Context and state of the art

 

 

 
Modified on 04/14/2008 at 15:46

The development of RFID-tag technology and its deployment is global. Standards bodies such as ISO and industry bodies such as EPCglobal [7] all help to promote the technology and its use. And the adoption of RFID-tag technology is accelerating; it is estimated that of the 3.752 billion RFID tags sold to date, 27% were sold in 2006 [9]. Yet, just as we are seeing this explosive rate of adoption, the lack of security features for RFID-tags is widely recognised. The threats to an RFID-tag deployment are not always obvious, but they cover issues such as:

 

  • denial of service attacks,
  • the problem of data authentication,
  • authenticating a tag and/or device reader,
  • protecting communication and information confidentiality,
  • consumer privacy.

 

The relative importance of these security threats will vary according to the application. For instance, for inventory control within the supply chain, the problem of tag and reader authentication might not be too significant. The value of many consumer items is small so the risk from fake tags is small. Further, deployment is often controlled and tags and readers are typically deployed within the same physically secure factories and warehouses. However the integrity of databases and records is vital to deliver the anticipated cost benefits. By contrast, if we use RFID-tags to track aircraft engine parts, the authenticity of the data on the tag and the authenticity of the tag itself are vital. The risks are so great that the security measures required are very different.

 

The relative importance of RFID tag deployment and associated security concerns has already spurred a considerable investment in research, with much taking place in the U.S. One major research initiative is Auto-ID Labs [1], an academic counterpart to EPCglobal consisting of seven universities around the world, including M.I.T., U.S. and Cambridge University, U.K. The initiative RFID-CUSP (RFID Consortium for Security and Privacy) [14] is a joint venture between UMass Amherst, Johns Hopkins University and RSA Laboratories, now a part of EMC. In terms of European partnerships, the Framework VI ECRYPT Network of Excellence [6] consists of more than 30 academic and industry partners, with a component focused on cryptography suitable for RFID deployments. As well as hosting the eSTREAM project, which aims to identify encryption technologies for cheap tags, it has established a series of annual workshops devoted to RFID. On a larger scale, Bridge [2] is a dedicated Framework VI Integrated Project that has grouped together members of GS1 (the group charged with commercialising the work of EPCglobal), universities, users, and solution providers for a €7.5 million three-year project on the RFID-tag infrastructure.

 

A component of all this research work, and sometimes the primary focus, is security in RFID-tag enabled applications. In turn, much of this work is focussed on authentication and privacy.

 

Both of these security goals pose significant challenges, though, as we will see in the work package description for RFID-AP, there is some interaction between them.

 

Within the research that has taken place, there are two distinct approaches.

 

  1. We might try to use conventional cryptographic solutions wherever possible to fulfil some security goal. The extreme environments in which we are forced to implement the algorithms make this particularly challenging, but not without some reward [8, 11, 12].

 

  2. We might try to use the characteristics of the tag, device, and their interaction in increasingly novel and sophisticated ways. This has led to proposals such as blocker tags [10] and noisy tags [3] and other innovations [4, 5, 15, 16] which offer considerable promise from new directions.

 

Within the proposed RFID-AP project, the intention is to pursue both types of solution. But one goal is to explore, and to exploit, any synergies that might exist between them. It is notable that either approach in isolation may have only limited success; as we will explain in the work package description, solutions must not only be practical: to be realistic security solutions, we may need to consider the implications of implementing them on all layers of the protocol stack.

 

The economic significance of research on RFID-tag authentication and privacy cannot be over-stated. This can be illustrated in two ways; first by referring to a contemporary application and, second, by pointing to future applications.

 

If we consider one particular sector today, that of medicines, we begin to see the opportunities and risks in an RFID-tag deployment. It has been estimated [13] that 10% of the current global pharmaceutical commerce is counterfeit. The sale of faked goods passed $40 billion in 2006 and is expected to reach $75 billion by 2010. The case for using RFID tags in an attempt to fight this dangerous trade is already well-established, and Drug Pedigree initiatives are already underway in the U.S. Criminals clearly see a market opportunity in false pharmaceuticals, and the introduction of RFID tags is likely to make an initial dent in their activities. However, if an RFID-tag deployment does not provide adequate protection against RFID-tag cloning and counterfeiting, then fake pharmaceuticals may be accompanied by fake RFID-tags. Thus, when we look to the future, not only will we see extensive RFID-tag deployments, but we will also see security features being added to tags as a way of protecting the initial investment and delivering the intended security goals.

 

Another way to consider the economic context of the proposed research is to consider how applications might evolve. Consider an RFID-tag embedded in a removable label on some clothing. The tag can easily be disabled either by using physical force or, in a more sophisticated manner, by using a kill command such as that promoted within EPCglobal. In this way privacy can be maintained. However, in such situations the consumer would lose any future advantages that an RFID-tag might offer, such as being able to interact with intelligent home appliances (a washing machine, for example) or providing warranty or recall protection for consumer items.

 

Thus even if we have some partial solutions today to some security threats, these may be inadequate for the future applications of RFID-tag technology. Instead, these will likely depend on the development of flexible and powerful security technologies, some of which may not exist today. Thus, to explore the full potential of RFID-tag technology and to safeguard the research and development investment that has been made to date, research on security and privacy – assurance – is likely to be essential.  

 

References

 

[1] Auto-ID Labs. http://www.autoidlabs.org/.

[2] BRIDGE: Building Radio Frequency Identification Solutions for the Global Environment. http://www.bridge-project.eu/

[3] C. Castelluccia and G. Avoine. Noisy Tags: A Pretty Good Key Exchange Protocol for RFID Tags. In J. Domingo-Ferrer, J. Posegga, and D. Schreckling, editors, Smart Card Research and Applications, CARDIS 2006. Springer-Verlag. To appear.

[4] C. Castelluccia and P. Mutaf. Shake Them Up (A movement-based pairing protocol for CPU-constrained devices)! ACM/Usenix Mobisys, June 2005, Seattle, USA.

[5] H. Chabanne and G. Fumaroli. Noisy cryptographic protocols for low cost RFID Tags. ECRYPT RFID Workshop, 2005.

[6] ECRYPT. Network of Excellence in Cryptography. http://www.ecrypt.eu.org/.

[7] EPCglobal. http://www.epcglobalinc.org/home.

[8] M. Girault, G. Poupard, and J. Stern. On the Fly Authentication and Signature Schemes Based on Groups of Unknown Order. Journal of Cryptology, vol. 19, no. 4, 2006.

[9] IDTechEx. RFID Forecasts: Players and Opportunities. http://www.idtechex.com/products/en/articles/00000521.asp

[10] A. Juels, R.L. Rivest, and M. Szydlo. The Blocker Tag: Selective Blocking of RFID Tags for Consumer Privacy. In V. Atluri, editor, 8th ACM Conference on Computer and Communications Security, 103-111. ACM Press. 2003.

[11] M. McLoone and M.J.B. Robshaw. Public Key Cryptography and RFID. In M. Abe, editor, CT-RSA 2007, Lecture Notes in Computer Science, vol. 4377, pages 372-384. Springer-Verlag, 2007.

[12] M. McLoone and M.J.B. Robshaw. New Architectures for Low-Cost Public Key Cryptography on RFID tags. In N. Ling and G. Setti, editors, Proceedings of ISCAS 2007, to appear.

[13] R. Quirk. E-Pedigree's Evolution. http://www.rfidjournal.com/article/articleview/3109/3/82/.

[14] RFID Consortium for Security and Privacy. http://www.rfid-cusp.org/.

[15] F. Vacherand et al. New Technologies for Contactless Air Interfaces. e-Smart, Sophia Antipolis, France, 2005.

[16] F. Vacherand. New Technologies for RFID. sOc-EUSAI’05, Grenoble, France, 2005.