Radio Frequency Identification

(Part-II)

By

Ram Gopal Soni

MSCLIS Semester-I

Indian Institute of Information Technology, Allahabad

 

Standards

ISO 14223/1 – Radio frequency identification of Animals, advanced transponders – Air interface

ISO 14443: This standard is a very popular HF (13.56 MHz) standard for HighFIDs which is being used as the basis of RFID-enabled passports under ICAO 9303.

ISO 15693: This is also a very popular HF (13.56 MHz) standard for HighFIDs widely used for non-contact smart payment and credit cards.

Air Interface (frequency) standards:

ISO/IEC 18000: Information technology — Radio frequency identification for item management:

o Part 1: Reference architecture and definition of parameters to be standardized

o Part 2: Parameters for air interface communications below 135 kHz

o Part 3: Parameters for air interface communications at 13,56 MHz

o Part 4: Parameters for air interface communications at 2,45 GHz

o Part 5: Parameters for air interface communications at 5.8 GHz

o Part 6: Parameters for air interface communications at 860 MHz to 960 MHz

o Part 7: Parameters for active air interface communications at 433 MHz

 

RFID and Wireless Sensor Networks

In RFID technology, the system simply provides a tag that can remotely identify an object by returning an ID when interrogated over short ranges. As RFID becomes more popular in industry, a more advanced use comes into the picture: the sensor network. A natural progression for RFID is likely to include the widespread incorporation of sensor functionality, so that such devices will be able to measure their surroundings and physical location, covering variables such as pressure, temperature, flow rate, speed and vibration. They can be networked either through RF technologies or through other wireless communication systems, and these networks are often referred to as sensor nets or wireless networked sensors. Such networked, RFID-enabled objects can become more valuable because they will be able to carry signatures and histories (e.g. every time they are accessed, they will record the details of that access). These RFID-based sensors will need to communicate in order to participate in the network, so that the information can be made available in any place. However, there are many other computational devices which do not necessarily use radio frequency for communication. Other protocols currently available or under development include ZigBee, Near Field Communication (NFC), Bluetooth and Wi-Fi. ZigBee is focused on individual devices (such as smoke detectors, lamps and consumer electronics) that need robust, low-bandwidth, low-cost, low-power, peer-to-peer communication. NFC is designed for very short-range communication (the devices have to be very close to the signalling system to work).

Current Applications of RFID

The most common applications of RFID are:

1. Passports

2. Human implants

3. Supply-chain tracking of inventory – visibility of location/condition

4. Homeland security – container tampering

5. Livestock history – where has that cow been?

6. Pet ownership – tags injected under the skin

7. Passport biometrics – match data in tag to measurement at port

8. Access control – contactless smart card

9. Electronic payment systems (tolls, point-of-sale) – automatic payment

10. Tracking children and their belongings – Japanese/CA schools

11. Marathons – track position of runners

12. Games – theme park ride reservations, playground games

13. Museums – security and index to information

14. Luggage tracking in airports – no line-of-sight requirements

15. Clothing – receipt-less returns, smart closet, consumer buying habits

16. Libraries – tracking of books and reshelving assistance

17. Hospitals – patient and medication tracking, automated checking

18. Handicapped – shopping assistance for the visually-impaired

RFID Security Issues

(1) Security Objectives

Communication between an RFID reader and a tag is wireless, so security objectives such as:

  1. Confidentiality,
  2. Integrity,
  3. Availability,
  4. Authentication,
  5. Authorization,
  6. Non-repudiation and
  7. Anonymity

often cannot be achieved unless special security mechanisms are integrated into the system. The privacy aspect of RFID systems has gained special attention. Consumers may carry objects with silently communicating transponders without even realising that the tags exist. Passive tags usually send their identifier without further security verification when they are powered by electromagnetic waves from a reader. The ID information can also be linked to other identity data and to location information. Consumers might employ a personal reader to identify tags in their environment, but the large number of different standards may render this difficult. Companies are facing customer fears, and the privacy issues may become a major obstacle to further RFID development.

(2) Security Properties

Confidentiality

The communication between reader and tag is unprotected in most cases (with the exception of ISO 14443 systems). Eavesdroppers may thus listen in if they are within range. Furthermore, the tag’s memory can be read if access control is not implemented.

Integrity

Except in high-end ISO 14443 systems, which use message authentication codes (MAC), the integrity of transmitted information cannot be assured. Checksums (CRC) are often employed on the communication interface but protect only against random failures. In addition, a writable tag’s memory can be manipulated if access control is not implemented.
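The difference between a CRC and a MAC described above can be checked directly. The following is an added example, not part of the original article; it assumes CRC-16/CCITT as a stand-in for the air-interface checksum and truncated HMAC-SHA-256 as a stand-in for the MAC, and the key and memory block are constructed sample values.

```python
import binascii
import hashlib
import hmac

MAC_LEN = 8  # truncated MAC length in bytes (assumption for this sketch)

def crc16(data: bytes) -> bytes:
    # CRC-16/CCITT from the standard library, standing in for the air-interface CRC.
    return binascii.crc_hqx(data, 0xFFFF).to_bytes(2, "big")

def mac(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA-256 stands in for the MAC; the article does not name an algorithm.
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]

def crc_frame(payload: bytes) -> bytes:
    return payload + crc16(payload)

def crc_ok(frame: bytes) -> bool:
    return crc16(frame[:-2]) == frame[-2:]

def mac_frame(key: bytes, payload: bytes) -> bytes:
    return payload + mac(key, payload)

def mac_ok(key: bytes, frame: bytes) -> bool:
    return hmac.compare_digest(mac(key, frame[:-MAC_LEN]), frame[-MAC_LEN:])

def flip_bit(frame: bytes, bit: int) -> bytes:
    # Model a random channel error: invert one bit of the frame.
    out = bytearray(frame)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)

def single_bit_errors_caught(frame: bytes, check) -> bool:
    # True if the check rejects every possible one-bit corruption of the frame.
    return not any(check(flip_bit(frame, b)) for b in range(len(frame) * 8))

if __name__ == "__main__":
    key = b"constructed-shared-key"        # constructed sample key
    block = b"LOT=0417;QTY=010"            # constructed sample memory block
    changed = b"LOT=0417;QTY=999"          # same block after deliberate modification
    print("CRC catches channel errors:", single_bit_errors_caught(crc_frame(block), crc_ok))
    # Anyone can compute a CRC, so a modified block with a fresh CRC is accepted.
    print("CRC accepts modified block:", crc_ok(crc_frame(changed)))
    # Without the key, the modified block cannot carry a valid MAC.
    print("MAC accepts modified block:", mac_ok(key, changed + mac(key, block)))
```
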

Availability

Any RFID system can be disturbed by frequency jamming, but denial-of-service (DoS) attacks are also feasible on higher communication layers. The “RFID Blocker” can exploit tag singulation (anti-collision) mechanisms to interrupt the communication of a reader with all tags or with specific tags.

Authenticity

Tags are generally not tamper resistant, so the unique identifier (UID) of a tag can be spoofed or manipulated.

Anonymity

The UID can be used to trace a person or an object carrying a tag in time and space, and the traced person may not even notice this. The collected information can be merged and linked in order to generate a profile of the person. A similar problem can occur in supply-chain applications, where undesired product scans are possible.

Security Mechanisms and Proposals

Effective security mechanisms can provide protection against the described threats, but in an RFID system security and low cost are inversely related. It should be taken into account that the primary purpose of RFID technology is to make cheap, automated identification available. Security mechanisms can therefore hardly be implemented, because of their complexity and the constrained computing resources of the tag. AES, SHA-1 and public-key protocols like NTRU are too elaborate for low-cost tags. So it is possible to develop security mechanisms using these protocols and standards.

Access Control and Authentication

The tags can implement access control mechanisms for their read/write memory. Access to the UID is often unrestricted, and the strength of memory access control procedures varies a lot (e.g. nothing, clear text password, challenge-response protocol).

Some tags (e.g. ISO 14443 and MIFARE® tags) enforce authentication mechanisms before granting read or write access to specific memory blocks. Here, either simple password authentication or challenge-response authentication (e.g. ISO 9798-2) with a symmetric key is used.

Authorization depends on the key which is used by the reader. For the forthcoming part 4 of the ISO 15693 standard a challenge-response authentication protocol with DES or 3DES is proposed.

In a Hash-Based Access Control Protocol, the tag is initially in a ‘locked’ state and transmits only the hash value of a key. An authorized reader looks up the corresponding key in a backend system and sends it to the tag. The tag verifies the key by hashing it, returns the clear-text ID and remains in an ‘unlocked’ state only for a short time. This would provide reader authentication and a modest level of access security.

Randomized Access Control is another mode of operation, in which tags respond with a randomized hash value. The reader would have to compute hash values for all IDs, so this would only be feasible with a small number of tags.

Tag authentication

There are also proposals for protocols which authenticate the tag to the reader and protect against tag counterfeiting. There should be lightweight tag authentication protocols with AES encryption, together with an analysis of their hardware requirements. One option would be to ‘kill’ the tag after it has been used, but this would also destroy valuable information and delete information which may still be useful. The blocker can be used for privacy protection, but it can also be misused for mounting denial-of-service attacks.