FIDIS Deliverable D12.3: A Holistic Privacy Framework for RFID Applications

Technical approaches to privacy friendliness

The following two phenomena are responsible for the existing privacy problems of RFID applications: 

  1. Leakage of information about the object that an RFID tag is attached to: if there exists (a more or less publicly known) linkage between the data stored in the RFID tag (e.g. an ID as used in the EPC standards) and the information about the object (like the Object Name Service (ONS)), then by learning the data stored on the RFID tag one also gets information about the related object. Depending on the kind of object this might be a serious threat to privacy (just think of RFID tagged medicine). Note that this kind of threat does not require any long term attack and therefore does not need much effort.

  2. Possibility of tracking RFID tags: if an RFID tag emits somewhat static data / information (i.e. data which is specific to the given tag), then an attacker can trace the movement of that RFID tag and link additional (external) information to it. An often cited example is that a customer buys an RFID tagged object using a credit card. If the attacker gets hold of the credit card information, he can link the RFID tag to the identity of the customer and by this means also track the customer. Note that this type of attack often requires some long-term effort. Also note that even if a single tag does not emit enough identifying information to distinguish it from a bunch of similar tags, this would not be sufficient to prevent tracking attacks. One can assume that with increasing deployment of RFID tags a person will carry a whole mix of different tags. This mix in itself would then be distinguishable from other sets of RFID tags (and thus be traceable).
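As an added illustration of the last point (constructed example, not from the deliverable): every tag below emits only a product-class code shared by all tags of that class, so each single tag has an anonymity set of at least two carriers, yet the mix of classes a person carries can still be unique and can be linked across readers. The population, class names and reader sightings are constructed sample data.

```python
from collections import Counter, defaultdict

# Constructed sample population: every tag emits only a product-class code,
# so each single tag hides among all tags of its class.
PERSONS = {
    "p1": {"shoe-X", "jacket-Y", "pill-Z"},
    "p2": {"shoe-X", "jacket-Y"},
    "p3": {"shoe-X", "pill-Z", "bag-W"},
    "p4": {"shoe-X", "jacket-Y"},
    "p5": {"jacket-Y", "bag-W"},
}

def class_anonymity(persons):
    """Per-tag anonymity set: how many carriers share each product class."""
    counts = Counter()
    for classes in persons.values():
        counts.update(classes)
    return dict(counts)

def constellation_anonymity(persons):
    """Set-level anonymity: how many carriers have exactly the same mix of
    classes. A value of 1 means the mix alone singles that carrier out."""
    by_mix = Counter(frozenset(c) for c in persons.values())
    return {name: by_mix[frozenset(c)] for name, c in persons.items()}

def link_sightings(sightings):
    """Group reader sightings by the mix that was read: every group seen at
    more than one reader is a movement trace of one re-identified carrier."""
    traces = defaultdict(list)
    for reader, classes in sightings:
        traces[frozenset(classes)].append(reader)
    return {tuple(sorted(mix)): readers for mix, readers in traces.items()}

# Constructed sightings at three readers: (reader name, classes read).
SIGHTINGS = [
    ("entrance", {"shoe-X", "jacket-Y", "pill-Z"}),
    ("entrance", {"shoe-X", "jacket-Y"}),
    ("pharmacy", {"shoe-X", "jacket-Y", "pill-Z"}),
    ("exit", {"shoe-X", "jacket-Y", "pill-Z"}),
    ("exit", {"shoe-X", "jacket-Y"}),
]
```

The smallest per-class anonymity set here is 2, but three of the five carriers have a unique mix, and the carrier of the pill-Z tag is followed from the entrance through the pharmacy to the exit.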

 

Besides the core privacy threats, current RFID technology is also vulnerable to authentication attacks. The latter problem is mentioned here because the two are interdependent. In the authors state that:

“Loosely speaking, RFID privacy concerns the problem of misbehaving readers harvesting information from well-behaving tags. RFID authentication, on the other hand, concerns the problem of well behaving readers harvesting information from misbehaving tags, particularly counterfeit ones.”  

Moreover, and of special importance, is the fact that well designed RFID privacy will strengthen RFID authentication. This might be counterintuitive, as privacy is often interpreted as a mechanism which weakens authentication. However, cloning an RFID tag generally requires scanning it, which violates the privacy of its holder. Put the other way round: if privacy mechanisms prevent any unauthorised reading of RFID tags, then cloning a tag becomes a much harder task for an attacker.

When designing security and privacy technology in the area of RFID, one has to deal with a great variety of RFID tags and RFID readers with different capabilities.  

An often cited statement is that a low-cost RFID tag should not cost more than 5 cents. Following from that estimate, the IC cost should not exceed 2 cents. In the authors conclude that this would ultimately limit the number of gates to 7.5 to 15 K gates. Given that storing a 100 bit ID (as proposed by EPC) requires 5 to 10 K gates, only 2.5 to 5 K gates are left for security mechanisms. This is by far too little for implementing the kind of cryptographic mechanisms and algorithms (like public-key cryptography) on which most of the known privacy enhancing technologies (in the area of usual computers) are based.

Moreover, the high demand for very low-cost RFID tags hinders the implementation of any measures that strengthen tags against tampering. Therefore one has to assume that any data internal to an RFID tag (e.g. a secret key) may be leaked through physical attacks.

Another boundary condition is the transmission speed. For low-cost RFID tags it limits the amount of data that can be transmitted to around 500 bits. Note that, due to the wireless communication between RFID tag and RFID reader, all transmitted data is vulnerable to eavesdropping.

Another important point one has to have in mind when designing or analysing security and privacy solutions for RFID is related to the various types of “ranges” which could be identified for the communication between RFID tags and RFID readers (mainly taken from ):

  1. Nominal read range: RFID standards and product specifications generally indicate the read ranges at which they intend tags to operate. These ranges represent the maximum distances at which a normally operating reader, with an ordinary antenna and power output, can reliably scan tag data. ISO 14443, for example, specifies a nominal range of 10 cm for contactless smartcards.

  2. Rogue scanning range: The range of a sensitive reader equipped with a powerful antenna–or antenna array–can exceed the nominal read range. High power output further amplifies read ranges. The rogue scanning range is the maximum range at which a reader can power and read a tag.

  3. Tag-to-reader eavesdropping range: Read-range limitations for passive RFID result primarily from the requirement that the reader powers the tag. Once a reader has powered a tag, a second reader can monitor resulting tag emissions without itself outputting a signal, i.e., it can eavesdrop. The maximum distance of such a second, eavesdropping reader may be larger than its rogue scanning range.

  4. Reader-to-tag eavesdropping range: In some RFID protocols, a reader transmits tag-specific information to the tag. Because readers transmit at much higher power than tags, they are subject to eavesdropping at much greater distances than tag-to-reader communications.

  5. Detection ranges: This is the distance at which an attacker can detect the presence of RFID tags or RFID readers.

 

Various technical problems must be overcome to secure RFID tags against the basic threats mentioned above. The proposed solutions could be roughly classified as follows: 

  1. ID confidentiality: if the ID stored on an RFID tag could be kept secret from the attacker, then the information leakage problem would be solved.

  2. ID anonymity: all the data / information emitted by an RFID tag should either change on a regular basis (and it has to be impossible for an attacker to link different data / information as belonging to the same tag) or a large group of RFID tags has to emit exactly the same data / information. Both principles are well known general privacy approaches. The first can be seen as a kind of transactional pseudonym and the latter expresses the general anonymisation technique of making things equal. A special kind of ID anonymity can be achieved by making the tag output indistinguishable from truly random values.

Naturally, all the well-known principles for designing (general purpose) security and privacy enhancing technologies should be respected when developing mechanisms for RFID systems. This covers for instance a property called forward security: even if an attacker learns some secret information, he should not be able to deanonymise or reveal secret information involved in past activities. Forward security is especially important in the area of low-cost RFID tags, as these tags will not offer any tamper resistance. Therefore (as said above) it is reasonable to assume that an attacker may learn secrets stored on the RFID tag.
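As an added illustration (not from the deliverable) of a changing-ID scheme with the forward security just described: the tag answers with a hash of its current state and then replaces the state with a one-way hash of itself, in the style of the Ohkubo-Suzuki-Kinoshita hash chain, so a state leaked through a physical attack lets an attacker recompute future responses but not link past ones. Domain-separated SHA-256, the 128-bit response length, the seeds and the search depth are assumptions; note that the scheme needs a hash function on the tag, which the gate budget discussed above does not leave room for on 5-cent tags.

```python
import hashlib

def H(state: bytes) -> bytes:  # one-way state update (assumed: SHA-256)
    return hashlib.sha256(b"update|" + state).digest()

def G(state: bytes) -> bytes:  # output derivation, 128-bit response
    return hashlib.sha256(b"output|" + state).digest()[:16]

class Tag:
    """Tag that stores only its current chain state."""
    def __init__(self, seed: bytes):
        self.state = seed
    def respond(self) -> bytes:
        out = G(self.state)
        self.state = H(self.state)  # old state is overwritten; H is one-way
        return out

class Backend:
    """Back-end holding every tag's initial seed; walks each chain forward."""
    def __init__(self, seeds: dict, max_depth: int = 256):
        self.seeds, self.max_depth = seeds, max_depth
    def identify(self, response: bytes):
        for tag_id, seed in self.seeds.items():
            s = seed
            for _ in range(self.max_depth):
                if G(s) == response:
                    return tag_id
                s = H(s)
        return None  # unknown tag, or chain advanced beyond max_depth

def outputs_from_state(state: bytes, count: int) -> set:
    """All responses recomputable from a known state: only the chain ahead of it."""
    outs = set()
    for _ in range(count):
        outs.add(G(state))
        state = H(state)
    return outs

def forward_security_demo(seed: bytes, before: int, after: int):
    """Query a tag `before` times, leak its state, query `after` more times;
    return how many past and future responses the leaked state lets an attacker
    recompute (and thus link to the tag)."""
    tag = Tag(seed)
    past = [tag.respond() for _ in range(before)]
    leaked_state = tag.state
    future = [tag.respond() for _ in range(after)]
    derivable = outputs_from_state(leaked_state, before + after)
    return sum(o in derivable for o in past), sum(o in derivable for o in future)

SEEDS = {"tag-A": b"constructed-seed-A", "tag-B": b"constructed-seed-B"}  # constructed
```

Identification cost on the back-end grows with the number of tags times the chain depth, which is the usual price of this construction.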

 

In the next sections an extract of proposed RFID security and privacy mechanisms is presented. The goal of this is to describe the current state of the art. 

Privacy Enhancing Measures and Technologies

The following sections will introduce technical measures enhancing the privacy of users utilising RFID-tags. 

Preventing unauthorised read-outs

In order to prevent the read-out of a tag, the crudest method is destroying the tag. Another possibility is to remove the antenna from the RFID tag core (like IBM’s “Clipped Tag”). But these approaches have several drawbacks, the biggest being that after the destruction the tag cannot be used anymore. There are many situations in which destroying the tag is not an option. Imagine the case where an RFID tag is used to handle warranty: destroying it may cause the warranty to fail. Or the illustrious smart fridge: maybe the user wants to prevent arbitrary scanning and recording of the contents of his shopping bag, but at home he may want to benefit from the smart fridge, which relies on working tags. Another big drawback is that destroying a tag requires some active user interaction, which many are too lazy for, and that it may well be impossible to destroy a tag without destroying the product, too.

So destroying tags as a privacy measure seems to be ill advised. Another solution could be to permanently deactivate the tag. As stated in chapter , tags adhering to the EPCglobal Class-1 Generation-2 standard must implement a password-protected kill command for deactivation. The password is necessary to prevent unauthorised tag killing, which could lead to denial-of-service or similar attacks.

The Kill-Command

Killing a tag has several drawbacks. First of all, the kill command is not secure: the secret needed to kill a tag is only 32 bits long, so brute-force attacks are feasible. Then, in many cases the user cannot control whether the tag has actually been killed, because a successful kill cannot be (visually) verified. Thus, the user has to trust both the implementation of the kill command on the tag and the reader, which is responsible for sending the (correct) kill command to the tag.
