Security Aspects in Radio Frequency Identification Networks

Introduction

During the last decade RFID (Radio Frequency Identification) technology became ubiquitous; it can be used in almost every fields of our life. RFID solutions are dated back to World War II. Axis fighter pilots made special movements to modify the radar signals reflected from the surface of their planes, thus differentiated the Axis and Allied planes on the radar screen. On the other hand Allied planes were equipped with a so-called Friend or Foe identification system, which worked on the basis of a rudimentary challenge-response identification protocol over radio transmission.

Nowadays, a general RFID system consists of three main parts (Figure 1); a reader, which transmits RF signals; tags that are small integrated circuits with antennae, which use the energy gathered from the RF field to backscatter the data stored on them; and the back-end server, which verifies the tags and executes certain functions. This technology can be used in various applications, e.g., personal identification, payment system, access control, animal tracking, supply-chain management, and many more.

Figure 1.

Common RFID system architecture

Many kinds of RFID tags are available on the market, which vary in storage and computational capacity. From the cheapest one having very limited computational capacity and low memory, to the more expensive ones, which has its own battery, and has high computational capacity, the most suitable RFID tags for a given application might be found. However, all the tags have low computational capacity; hence the security mechanisms which are in use in computer networks are not suitable in this environment. For expensive tags with relatively large computational capacity many secure communication protocols were developed, for cheap low-end tags, only a few lightweight protocols exist.

Upon implementation of an RFID based management system many questions emerge concerning the security of sensitive business information as well as customer privacy. Let us consider a scenario in a typical commercial setup. A customer enters a shopping center to buy some clothes, books, etc. Since each product has a unique RFID tag, which is situated inside them, a malicious attacker with a portable RFID reader could check the customer’s bag in order to decide there is some valuable product inside or not.

This is just a simple scenario, where some pieces of information about a person or product can be obtained easily; unfortunately more serious problems have to be faced. Since more and more credit cards are supplied with RFID tags, in addition passports and ID cards contain RFID tags, rather sensitive information related to our bank account, or medical record can be accessed. Hence, the security issues of RFID systems are very important; authentication protocols, encryption methods are needed in order to guarantee the secure communication, moreover our privacy.

Background

Similar to other wireless networks, in RFID systems the communication between a reader and tags uses the air interface, which is an insecure media and could be eavesdropped easily. Unprotected communication between readers and tags via the radio channel may unfold sensitive information about a tag, e.g., its location, and indirectly the location of the user who possesses the tag. First, we introduce the attacker model in this section, and in possession of it the relevant security and privacy threats in RFID environment are discussed.