan goods are present, and hence identification information about the consumer becomes known to the adversary.


(3) Breadcrumb Threat: This kind of threat is an extension of the association threat. When the consumer purchases an item from a retail store, the item's EPC tag is associated with the consumer's identity and this association is stored in the retailer's corporate database. When the consumer later discards the item, the association is not broken: these electronic breadcrumbs remain. The threat arises when the breadcrumbs discarded by the consumer are used by adversaries, which may cause the original consumer to get in trouble with law enforcement.

3.2 Threats of Behavior Information

(1) Action Threat: In this kind of threat, the consumer's intention is inferred by monitoring the actions of a group of tags. For example, if an adversary detects that the consumer recently hired a car (tagged with RFID), the adversary can infer that the consumer intends to travel soon.

(2) Preference Threat: An adversary can scan an RFID tag to reveal the consumer's preferences, since the EPC tag on an item contains the manufacturer, the product type, and the tag's unique serial number. This kind of threat is also a value threat when the adversary can easily determine the item's monetary value. For example, a thief can use this method to find consumers who like to buy jewels of high value, and after gaining this preference information can proceed to steal from the consumer.


(3) Transaction Threat: This kind of threat arises from observing the movement of tagged objects from one constellation to another, from which it can be inferred that the possessors of the two groups of tags have transacted with each other. Therefore the adversary can use this method to learn the consumer's trade behavior, and can later use such information to do harm.

3.3 Threat of Track Information

(1) Location Threat: When the association between a tag and an individual is known, an individual carrying a uniquely identified tag can be monitored and his or her location revealed by a malicious reader. For example, an RFID tag is attached to the consumer's cell phone, and the adversary knows which consumer is associated with the tag. The adversary then uses a malicious reader to track the movement of the cell phone, and the location of the consumer is revealed.


CHAPTER 4

Assessment of RFID Security Threats

We described the threats of the RFID system for the consumer in the last chapter, but the various threats have different influences on the consumer. Therefore, we design threat levels for the RFID system and use these criteria to classify the seven kinds of personal privacy threats. The purpose of categorizing RFID threats is to offer classification criteria to the consumer, and to offer consistent criteria as the basis of threat classification in the future.

4.1 Building the threat levels to RFID system

Following the spirit of ISO 27001 [1, 12, 13], we define some criteria that classify threat levels into high, middle, and low in this chapter. ISO 27001 is a new international standard for risk management that has been verified as a methodical approach to establishing a system that assures information security.

BS7799 is the ancestor of ISO 27001 information security, and BS7799 is an international information security audit standard. BS7799 is mainly divided into BS7799-1 and BS7799-2. ISO17799:2005 (BS7799-1) is mostly used as a reference document that supplies broad security control measures as the best operating methods for present-day information security; however, it is not used as the standard for certification and assessment. BS7799-2:2005 was amended as the ISO27001:2005 information security management system international standard in 2005. This standard is the Information Security Management System (ISMS) and it establishes specific requirements for implementation. According to the requirements of the organization, the requirements for the implementation of security control measures are specified, and it is used as the standard for certification and assessment.

For this reason, following the spirit of ISO 27001 and the degree of the threat's influence on the consumer, we define some criteria to classify the threat levels of the RFID system. Note that the criteria we designed classify RFID threat levels for the consumer, but they are unable to classify corporate data security threats. We classify RFID threats for the consumer into three levels and show the criteria of each threat level in Table 4-1.


Table 4-1 The Threat Levels of RFID System

Threat level | Criteria

Low | 1. The frequency of attacks may exceed once every month.
    | 2. The cost of the attack is greater than the benefit obtained by the adversary.

Middle | 1. The frequency of attacks may exceed once every week.
       | 2. The cost of the attack is approximately equal to the benefit obtained by the adversary.

High | 1. The frequency of attacks may exceed once every day.
     | 2. The cost of the attack is less than the benefit obtained by the adversary.

4.2 Comparisons of RFID Threats

We assess the threat levels of the RFID system according to the criteria of Table 4-1. For example, the threat level is high when the frequency of attacks may exceed once every day and the cost of the attack is less than the benefit obtained by the adversary. The results of classifying all kinds of personal privacy threats are listed below.

(1) The consumer's identification information threats:

The data about the consumer's personal identification are the most confidential and important. Because the RFID tag has a unique ID, the adversary can use the tag ID and malicious attacks to obtain information about the consumer's personal identification. Once the consumer's personal identification data are stolen, the adversary can proceed to all kinds of attacks and learn more of the consumer's personal privacy. The information about the consumer's personal identification is easily stolen, because the adversary can use an RFID reader directly to obtain the data of the RFID tag. Therefore this kind of attack may happen more than once every day, and its frequency is the highest. Besides, this kind of attack does not need much extra manpower, so the cost of the attack is usually less than the benefit obtained by the adversary.

(2) The consumer's behavior information threats:

Once the consumer's personal identification data are stolen, the adversary can use malicious attacks to observe the goods bought by the consumer, gather the consumer's shopping information, and learn the consumer's behavior information. The adversary must first use an RFID reader to obtain the consumer's identification information and must then spend some time observing the consumer's shopping. Therefore an attack on the consumer's behavior privacy is harder to carry out than one on identification privacy, and this kind of attack may happen more than once every week. Because the adversary must spend time observing the consumer's shopping, it needs some extra manpower, so the cost of the attack is usually approximately equal to the benefit obtained by the adversary.

(3) The consumer's track information threat:

The adversary can use a reader to learn the consumer's location, but must first use an RFID reader to obtain the consumer's identification information. When the adversary tracks the consumer, the adversary can learn the consumer's movement habits. But, limited by the ability of the RFID system, the reader can only detect a tag within a range of a few meters; in other words, the adversary must track the consumer for a long time to learn the consumer's route. Therefore, the track attack is harder to implement than the other attacks, so its frequency may exceed once every month. Because the adversary must track the consumer for a long time, it also needs extra manpower. The cost of a track information attack is the highest, and it is usually greater than the benefit obtained by the adversary.

For the reasons above, the level of the consumer's identification information threats is high, the level of the behavior information threats is middle, and the level of the track information threat is low. The threat levels of the seven kinds of personal privacy threats are compared in Table 4-2.

Table 4-2 The Categories of RFID Threats

The kinds of threats | Degree of threat (High / Middle / Low)

Action threat | Middle

Association threat | High

Location threat | Low

Preference threat | Middle

Constellation threat | High

Transaction threat | Middle

Breadcrumb threat | High

RFID tags do not contain any mechanism to protect the data stored on the tag. RFID security and privacy issues have increased, causing consumers to dread and even reject RFID-tagged goods. Therefore, many researchers have proposed various protection mechanisms to address the security and privacy of RFID systems, and finding a solution to protect the consumer in RFID technology has become a major concern.


4.3 RFID Security Threats Protection mechanisms

Researchers have proposed various protection mechanisms to address the security and privacy of RFID systems. In order to protect the consumer's privacy effectively, we classify the existing protection mechanisms of RFID systems in this section as protocol-based, software-based, and hardware-based. Accordingly, the protection mechanisms protect the consumer's identification privacy, behavior privacy, and track privacy respectively.

4.3.1 Protocol-based Protection mechanisms

Because the threats of identification information are classified as high threats, their protection mechanisms should be the most significant. We propose protocol-based protection mechanisms to prevent identification information from being stolen or spoofed by the adversary; they need to guarantee the confidentiality and integrity of the data. The protocol-based protection mechanisms use an authentication protocol to perform access control on the data, so the RFID tag must be an active tag. The protocol-based protection mechanisms are listed as follows.

(1) Hash Lock Protocol: The "Hash Lock Protocol" [11] is a protocol-based protection mechanism used for access control of data, and it is based on one-way hash functions. The tag is provided with a hash function and has a part of its memory reserved for a temporary metaID; the tag operates in either a locked or an unlocked state. A tag in the locked state refuses to disclose its ID until it is unlocked. This scheme prevents a malicious attacker from accessing the data, so the data will not be stolen or spoofed by the adversary.
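The locked/unlocked exchange described above, as an added Python example that is not code from the thesis or from [11]: the tag stores only metaID = H(key) and its real ID, the back-end database maps each metaID to its key, and a reader with database access unlocks the tag while a reader without it sees only the metaID. SHA-256 stands in for the one-way hash; tag IDs and keys are constructed.

```python
"""Hash lock protocol between a locked tag, a back-end database and a reader."""
import hashlib
import secrets
from typing import Optional, Tuple


def H(data: bytes) -> bytes:
    """The one-way hash the tag can compute (SHA-256 here)."""
    return hashlib.sha256(data).digest()


class HashLockTag:
    def __init__(self, real_id: str, key: bytes):
        self._id = real_id
        self._meta_id = H(key)  # the tag holds only the hash of the key
        self._locked = True

    @property
    def locked(self) -> bool:
        return self._locked

    def lock(self, meta_id: bytes) -> None:
        """Store a metaID and enter the locked state."""
        self._meta_id = meta_id
        self._locked = True

    def query(self) -> str:
        """A locked tag answers only with its metaID; an unlocked tag discloses its ID."""
        return self._id if not self._locked else self._meta_id.hex()

    def unlock(self, key: bytes) -> bool:
        """Unlock only when H(key) equals the stored metaID; anything else is rejected."""
        if H(key) == self._meta_id:
            self._locked = False
        return not self._locked


class BackEndDatabase:
    """Maps metaID -> (key, ID); only authorized readers may consult it."""
    def __init__(self):
        self._rows = {}

    def enroll(self, real_id: str) -> Tuple[bytes, bytes]:
        key = secrets.token_bytes(16)
        meta = H(key)
        self._rows[meta.hex()] = (key, real_id)
        return key, meta

    def lookup(self, meta_hex: str) -> Optional[Tuple[bytes, str]]:
        return self._rows.get(meta_hex)


def enroll_tag(real_id: str, db: BackEndDatabase) -> HashLockTag:
    """Register a tag in the database and ship it in the locked state."""
    key, _ = db.enroll(real_id)
    return HashLockTag(real_id, key)


def authorized_read(tag: HashLockTag, db: BackEndDatabase) -> Optional[str]:
    """Reader with database access: query -> lookup key -> unlock -> read ID -> relock."""
    meta_hex = tag.query()
    row = db.lookup(meta_hex)
    if row is None:
        return None          # unknown metaID: nothing to unlock with
    key, _ = row
    if not tag.unlock(key):
        return None
    real_id = tag.query()
    tag.lock(bytes.fromhex(meta_hex))  # return the tag to the locked state after use
    return real_id


def unauthorized_read(tag: HashLockTag) -> str:
    """Reader without the database: sees the metaID and cannot unlock the tag."""
    seen = tag.query()
    tag.unlock(secrets.token_bytes(16))  # a guessed key does not match H(key)
    return seen


if __name__ == "__main__":
    db = BackEndDatabase()
    tag = enroll_tag("TAG-0001", db)   # constructed tag ID
    print("unauthorized reader sees:", unauthorized_read(tag))
    print("authorized reader sees:", authorized_read(tag, db))
```

The metaID returned in the locked state is the same on every query, so the basic scheme hides the ID but not the tag's presence; the randomized hash lock variant proposed by the same authors addresses that.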

(2) Tag password: The "tag password method" [2] is a protocol-based protection mechanism that prevents identification information from being stolen or spoofed by the adversary. An RFID tag can implement authentication PINs or passwords if the tag has enough resources. The tag emits its important information only when it receives the correct password. Therefore the password mechanism can provide effective privacy protection for the consumer.

(3) Tag pseudonyms: The "tag pseudonyms scheme" [4] gives each tag a set of pseudonyms. Each tag stores its set and uses the pseudonyms in turn as its identifier, releasing a different one on each reader query. An authorized reader can identify the tag because it shares the full pseudonym set with the tag beforehand. The tag pseudonyms scheme also guarantees confidentiality and integrity. It is hard for an unauthorized reader to obtain identification information from the consumer.
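The hash lock and tag pseudonym mechanisms above are easiest to understand by seeing what each side of the exchange holds. The following Python simulation is an added example written for this thesis section, not code from the thesis or from the cited papers: a hash-lock tag stores only metaID = h(key) and answers with the metaID while locked, an authorized reader holds a back-end table from metaID to key and unlocks the tag before reading, and an unauthorized reader is left with the metaID alone. A second tag type rotates through a pre-shared pseudonym set; an authorized reader inverts the shared sets into a directory, while a reader without the sets sees a different identifier on every query. SHA-256 as the one-way function, the class and function names, and the sample EPC and key values are all assumptions made for the example.

```python
"""Added example (not from the thesis): a hash-lock tag and a pseudonym-rotating
tag, each with an authorized reader, showing what an unauthorized reader obtains."""
import hashlib
from typing import Dict, Iterable, List, Optional


def one_way_hash(data: bytes) -> bytes:
    """One-way hash shared by tag and back-end. SHA-256 is an assumption here;
    the hash lock scheme only requires some one-way function."""
    return hashlib.sha256(data).digest()


class HashLockTag:
    """Tag holding a real ID and metaID = h(key). While locked it answers with the
    metaID and discloses the real ID only after receiving the matching key."""

    def __init__(self, tag_id: bytes, key: bytes) -> None:
        self._tag_id = tag_id
        self.meta_id = one_way_hash(key)   # the tag never stores the key itself
        self.locked = True

    def query(self) -> bytes:
        return self.meta_id if self.locked else self._tag_id

    def unlock(self, key: bytes) -> bool:
        # Unlock only if h(key) matches the stored metaID; report the new state.
        if one_way_hash(key) == self.meta_id:
            self.locked = False
        return not self.locked

    def lock(self) -> None:
        self.locked = True


class AuthorizedHashLockReader:
    """Reader backed by a database that maps metaID -> key (authorized side)."""

    def __init__(self, key_db: Dict[bytes, bytes]) -> None:
        self.key_db = key_db

    def read_id(self, tag: HashLockTag) -> Optional[bytes]:
        key = self.key_db.get(tag.query())
        if key is None or not tag.unlock(key):
            return None            # unknown metaID or wrong key: nothing learned
        tag_id = tag.query()
        tag.lock()                 # re-lock so the real ID is not left exposed
        return tag_id


def unauthorized_read(tag: HashLockTag) -> bytes:
    """A reader without the key database only ever obtains the metaID."""
    return tag.query()


class PseudonymTag:
    """Tag that cycles through its pre-shared pseudonym set, one per query."""

    def __init__(self, pseudonyms: Iterable[bytes]) -> None:
        self._pseudonyms = list(pseudonyms)
        self._next = 0

    def query(self) -> bytes:
        pseudonym = self._pseudonyms[self._next]
        self._next = (self._next + 1) % len(self._pseudonyms)
        return pseudonym


def build_pseudonym_directory(tag_sets: Dict[bytes, List[bytes]]) -> Dict[bytes, bytes]:
    """Authorized-reader side: invert tag_id -> pseudonyms into pseudonym -> tag_id."""
    directory: Dict[bytes, bytes] = {}
    for tag_id, pseudonyms in tag_sets.items():
        for pseudonym in pseudonyms:
            if pseudonym in directory:
                raise ValueError("pseudonym collision: %r" % pseudonym)
            directory[pseudonym] = tag_id
    return directory


def identify(directory: Dict[bytes, bytes], pseudonym: bytes) -> Optional[bytes]:
    """Map a released pseudonym back to the tag ID, or None if it is not in the set."""
    return directory.get(pseudonym)


if __name__ == "__main__":
    # Constructed sample values, not real EPC data.
    key = b"constructed-16B!"
    tag = HashLockTag(b"EPC-0001", key)
    reader = AuthorizedHashLockReader({tag.meta_id: key})
    print("authorized reader got:", reader.read_id(tag))
    print("unauthorized reader got metaID:", unauthorized_read(tag).hex())
    pseudo_tag = PseudonymTag([b"p1", b"p2", b"p3"])
    directory = build_pseudonym_directory({b"EPC-0002": [b"p1", b"p2", b"p3"]})
    print("pseudonyms seen:", [identify(directory, pseudo_tag.query()) for _ in range(4)])
```

Note that in the hash-lock case the reader sends the key over the air, so a passive eavesdropper on that exchange learns it; the scheme as described protects against unauthorized readers, not against eavesdropping on an authorized read.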


4.3.2 Software-based Protection mechanisms

Because threats to behavior information are classified as middle threats, the corresponding protection mechanisms are significant. We propose software-based protection mechanisms to prevent behavior information from being stolen by an adversary; these mechanisms also need to guarantee the confidentiality and integrity of the data. Accordingly, they prevent an unauthorized reader from violating the consumer's privacy. The software-based protection mechanisms are listed as follows.

(1) Tag encryption: The "tag encryption method" [4] is a software-based protection mechanism that can be used to prevent unauthorized reads. A more complex tag encryption scheme is more effective at preventing theft or spoofing by an adversary, but it brings key management problems and increases the cost of the RFID tag.

(2) Tag kill/sleep command: The EPCglobal standard specifies the EPC kill command, which disables the functionality of the tag. The kill command is the most straightforward method of protecting the consumer's privacy: when an EPC tag receives a "kill" command from a reader, it deactivates itself and cannot be reactivated. Therefore, it removes all post-sale benefits for the consumer and cannot be used to guarantee the availability of data. The sleeping tag [5] and the killed tag [5] are very similar, but a sleeping (deactivated) tag can be reactivated by a "wake up" command. In other words, this software mechanism provides privacy protection for the consumer once the tag receives the sleep command.

(3) Soft blocking: "Soft blocking" [6] is an enhancement of and alternative to the "blocker tag" approach and implements an "opt-in" policy: full privacy is the default. Soft blocking is a software-based protection mechanism embedded in the reader or at the software application level. It involves software modules that offer a flexible range of privacy policies to protect the consumer. The soft blocker tag transmits a policy statement; the security policies are enforced on readers, and readers are monitored in case they violate these policies. This approach requires cooperation from the RFID reader. Soft blockers have the advantage of supporting external audit procedures. Audit mechanisms to assess RFID reader compliance should be in place; soft blocking therefore does not require modifying currently deployed RFID systems.

4.3.3 Hardware-based Protection mechanisms

Because an RFID tag has a unique ID that is associated with the consumer, location information may be revealed by an adversary. The threat to track information is classified as a low threat, so the protection mechanisms are less significant. Accordingly, we must reduce the cost of the tag used to protect the data. Moreover, the communication of an unprotected RFID system can be interrupted by frequency jamming, which resembles a denial-of-service attack. Therefore, we propose hardware-based protection mechanisms that are able to prevent frequency jamming and to prevent location information from being obtained by unauthorized reads. In the hardware-based protection mechanisms, the RFID tag does not need to be an active tag, so the cost of the tag can be reduced. The hardware-based protection mechanisms are listed as follows.

(1) Blocker tag: The "blocker tag" [7] was proposed by Juels et al. and is also used to enhance privacy protection. In order to interrupt communication with all tags or with tags within a specific ID range, the blocker tag exploits the anti-collision protocol, which causes the RFID reader to stall. Therefore, the blocker tag can be used to prevent unauthorized scanning of the consumer's location information. However, it cannot be used to guarantee the availability of data when the blocker tag protection mechanism is implemented.

(2) Faraday's cage: A "Faraday's cage" [7] uses a thin metal foil to shelter the tag so that it cannot be reached by RF signals. When the consumer surrounds the RFID tag with a Faraday's cage, the tag does not operate, because communication between a reader and the tag is blocked by the cage. Therefore, the device can be used to prevent location information from being detected by an adversary. However, it cannot guarantee the availability of data when the Faraday's cage protection mechanism is implemented.

(3) Proxy mechanism: A proxy is a device used to prevent direct communication between a reader and the tag. Rather than relying on public RFID readers to enforce privacy protection, the consumer can use their own privacy protection device, such as a mobile device, for privacy enforcement and increased protection against all kinds of attacks. The proxy detects malicious reader scans and reacts immediately, which can be used to prevent location privacy from being revealed. Various proxy mechanisms, such as the "Watchdog Tag" [3] and the "RFID Guardian" [9], have been presented by researchers.
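The blocker tag of item (1) works by abusing the reader's anti-collision (singulation) protocol, and the effect is clearest in a simulation. The Python code below is an added example written for this section, not code from the thesis or from Juels et al.: it models binary tree-walking singulation, in which the reader broadcasts a prefix and tags whose ID matches answer with their next bit, descending into both subtrees on a collision. A selective blocker answers with every bit that keeps the walk inside a configured privacy zone, so the reader sees a collision at every node of that zone and has to enumerate the whole subtree; tags outside the zone are still read normally, and availability of the zone's tags is lost, as the text states. The 8-bit ID length, the query budget, the class names and the sample IDs are assumptions made for the example (real EPCs are 96 bits, which is what makes the enumeration infeasible in practice).

```python
"""Added example (not from the thesis or from Juels et al.): toy simulation of
binary tree-walking singulation and of a selective blocker tag."""
from typing import List, Sequence, Set, Tuple, Union

ID_BITS = 8  # constructed toy ID length; real EPCs are 96 bits


class SimTag:
    """Ordinary tag: answers with the next bit of its ID when the prefix matches."""

    def __init__(self, tag_id: str) -> None:
        if len(tag_id) != ID_BITS or set(tag_id) - {"0", "1"}:
            raise ValueError("tag_id must be %d bits of 0/1" % ID_BITS)
        self.tag_id = tag_id

    def respond(self, prefix: str) -> Set[str]:
        if len(prefix) < ID_BITS and self.tag_id.startswith(prefix):
            return {self.tag_id[len(prefix)]}
        return set()


class SelectiveBlocker:
    """Blocker tag for a privacy zone (an ID prefix): it answers with every bit
    that keeps the walk inside the zone, so the reader sees a collision at each
    node below the zone prefix and must enumerate the entire subtree."""

    def __init__(self, zone_prefix: str) -> None:
        self.zone = zone_prefix

    def respond(self, prefix: str) -> Set[str]:
        answers: Set[str] = set()
        if len(prefix) >= ID_BITS:
            return answers
        for bit in "01":
            candidate = prefix + bit
            # Answer when the candidate prefix is inside the zone or still on the way into it.
            if candidate.startswith(self.zone) or self.zone.startswith(candidate):
                answers.add(bit)
        return answers


Responder = Union[SimTag, SelectiveBlocker]


def tree_walk(tags: Sequence[Responder], budget: int) -> Tuple[List[str], bool]:
    """Reader-side singulation. Returns (IDs singulated so far, gave_up).
    The reader walks the ID tree depth-first ('0' branch first); on a collision
    it descends into both subtrees. budget bounds the number of reader queries,
    so a blocked reader gives up instead of enumerating 2^k leaves."""
    found: List[str] = []
    stack = [""]
    queries = 0
    while stack:
        prefix = stack.pop()
        queries += 1
        if queries > budget:
            return found, True
        if len(prefix) == ID_BITS:
            found.append(prefix)      # a full-length prefix is a singulated ID
            continue
        bits: Set[str] = set()
        for tag in tags:
            bits |= tag.respond(prefix)
        for bit in sorted(bits, reverse=True):   # push '1' first so '0' pops first
            stack.append(prefix + bit)
    return found, False


if __name__ == "__main__":
    # Constructed sample tags: one outside the zone '1...', one inside it.
    tags: List[Responder] = [SimTag("00001010"), SimTag("11000001")]
    print("no blocker:", tree_walk(tags, budget=100))
    print("with blocker:", tree_walk(tags + [SelectiveBlocker("1")], budget=64))
```

With the blocker present and a small budget the reader reads the tag outside the zone and then gives up inside the zone; with an unbounded budget it reports every one of the 128 zone IDs as a tag, so it cannot tell the real tag in the zone from the blocker's fabricated answers.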


CHAPTER 5

Building the Security Threat Model of RFID System

Our contribution is building an RFID system security threat model for the consumer, so that the consumer can understand all kinds of threats that arise from using RFID technology. In our security threat model, the purpose of categorizing RFID threats is to offer the consumer criteria for classification, and to offer consistent criteria as the basis of threat classification in the future. Furthermore, in our security threat model we offer effective methods to protect the consumer.

5.1 Shantanu et al.'s RFID Security Threat Model

In this section, we describe the RFID security threat model presented by Shantanu et al. [8]. They present a threat model that can be used by end-users to assess the extent of the privacy/security threat caused by a specific RFID system. Their threat model consists of three parts: identification of the threat source, identification of the nature of the threat, and providing methods to mitigate the threat. The model is shown in Figure 5-1.

[Figure 5-1 flowchart. Decision nodes: "Is the device enabled with RFID?" (No: RFID security concerns not applicable); "Active/Passive TAG"; for an active tag, "Is security mechanism enabled?"; for a passive tag, "Determine the degree of privacy information associated with the TAG" (High / Low/None) and, for High, "Is RFID-Guard enabled?". Outcomes: "RFID System Secure" / "RFID System Not Secure".]

Figure 5-1 Shantanu et al.'s RFID security threat model

We now explain the procedure of Shantanu et al.'s RFID security threat model. First, when evaluating the threat posed by an RFID system, the type of tag being used needs to be identified, because the amount of information stored varies with the type of RFID tag. An active tag has built-in power, and it is necessary to implement a security mechanism, such as encryption, to protect the consumer's data. These security mechanisms may not be applicable to a passive tag, because passive tags do not have enough computing power. For a passive tag, the outcome depends on the degree of privacy information associated with the tag. A device like the RFID Guard needs to be deployed when the degree of privacy information of the tag is high. The RFID system is then secure, because the RFID Guard can protect the tag from unauthorized readers; on the contrary, the RFID system is not secure when the RFID Guard is not deployed.

Shantanu et al. presented another major parameter which is not explicitly listed in their RFID security threat model: the location of the tag. If the tagged device is present in a private location, the privacy and security concerns can be ignored. However, if the device is located in a public area and no security mechanisms are deployed, the degree of security threat to the RFID system could be very high.

5.2 Our RFID Security Threat Model

Shantanu et al. [8] presented an RFID security threat model, but it does not have multiple threat levels. Therefore, we present an enhanced security threat model of RFID systems for the consumer in this section; the model is shown in Figure 5-2. We propose this RFID security threat model in the hope that the consumer can understand all kinds of threats produced while using RFID technology.

Our security threat model has multiple threat levels. Furthermore, the personal privacy threats in our security threat model are classified according to the meaning of ISO 27001. Therefore, our security threat model supplies the consumer with criteria for threat classification. The model is used not only to classify the personal privacy threats of RFID systems, but also to determine whether an RFID system is secure. Besides, we also classify the existing RFID protection mechanisms to address the different personal privacy threats in our security threat model.

[Figure 5-2 flowchart (based on ISO 27001). Blocks: START (1.1); "Is the device enabled with RFID?" (1.2); Yes: "Determine the degree of threatening influence for the consumer" (1.3.1); No: "RFID security concerns can not be applied" (1.3.2); High: the consumer's identification information threats (1.4.1); Middle: the consumer's behavior information threats (1.4.2); Low: the consumer's track information threat (1.4.3); Protocol-based protection mechanisms (1.5.1); Software-based protection mechanisms (1.5.2); Hardware-based protection mechanisms (1.5.3); "Is protection mechanism effective?" (1.6); Yes: RFID system secure (1.7.1); No: RFID system not secure (1.7.2); END (1.8).]

Figure 5-2 The Security Threat Model of RFID System

According to the security threat model of the RFID system, we now explain the procedure of the model. The flowchart of the security threat model consists of blocks, and the details are described as follows.

Step 1. First, we must identify whether the device is enabled with RFID or not (Block 1.2). The security concerns cannot be applied (Block 1.3.2) when the device is not enabled with RFID. Otherwise, we proceed to the next step.

Step 2. We determine the degree of threatening influence for the consumer (Block 1.3.1) based on ISO 27001. We classify the seven kinds of personal privacy threats into three levels: high, middle and low. The high threat level concerns the consumer's identification information threats (Block 1.4.1), which consist of the association threat, the constellation threat and the breadcrumb threat. The middle threat level concerns the consumer's behavior information threats (Block 1.4.2), which consist of the action threat, the preference threat and the transaction threat. The low threat level concerns the consumer's track information threat (Block 1.4.3), which is the location threat. These threats have their own protection mechanisms, respectively protocol-based protection mechanisms (Block 1.5.1), software-based protection mechanisms (Block 1.5.2), and hardware-based protection mechanisms (Block 1.5.3).


Step 3. Finally, we must identify whether the protection mechanism is effective (Block 1.6). The protection mechanism is effective if it can completely solve the consumer's RFID threats or reduce the threat level of the RFID system.

For example, suppose the consumer uses protocol-based protection mechanisms to prevent identification information from being stolen by an adversary. The data is hard to steal when the protection mechanism can withstand malicious attacks. The cost of an attack then becomes greater than the benefit obtained by the adversary, and subsequently the frequency of attacks may decrease. Then, the level of the consumer's identification information threats becomes low. In other words, the RFID system will be secure (Block 1.7.1) when the protection mechanism can withstand malicious attacks effectively. However, when the protection mechanism cannot withstand malicious attacks effectively, the privacy threats caused by the RFID system could be very high, and the RFID system will not be secure (Block 1.7.2).
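Steps 1 to 3 describe a decision procedure, and the following Python evaluator is an added example (not part of the thesis) that walks the blocks of Figure 5-2 for one device. It encodes the seven threats and their three levels from Step 2, the mechanism category assigned to each level, and the effectiveness check of Step 3. One reading of the flowchart is assumed here: the device's overall level is the highest level among the threats present, and the system is judged secure (Block 1.7.1) only when the mechanism category for every present threat's level is reported effective. The function name, the return dictionary, and the handling of a device with no threats present (not a case the flowchart draws) are assumptions made for the example.

```python
"""Added example (not from the thesis): evaluator for the flowchart of Figure 5-2."""
from typing import Dict, Iterable, Optional, Set

# Step 2: the seven personal privacy threats and their levels (Blocks 1.4.1-1.4.3).
THREAT_LEVEL: Dict[str, str] = {
    "association": "High", "constellation": "High", "breadcrumb": "High",
    "action": "Middle", "preference": "Middle", "transaction": "Middle",
    "location": "Low",
}
# Protection mechanism category assigned to each level (Blocks 1.5.1-1.5.3).
MECHANISM_FOR_LEVEL: Dict[str, str] = {
    "High": "protocol-based", "Middle": "software-based", "Low": "hardware-based",
}
LEVEL_RANK: Dict[str, int] = {"High": 3, "Middle": 2, "Low": 1}


def assess(rfid_enabled: bool,
           present_threats: Iterable[str],
           effective_mechanisms: Iterable[str]) -> Dict[str, object]:
    """Walk Blocks 1.2 -> 1.3 -> 1.4 -> 1.5 -> 1.6 -> 1.7 for one device.

    present_threats: threats the assessor believes apply (names from THREAT_LEVEL).
    effective_mechanisms: mechanism categories judged effective in Block 1.6.
    Returns the terminal block reached, the overall level, the mechanism
    categories needed, and those still missing."""
    threats: Set[str] = set(present_threats)
    unknown = threats - THREAT_LEVEL.keys()
    if unknown:
        raise ValueError("unknown threat(s): %s" % sorted(unknown))
    effective: Set[str] = set(effective_mechanisms)
    bad = effective - set(MECHANISM_FOR_LEVEL.values())
    if bad:
        raise ValueError("unknown mechanism categories: %s" % sorted(bad))

    if not rfid_enabled:                       # Block 1.2 -> Block 1.3.2
        return {"block": "1.3.2", "level": None, "needed": set(),
                "missing": set(), "secure": None}
    if not threats:                            # assumption: nothing to protect
        return {"block": "1.7.1", "level": None, "needed": set(),
                "missing": set(), "secure": True}

    # Block 1.3.1: overall level is the highest level among the threats present.
    level: Optional[str] = max((THREAT_LEVEL[t] for t in threats),
                               key=LEVEL_RANK.__getitem__)
    # Blocks 1.5.x: every present threat's level needs its mechanism category.
    needed = {MECHANISM_FOR_LEVEL[THREAT_LEVEL[t]] for t in threats}
    # Block 1.6: effective only if no needed category is missing.
    missing = needed - effective
    secure = not missing
    return {"block": "1.7.1" if secure else "1.7.2", "level": level,
            "needed": needed, "missing": missing, "secure": secure}


if __name__ == "__main__":
    # Constructed sample assessments.
    print(assess(True, ["location", "preference"], ["software-based", "hardware-based"]))
    print(assess(True, ["association", "location"], ["hardware-based"]))
```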


CHAPTER 6 Conclusions

RFID technology uses radio frequency (RF) signals to communicate data between a tag and a reader, and the user cannot sense the RF radiation. Therefore, RFID technology has caused some privacy and security concerns. Nowadays, security and privacy threats are becoming one of the major concerns of RFID technology.

The threats compared in this work are based on the seven kinds of personal privacy threats to RFID systems described by Garfinkel et al.

We also proposed an enhanced security threat model of RFID systems for the consumer's security and privacy. Our contribution is building an RFID system security threat model that lets the consumer understand all kinds of threats that arise from using RFID technology. Furthermore, we have classified the existing protection mechanisms of RFID systems to protect the consumer in our security threat model. The classified protection mechanisms can efficiently prevent an adversary from stealing or spoofing the consumer's private information.


References

[1] BSI Group, "ISO/IEC 27002: ISO standards," http://www.bsi-global.com/en/Assessment-and-certification-services/management-systems/Standards-and-Schemes, 2007.

[2] EPCglobal, "EPC Radio-Frequency Identity Protocols Class-1 Generation-2 UHF RFID Protocol for Communications at 860 MHz–960 MHz, version 1.09," 2005.

[3] C. Floerkemeier, R. Schneider, and M. Langheinrich, "Scanning with a Purpose: Supporting the Fair Information Principles in RFID Protocols," Second International Symposium on Ubiquitous Computing Systems (UCS), 2004.

[4] A. Juels, "Minimalist Cryptography for Low-Cost RFID Tags," 4th Conference on Security in Communication Networks (SCN), C. Blundo and S. Cimato, eds., Springer-Verlag, pp. 149–164, 2004.

[5] A. Juels, "RFID Security and Privacy: A Research Survey," IEEE Journal on Selected Areas in Communications, Vol. 24, No. 2, 2006.

[6] A. Juels and J. Brainard, "Soft Blocking: Flexible Blocker Tags on the Cheap," Workshop on Privacy in the Electronic Society (WPES'04), 2004.

[7] A. Juels, R. L. Rivest, and M. Szydlo, "The Blocker Tag: Selective Blocking of RFID Tags for Consumer Privacy," Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS), 2003.

[8] S. Rao, N. Thanthry, and R. Pendse, "RFID Security Threats to Consumers: Hype vs. Reality," IEEE 41st Annual International Carnahan Conference on Security Technology, pp. 59–63, 2007.

[9] M. Rieback, B. Crispo, and A. Tanenbaum, "RFID Guardian: A Battery-Powered Mobile Device for RFID Privacy Management," Australasian Conference on Information Security and Privacy (ACISP), 2005.

[10] S. Garfinkel, A. Juels, and R. Pappu, "RFID Privacy: An Overview of Problems and Proposed Solutions," IEEE Security and Privacy, Vol. 3, No. 3, pp. 34–43, 2005.

[11] S. E. Sarma, S. A. Weis, and D. W. Engels, "RFID Systems and Security and Privacy Implications," Workshop on Cryptographic Hardware and Embedded Systems (CHES), Lecture Notes in Computer Science, pp. 454–469, 2003.

[12] Wikipedia, "ISO/IEC 27001," http://en.wikipedia.org/wiki/ISO_27001.

[13] Wikipedia, "BS 7799," http://en.wikipedia.org/wiki/BS_7799.
