You are here: Resources > FIDIS Deliverables > HighTechID > D3.7: A Structured Collection on RFID Literature > 

D3.7 A Structured Collection on Information and Literature on Technological and Usability Aspects of Radio Frequency Identification (RFID)

threats  Untitled


threats for the reader


Falsifying reader ID 

In a secure RFID system the reader must authenticate to the tag. If an attacker wants to read the data with his own reader, this reader must fake the “identity” of an authorized reader. Depending on the security measures in place, such an attack can be "very easy" to "practically impossible" to carry out. The reader might need access to the backend in order, for example, to retrieve keys that are stored there.

Security measures for falsifying the reader ID 

To prevent readers to falsify their ID and obtain unauthorized access to a tag, an authentication method (when available at the tag) can be used to authenticate the reader towards the tag (ISO 1999). In authentication method called Basic Access Control, mandatory for European e-passports, the reader is authenticated to the tag based on key calculated from optical field, scanned directly from the passport. Therefore in order to retrieve data from passport, an attacker needs to know content of optical field. On the other hand, if the attacker once can see the optical field, he can get access to the data any time. Extended Access Control, applied for some e-passports, is more advanced authentication algorithm, based on asymmetric cryptography. In other words, a kind of digital signature is required from the reader to start communication.  

Related costs 

If no authentication method is deployed, falsification of reader ID is not difficult and can be done with relatively low cost. Authentication requires implementation both on the side of readers and tags, so it cannot be deployed in lowest cost solutions but average cost tags have often authentication method available, then the costs of switching it on are low and most expenses would go in the management of tags and readers which have to be loaded with cryptographic keys. 

In the case of systems with authentication, in order to falsify the reader ID an attacker would have to obtain the secret key. The difficulty and costs for obtaining such a key depends on the implementation. 






threats  fidis-wp3-del3.7.Structured_Collection_RFID_02.sxw  threats
Denis Royer 16 / 46