Overview of the hottest RFID information security

Overview of RFID information security technology

The information security problems in RFID applications may appear at three levels: tag, network and data.

Many information security technologies and standards have been applied successfully in other existing systems, and they can serve as a reference for RFID information security. For example, applications such as bank card authorization and building access systems have adopted many security standards, such as the ISO 15693 data authentication standard. RFID technology has its own characteristics, however, so current security specifications may cause problems if applied directly to RFID systems. For example, encrypting on the tag consumes much of the tag's processing capacity and increases its cost.

Because the information security problems in RFID applications may appear at the three levels of tag, network and data, this article analyzes RFID information security technology from these three aspects.

The "privacy" stored on a tag is small, but its potential security problems cannot be ignored. For enterprises that have just started using RFID, the tags are easy for hackers, shoplifters or dissatisfied employees to manipulate. Most passive tags that support the EPCglobal standard can only be written once, but RFID tags that support other standards such as ISO can be written multiple times. In the spring of 2005, RFID tags supporting the EPCglobal second-generation UHF protocol were launched in large numbers, and these tags also support multiple writes. Because there is no write protection function, these passive tags can be changed or written "thousands of times", said Lukas Grunwald, a consultant at DN-Systems Enterprise Internet Solutions.

To deal with the security problems of RFID tags, many suggestions and technical specifications have begun to appear.

For example, each product can be given a unique electronic product code, similar to the license plate number of a car. Anyone who breaks the security then obtains only the information of a single product, which is not worth the time spent decoding. However, Peter Regen, vice president of Unisys Corp's global visual trade program, believes that this approach sets too high a threshold, and that no one will do so.

The new EPCglobal second-generation UHF protocol standard enhances the security of passive tags. According to Sue Hutchinson, director of product management at EPCglobal, the new standard not only provides password protection but also encrypts the data in transit from the tag to the reader, rather than encrypting the data on the tag.

Privacy issues are mainly reflected in RFID tags. One idea is the "soft blocker". It strengthens protection of customers' privacy preferences, but only after the goods have been purchased. At the point of sale, customers show their membership card, through which the data on their privacy preferences can be seen. "After the purchase of goods, the point of sale will immediately update the privacy data to ensure that these data will not be read by some readers, such as the supply chain reader," said Dan Bailey, RFID solution architect at RSA lab. The soft blocker may be a good way to solve the privacy problem of RFID tags. This function is added to the second generation of EPCglobal tags.

Learn from other networking technologies

In retail stores, or while goods are transported from one place to another, there are many opportunities to overwrite or modify the data on RFID tags. The same vulnerability exists in the networks companies use to handle containers, pallets or other goods carrying RFID tags. These networks are distributed across the company's distribution centers, warehouses and store back rooms. Wireless networks that have not been secured create opportunities to intercept data. The back end of an RFID reader is a very standard Internet infrastructure, so the security problems and opportunities of the RFID back-end network are the same as those of the Internet.

In the network at the back end of the reader, we can draw on the various security technologies of the existing Internet.

The solution is to ensure that every reader on the network passes verification before transmitting information to the middleware (which then passes the information to the enterprise system), and that the data flow between the reader and the back-end system is encrypted. When deploying RFID readers, practical measures should be taken so that a reader can connect to the enterprise network only after verification and its data cannot be stolen in transmission. For example, readers based on technology from companies such as Symbol Technologies and ThingMagic support standard network technologies, including built-in authentication methods to prevent unauthorized access.

To prevent eavesdropping on the high-power signals sent by RFID readers, one approach is an anti-eavesdropping technique called "silent tree climbing". Burt Kaliski, chief scientist and director of RSA laboratory, said that within the limits of the RFID wireless interface, this method ensures that the reader never repeats the information on the tag. The numbers on the RFID tag are not broadcast by the reader but are referenced indirectly. The middleware at the receiving end knows how to interpret these references, but the eavesdropper does not.

Data crisis caused by "transparency"

Although RFID technology has improved the transparency of the entire supply chain, it has also raised concerns about data security. Enterprises need a strong sense of security about their data. The data an enterprise holds, including information related to its business, is not only its own data but also the data of its trading partners, said Beth Lovett, solution marketing manager at VeriSign.

In 2005, experts from Johns Hopkins University and RSA laboratory announced a cryptographic vulnerability in the RFID technology used in high-security car keys and gas station payment systems.

A major concern in the RFID industry is that RFID tags may be counterfeited and their coding system copied. Xink's new ink, a printing ink that is invisible in theory, can eliminate this hidden danger. Combining this ink with Creo's invisible label technology can eliminate the fear of labels being counterfeited.

Most RFID industry owners are aware of the importance of keeping tag data confidential. Some manufacturers have put great effort into RFID privacy and offer several feasible solutions, such as:

● Use detectors to detect the presence of other RFID readers and so prevent exposure of the data

● Program RFID tags so that they can only communicate with authorized RFID readers

● Adopt the kill tag protocol advocated by EPCglobal so that no data remains on discarded tags

● Adopt stronger encryption and security functions

Possible solutions

Many experts believe that there are two main security threats in the RFID network. One is that network vulnerabilities between the reader and the back end pose a potential threat to the system and to back-end information. The other is that the back-end network of the RFID system relies on standard Internet facilities, so its security problems are the same as those of the Internet. Radio frequency identification (RFID) technology therefore faces network security challenges, which was the consensus reached by the guests at the RFID seminar of TechBiz Connection.

For the first threat, Laura Koetzle, an analyst at the research institution Forrester, pointed out that if competitors or intruders put the "malicious tags" they developed on unsecured networks, they can transmit all the scanned data. This is a system leak caused by network vulnerabilities. In addition, as with wireless technology, there are security risks for companies that do not use devices with built-in protocols such as Secure Sockets Layer to secure their RFID network, because the supply chain application network of a wireless platform is "very easy to break".

For the second threat, three computer researchers recently presented a paper at a conference held in Pisa, Italy, on how computer viruses can infect RFID. RFID middleware developers must therefore build in appropriate checks so that RFID does not repeat the mistakes made on the Internet when its vulnerabilities were attacked. They also wrote in the paper: "Manipulating RFID data with less than 1000 bits on the tag can open up security loopholes to affect RFID middleware and secretly carry out sabotage activities; in serious cases, it may endanger the security of the whole computer or the whole network." Fortunately, RFID middleware connects the hardware that monitors RFID signals with the enterprise software that uses RFID information in the background. More importantly, it can inherit the security advantages of traditional middleware and help RFID applications reduce security risks.

Andrew S. Tanenbaum, Bruno Crispo and Melanie R. Rieback, researchers at the Free University of Amsterdam, also discussed this problem and concluded that RFID malware is a "Pandora's box". For researchers, the typical attack target is the RFID middleware, and the data from RFID tags can be used to attack the back-end software system.
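One way RFID middleware can apply such checks before tag data reaches the back end, as an added example that is not from the original article or the cited paper. It assumes tags carry a 96-bit EPC delivered as 24 hex characters; the table names, the 64-byte cap and the function names are hypothetical.

```python
import re
import sqlite3

# Assumption: a tag read is a 96-bit EPC, delivered by the reader as 24 hex characters.
EPC_HEX = re.compile(r"[0-9A-F]{24}")
MAX_RAW_LEN = 64  # assumed upper bound on raw bytes accepted from a reader

class RejectedTagData(ValueError):
    """Raised when tag data does not match the expected EPC format."""

def parse_epc(raw: bytes) -> str:
    """Return the normalised EPC hex string, or raise RejectedTagData."""
    if len(raw) > MAX_RAW_LEN:
        raise RejectedTagData("payload longer than any valid EPC")
    try:
        text = raw.decode("ascii").strip().upper()
    except UnicodeDecodeError:
        raise RejectedTagData("payload is not ASCII") from None
    if not EPC_HEX.fullmatch(text):
        raise RejectedTagData("payload is not a 96-bit hex EPC")
    return text

def open_store() -> sqlite3.Connection:
    """Create an in-memory back-end store with hypothetical table names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reads (reader_id TEXT NOT NULL, epc TEXT NOT NULL)")
    conn.execute("CREATE TABLE rejected (reader_id TEXT NOT NULL, reason TEXT NOT NULL)")
    return conn

def record_read(conn: sqlite3.Connection, reader_id: str, raw: bytes) -> bool:
    """Store a validated read; log and drop anything else. True if stored."""
    try:
        epc = parse_epc(raw)
    except RejectedTagData as exc:
        # Log the reason, not the raw bytes, so the reject log cannot carry a payload.
        conn.execute("INSERT INTO rejected VALUES (?, ?)", (reader_id, str(exc)))
        return False
    # Bound parameters: tag data is never concatenated into the SQL text.
    conn.execute("INSERT INTO reads VALUES (?, ?)", (reader_id, epc))
    return True

# Constructed sample input: one well-formed EPC and three malformed payloads.
SAMPLES = [
    b"3034257BF7194E4000001A85",
    b"3034257BF7194E4000001A85 extra text; not hex",
    b"\xff\xfe\x00\x01",
    b"A" * 200,
]
```

Calling `record_read` on each entry in `SAMPLES` stores only the first; the other three land in `rejected` with the reason they failed.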

When data is exchanged on the EPCglobal network, users hope that existing security measures, such as firewalls and other access management technologies, can also be used to protect the data in the network and ensure that only authorized persons can access it, VeriSign's technicians said. VeriSign is currently assisting in solving these problems.

Solution to protect RFID data security

On the other hand, if the system is associated with consumers, there are similar risks in the above consumer applications. The security risk of RFID applications in national defense and military fields is similar to that of enterprise applications, but it is completely related to national security.

Since the data stored in the reader or back-end system falls within the scope of traditional information security, it is the data in the tag and the communication between the tag and the reader that need corresponding solutions. As shown in the table

For tagged targets that do not need to be moved frequently, access to tags can be restricted through conventional physical security means. Unfortunately, tagged targets generally need to move.

◆ Read-only tags

This method eliminates the risk of data being tampered with or deleted, but the data can still be read illegally.

◆ Limit the communication distance between the tag and the reader

Using different operating frequencies, antenna designs, tag technologies and reader technologies can limit the communication distance between the two and reduce the risk of illegal access to and reading of the tag. This still does not remove the risk to data in transmission, and it comes at the cost of deployability.

◆ Implement a proprietary communication protocol

Implementing a proprietary communication protocol is effective where security sensitivity is high and interoperability requirements are low. It involves the implementation of a set of non-public

Copyright © 2011 JIN SHI