D3.7 A Structured Collection on Information and Literature on Technological and Usability Aspects of Radio Frequency Identification (RFID)
Falsifying reader ID
In a secure RFID system the reader must authenticate to the tag. If an attacker wants to read the data with his own reader, that reader must fake the "identity" of an authorized reader. Depending on the security measures in place, such an attack can range from "very easy" to "practically impossible" to carry out. The reader might need access to the backend, for example to retrieve keys that are stored there.
Security measures against falsifying the reader ID
To prevent readers from falsifying their ID and obtaining unauthorized access to a tag, an authentication method (when available on the tag) can be used to authenticate the reader to the tag (ISO 1999). In the authentication method called Basic Access Control, mandatory for European e-passports, the reader is authenticated to the tag using a key calculated from the optical field, which is scanned directly from the passport. Therefore, in order to retrieve data from the passport, an attacker needs to know the content of the optical field. On the other hand, once the attacker has seen the optical field, he can access the data at any time. Extended Access Control, applied in some e-passports, is a more advanced authentication algorithm based on asymmetric cryptography. In other words, a kind of digital signature is required from the reader to start communication.
Related costs
If no authentication method is deployed, falsifying the reader ID is not difficult and can be done at relatively low cost. Authentication requires implementation on both the reader and the tag side, so it cannot be deployed in the lowest-cost solutions. Average-cost tags, however, often have an authentication method available; the cost of switching it on is then low, and most of the expense goes into managing the tags and readers, which have to be loaded with cryptographic keys.
In the case of systems with authentication, in order to falsify the reader ID an attacker would have to obtain the secret key. The difficulty and cost of obtaining such a key depend on the implementation.
Denis Royer