Reduction of Expenses weakens Capabilities  Title:
TECHNICAL AND ORGANISATIONAL SECURITY ASPECTS
 Problem Summary and Conclusions

 

Technical and organisational security aspects

General security risks

As noted in the introduction, the backend system comprises typical server-based infrastructure, so the well-known and well-studied security mechanisms for that type of infrastructure apply. Apart from the simple fact that these mechanisms actually have to be applied, nothing about RFID-based scenarios is special at this level. The following analysis of security mechanisms for RFID therefore concentrates on the more challenging parts of the core RFID infrastructure: the RFID tags, the RFID readers and the communication between them.

One can list five general security risks when using RFID technology: 

  1. Sniffing: eavesdropping on the communication between tag and reader.

  2. Spoofing: forged RFID tags can be used to impersonate other tags, thus gaining their privileges. This is illustrated in Scenario 2, where a proximity card is spoofed.

  3. Unauthorised writing: the information on the tag, or part of it, is altered, or information is added, by an unauthorised party.

  4. Replay attacks: after a sniffing attack, an attacker can use the eavesdropped data to replay the communication.

  5. Denial-of-service attacks: any attack that disturbs the wanted and authorised communication, such as jamming the radio channel or destroying tags.
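As an added illustration (not code from this deliverable), the following Python simulation plays out risks 1, 2 and 4 against two kinds of tag: a tag that answers every inventory with a static identifier, and a tag that answers a fresh reader nonce with a keyed MAC. The identifier, the key and the message formats are constructed for the example and do not correspond to any particular real tag protocol.

```python
import hashlib
import hmac
import secrets

# Constructed sample values for this illustration (not from any real deployment):
# one tag identifier and the secret it shares with the backend.
TAG_ID = "E2003412DC030011"
TAG_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


class StaticIdTag:
    """Tag that answers every inventory with its fixed identifier."""

    def __init__(self, tag_id):
        self.tag_id = tag_id

    def respond(self, _challenge):
        return self.tag_id


class ChallengeResponseTag:
    """Tag that proves knowledge of its key with a MAC over the reader's nonce.

    The key itself is never transmitted, so a sniffed session neither lets an
    attacker build a clone nor answer a future challenge.
    """

    def __init__(self, tag_id, key):
        self.tag_id = tag_id
        self.key = key

    def respond(self, challenge):
        mac = hmac.new(self.key, challenge + self.tag_id.encode(), hashlib.sha256).digest()
        return self.tag_id, mac[:8]  # truncated, as a constrained tag would send


class Reader:
    """Reader plus backend: issues a fresh nonce per session and checks the answer."""

    def __init__(self, key_store):
        # tag_id -> key; None means the tag is only known by its static identifier
        self.key_store = key_store

    def challenge(self):
        return secrets.token_bytes(8)

    def verify(self, challenge, response):
        if isinstance(response, str):
            # static identifier: possession of the identifier is all that is checked
            return response in self.key_store
        tag_id, mac = response
        key = self.key_store.get(tag_id)
        if key is None:
            return False
        expected = hmac.new(key, challenge + tag_id.encode(), hashlib.sha256).digest()[:8]
        return hmac.compare_digest(expected, mac)


class Eavesdropper:
    """Sniffs one legitimate session (risk 1) and replays the answer (risk 4)."""

    def __init__(self):
        self.captured = None

    def sniff(self, response):
        self.captured = response

    def replay(self):
        return self.captured


def run_session_and_replay(tag, reader):
    """Returns (legitimate session accepted, replayed answer accepted)."""
    eve = Eavesdropper()
    c1 = reader.challenge()
    r1 = tag.respond(c1)
    eve.sniff(r1)
    legit_ok = reader.verify(c1, r1)
    c2 = reader.challenge()  # a new session, hence a new nonce
    replay_ok = reader.verify(c2, eve.replay())
    return legit_ok, replay_ok


def demo_static_id():
    return run_session_and_replay(StaticIdTag(TAG_ID), Reader({TAG_ID: None}))


def demo_challenge_response():
    return run_session_and_replay(ChallengeResponseTag(TAG_ID, TAG_KEY), Reader({TAG_ID: TAG_KEY}))


if __name__ == "__main__":
    print("static id:          legit=%s replay=%s" % demo_static_id())
    print("challenge-response: legit=%s replay=%s" % demo_challenge_response())
```

In the static-identifier case the eavesdropped bytes are everything the attacker needs: replaying them is accepted, and the same bytes programmed into a forged tag (risk 2) are indistinguishable from the original. With the challenge-response tag the sniffed answer is bound to a nonce the reader never reuses, so the replay fails, and the key needed to build a clone is never on the air. The price is a MAC computation and key storage on the tag, which is exactly the cost question taken up later in this section.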

 

Privacy Risks in relation to Security

The goal of the EPC standard is to give each single RFID tag a unique identifier. This gives vendors and operators many opportunities to monitor and track their products, but it also presents new risks to the privacy of users and consumers. Without any security measures it is easily possible to read out all the tags a person carries in a split second, for example while the person walks through the doors of a grocery store. The store could then display personalised advertisements or provide a virtual shopping guide that addresses the preferences of the user. In theory such read-outs can also take place from distances of a couple of metres.

An attacker may also eavesdrop on the connection between reader and backend, thus gaining information about requested product information or other data. Scanning the tags on a person may in addition lead to the creation of movement profiles when the person is scanned frequently. Of course this presupposes a highly pervasive RFID infrastructure.

So the attacks on the privacy of people via RFID can be categorised to be: 

  1. unauthorised detection of properties of persons, 

  2. tracking and identifying of persons, and 

  3. profiling of persons. 

Information Security

Information security is an essential basis for privacy in IT systems. It has to be noted, though, that information security is necessary but not sufficient to ensure privacy.

One can distinguish between open and closed RFID systems. Closed systems are characterised by homogeneity, locality, known operators and users, central administration, and little interaction with and cross-linking to other networks. Open systems are the opposite of the closed systems just described. A typical example of a closed system is a single library, whereas a library in combination with other libraries and bookstores could be seen as an open system. It is evident that closed systems are easier to secure, in terms of privacy, than open systems.


Information security has the following central goals: confidentiality, integrity and authenticity, as well as availability. Confidentiality can be divided into confidentiality of communication contents (e.g. the text of an e-mail) and confidentiality of communication circumstances (e.g. anonymity of sender and receiver, or location privacy).

The security actually achieved by a given system depends on the following factors:

  1. Can established security schemes and methods be used with or at the deployed devices? 

  2. Is a scalable key management (as needed by most of the known cryptographic protocols) possible? 

  3. Is the design of systems and protocols secure? 

  4. Is there a correct and valid implementation of the designed system? 

  5. Is the system usable in practice (usability)?

  6. Are the users adequately informed and trained? 

 

Without doubt there are a number of security issues for RFID systems. The security discussion in this section is, as mentioned earlier, centred on the tag/reader aspects, since the security issues of the backend system are similar to those of standard computer systems. In order to classify them, we use the standard ISO 13335-1 grouping of security issues. In some cases these issues are (as noted previously) essential for privacy as well as for security, while in other cases they might be a threat to or a hindrance for privacy mechanisms.

Building an integrated security concept for an RFID system according to international standards such as the ISO/IEC 27000 series requires managed control and clearly assigned responsibilities with respect to the technical components used in the system and to the behaviour of users and administrators in implementing organisational security measures. In this context RFID systems share many characteristics with systems publishing services via the Internet (lack of control over users’ behaviour and client security) and with WLANs (lack of control over the physical communication layer, in terms of the OSI layer model of network communication). Security measures applied to the central components of RFID and backend systems need to take these characteristics into account.

Confidentiality aspects

The confidentiality requirements on an RFID system are highly context dependent. If the information stored and transmitted by the system is personal, can be considered personal during some part of the tag’s life, or is sensitive in some other way (e.g. classified information within an organisation), then the information in the RFID chip or the backend system should not be revealed to unauthorised parties. This is true even for very simple RFID systems, since plain serial numbers alone could give competitors, stalkers or thieves information about the contents of containers and boxes, or about the bearer of the tag. Having access to the information also makes it possible to clone the tag, as illustrated by scenario S2, or to use the information to fool peers or servers in e.g. service or payment protocols. Traditionally cryptography is used to assure confidentiality, but this only works in chips or systems capable of performing the necessary calculations. Cryptography also introduces the problem of key handling, as stated in Section . These problems, especially weak implementation of cryptography and key handling issues, can be observed in the context of Basic Access Control (BAC) and the RFID chip used in Machine Readable Travel Documents (MRTDs) [25]. In BAC the access keys are derived from data printed in the machine-readable zone (document number, date of birth and date of expiry), so their effective entropy is bounded by how predictable those fields are rather than by the nominal key length.
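To make the BAC key-handling point concrete, the following Python, added here as an example rather than taken from the deliverable or from [25], reproduces the BAC key derivation of ICAO Doc 9303 Part 11 and then bounds the entropy of the resulting keys by the number of plausible MRZ values. The check-digit and key-derivation steps follow the published specification and the input values are the worked example printed in that specification; the candidate counts used for the entropy bound are illustrative assumptions.

```python
import hashlib
import math


def mrz_check_digit(field):
    """ICAO 9303 check digit: weights 7,3,1 repeating; digits as-is, A-Z = 10..35, '<' = 0."""
    weights = (7, 3, 1)
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif ch == "<":
            value = 0
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        else:
            raise ValueError("invalid MRZ character: %r" % ch)
        total += value * weights[i % 3]
    return str(total % 10)


def mrz_information(doc_number, birth_date, expiry_date):
    """The string the BAC keys are derived from: the three MRZ fields, each followed by
    its check digit. The document number is padded with '<' to 9 characters in the MRZ."""
    return "".join(f + mrz_check_digit(f) for f in (doc_number, birth_date, expiry_date))


def adjust_des_parity(key):
    """Set every byte to odd parity, as 3DES key bytes require."""
    return bytes(b if bin(b).count("1") % 2 else b ^ 1 for b in key)


def derive_bac_keys(mrz_info):
    """Returns (Kseed, KENC, KMAC) per ICAO 9303 Part 11:
    Kseed = SHA-1(MRZ_information)[:16];
    Kx    = parity-adjusted SHA-1(Kseed || counter)[:16], counter 1 for ENC, 2 for MAC."""
    kseed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]

    def kdf(counter):
        digest = hashlib.sha1(kseed + counter.to_bytes(4, "big")).digest()
        return adjust_des_parity(digest[:16])

    return kseed, kdf(1), kdf(2)


def bac_key_entropy_bits(doc_number_candidates, birth_date_candidates, expiry_candidates):
    """Upper bound on the entropy of the BAC keys: the key space is at most the product of
    the candidate counts for the three MRZ fields, whatever the length of the derived key."""
    return math.log2(doc_number_candidates * birth_date_candidates * expiry_candidates)


if __name__ == "__main__":
    # ICAO Doc 9303 worked example: document L898902C, born 1969-08-06, expires 1994-06-23.
    info = mrz_information("L898902C<", "690806", "940623")
    kseed, kenc, kmac = derive_bac_keys(info)
    print("MRZ_information:", info)
    print("Kseed:", kseed.hex().upper())
    print("KENC: ", kenc.hex().upper())
    print("KMAC: ", kmac.hex().upper())
    # Illustrative assumption: sequential document numbers within a range of 10^6, date of
    # birth known to within +/- 5 years, expiry within a 10-year validity window.
    print("entropy bound: %.1f bits (nominal 112-bit two-key 3DES)"
          % bac_key_entropy_bits(10**6, 3650, 3650))
```

Everything the reader needs in order to compute KENC and KMAC is printed in the machine-readable zone and, for many issuing countries, highly structured: document numbers are often sequential, a date of birth can be estimated, and the expiry date lies within the validity period. The nominal 112-bit keys therefore protect no more than the few tens of bits of uncertainty an attacker has about those three fields, so an eavesdropped BAC session can in principle be attacked offline by brute force over them.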

For cheaper systems other, more economical mechanisms may need to be developed. Within this area some suggestions have already been proposed that partly solve the confidentiality problem: Fishkin and Roy suggest using the signal-to-noise ratio of the reader’s signal to estimate the distance to the reader, in order to thwart unwanted remote monitoring. Juels et al. suggest using blocker tags to make it harder for readers to gain unwanted access to the tag. Juels also suggests using tag pseudonyms in order to prevent illicit tracking of tags, and discusses other mechanisms. Needless to say, if the information is protected on the tag it needs to keep at least that level of protection, albeit perhaps not with the same mechanism, along the whole chain, i.e. the radio link, the reader, the middleware and the backend system. The confidentiality problem in RFID may also be time dependent, since an entity that is authorised to read the information at a specific point in time might not be authorised at an earlier or later time in the life of the tag. This makes key management even harder. Blocker tags might be a solution here, but we probably still need encryption to guarantee confidentiality along the whole chain, e.g. to protect against eavesdropping on the radio interface or within the backend system.
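The pseudonym idea can be made concrete with a randomised hash-lock style tag, shown below as an added Python example (not the deliverable’s own code and not Juels’s specific construction): the tag emits a fresh nonce together with a keyed MAC over it, so an eavesdropper sees different bytes on every read, while a reader holding the key can still resolve the identity. The tag identifiers and keys are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed key material for this illustration (hypothetical tags and keys).
TAG_KEYS = {
    "tag-A": bytes.fromhex("0f0e0d0c0b0a09080706050403020100"),
    "tag-B": bytes.fromhex("a0a1a2a3a4a5a6a7a8a9aaabacadaeaf"),
}


class StaticTag:
    """Tag that always emits the same identifier: trivially linkable across reads."""

    def __init__(self, tag_id):
        self.tag_id = tag_id

    def emit(self):
        return self.tag_id


class PseudonymTag:
    """Tag that emits (nonce, HMAC(key, nonce)) with a new nonce on every read.

    Without the key the outputs are unlinkable; with the key a reader recovers
    the identity by recomputing the MAC for each candidate tag.
    """

    def __init__(self, key):
        self.key = key

    def emit(self):
        nonce = secrets.token_bytes(8)
        return nonce, hmac.new(self.key, nonce, hashlib.sha256).digest()[:8]


def resolve(emission, key_store):
    """Authorised-reader side: try every key it holds; returns the tag id or None."""
    nonce, proof = emission
    for tag_id, key in key_store.items():
        expected = hmac.new(key, nonce, hashlib.sha256).digest()[:8]
        if hmac.compare_digest(expected, proof):
            return tag_id
    return None


def eavesdropper_links(reads):
    """Eavesdropper's view: two reads are linkable iff the bytes on the air are identical."""
    return len(set(reads)) < len(reads)


def demo():
    static = StaticTag("tag-A")
    pseudo = PseudonymTag(TAG_KEYS["tag-A"])
    static_reads = [static.emit() for _ in range(3)]
    pseudo_reads = [pseudo.emit() for _ in range(3)]
    return {
        "static_linkable": eavesdropper_links(static_reads),
        "pseudonym_linkable": eavesdropper_links(pseudo_reads),
        "resolved": [resolve(r, TAG_KEYS) for r in pseudo_reads],
        # a reader that was never given tag-A's key cannot identify it
        "unknown_key_resolves": resolve(pseudo_reads[0], {"tag-B": TAG_KEYS["tag-B"]}),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```

Two costs appear immediately and tie back to the factors listed under information security above: the tag must compute a MAC, which the cheapest tags cannot, and the reader has to try every key it holds for each read, so resolution time grows with the size of the tag population. The key store itself has to be distributed to every authorised reader along the chain, which is the key-management problem the text refers to.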

Integrity aspects

Integrity must be seen as essential in most applications of RFID systems, since the whole idea is to use part of the information stored on the tag as an identifier for a specific purpose and the other part as attributes associated in some way with that identifier. From this it follows that nobody should be able to alter a tag (or any other part of the system) in an uncontrolled way. Failures of integrity might lead to a number of problems, e.g. virus attacks as illustrated by scenario S1, insertion attacks, forgery, re-marking of products to obtain a lower price, changing expiry dates or storage conditions, or theft in the distribution chain without the possibility of tracing where it took place or, even worse, with the possibility of blaming other links in the chain. An obvious solution to this problem is to use read-only tags. However, as pointed out in Section 4.4.4, the quest for cheap production of tags might mean that read-only tags are merely crippled versions of general-purpose tags, where it might be possible to reverse the read-only state. Signing the data is another possible solution, but it brings with it the issues of PKI (Public Key Infrastructure) handling among a large number of entities. Just as with confidentiality, integrity needs to be maintained throughout the chain.
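An insertion attack of the kind behind the virus scenario can be illustrated in a few lines. The following Python, added as an example and not taken from the deliverable, shows middleware that splices the contents of tag memory into a SQL statement, a hostile payload written into a rewritable tag that changes an expiry date in the backend, and the hardened version that validates the identifier format and binds it as a parameter. The schema, the rows, the payload and the identifier format are constructed for the example.

```python
import re
import sqlite3

# Constructed inventory for this illustration (hypothetical schema and rows).
SEED_ROWS = [
    ("EPC-1001", "milk", "2025-01-01"),
    ("EPC-1002", "cheese", "2025-02-01"),
]

# Constructed hostile tag contents: a string an attacker wrote into a rewritable tag.
HOSTILE_TAG_PAYLOAD = "x'; UPDATE inventory SET expiry='2099-12-31' WHERE epc='EPC-1001'; --"

# Assumed identifier format for this inventory; anything else is not an EPC.
EPC_FORMAT = re.compile(r"^EPC-\d{4}$")


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE inventory (epc TEXT PRIMARY KEY, product TEXT, expiry TEXT)")
    conn.executemany("INSERT INTO inventory VALUES (?, ?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def expiry_of(conn, epc):
    row = conn.execute("SELECT expiry FROM inventory WHERE epc = ?", (epc,)).fetchone()
    return row[0] if row else None


def process_tag_vulnerable(conn, tag_payload):
    """Middleware that splices tag memory into SQL and runs it on a connection that
    accepts stacked statements (executescript stands in for such a database driver)."""
    sql = "SELECT product FROM inventory WHERE epc = '%s';" % tag_payload
    conn.executescript(sql)


def process_tag_safe(conn, tag_payload):
    """Same lookup, hardened: tag data is checked against the expected identifier
    format and then bound as a parameter, never concatenated into the statement."""
    if not EPC_FORMAT.match(tag_payload):
        raise ValueError("tag contents do not look like an EPC: %r" % tag_payload)
    row = conn.execute("SELECT product FROM inventory WHERE epc = ?", (tag_payload,)).fetchone()
    return row[0] if row else None


def demo():
    """Expiry of EPC-1001 after each middleware variant has processed the hostile tag."""
    vulnerable = setup_db()
    process_tag_vulnerable(vulnerable, HOSTILE_TAG_PAYLOAD)
    safe = setup_db()
    try:
        process_tag_safe(safe, HOSTILE_TAG_PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "after_vulnerable": expiry_of(vulnerable, "EPC-1001"),
        "after_safe": expiry_of(safe, "EPC-1001"),
        "safe_rejected_payload": rejected,
        "safe_normal_lookup": process_tag_safe(safe, "EPC-1002"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```

The point of the hardened version is that tag memory is treated as untrusted input arriving over the radio side, exactly like form data arriving over the Internet: the allow-list check stops anything that does not look like an identifier from reaching the database at all, and parameter binding ensures that whatever does get through is handled as data and never becomes part of the statement.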

Availability aspects

We believe that the problem of availability in the RFID context is centred on the ability to read the tag in any authorised situation. Attacks in this context are targeted at the tag or the reader. In the tag case the attack will probably consist of either shielding or destroying the tag, something that, from a security perspective, is unfortunately not hard to do. The reader can be flooded, jammed or destroyed. An example of a flooding attack is the blocker tag, which gives the reader more information than it can handle. Jamming usually aims at breaking or disturbing the radio link. Even though blocker tags can be used by individuals to protect their data, availability attacks for malicious purposes might also lead to e.g. theft of goods, denial of service or the exclusion of persons. These types of attacks tend to be very difficult to protect against; in traditional computer systems they are usually addressed at the logical level by redundancy, over-provisioning or intelligent filtering, and at the physical level by locking away or otherwise physically protecting the components. This might be a tough problem to solve on the radio link.

Accountability aspects

The whole purpose of accountability is to make people or organisations liable for their actions (e.g. for accessing the personal data of other persons) and to be able to trace events after the fact. This is usually accomplished with the help of immutable log files, digital signatures or a combination of both. Logging in an RFID environment might be a problem due to the limited storage space on the tag. It might be possible to create some form of central logging system in specific cases. However, if the tag travels through many different organisations, e.g. during distribution, this might be cumbersome or even politically impossible to achieve. Using digital certificates, on the other hand, would require every entity in the chain to have its own certificate, and of course a PKI to handle the certificates, which might be an administrative nightmare. It might be possible to combine technologies into a feasible solution, or to borrow ideas from the DRM (Digital Rights Management) field. If we want any chance of seeing who retrieved personal information and to whom it was passed, we need accountability, and it needs to be compulsory rather than voluntary. More aspects of how such privacy-supporting logging can be done will be discussed in the upcoming FIDIS deliverable D 14.6 “From regulating access control on personal data to transparency by secure logging”.

Authenticity aspects

The authenticity of the information is interesting from both a pure security perspective and a privacy perspective; which of the two dominates depends on the viewpoint taken and on the application. On the privacy side are the issues of identity theft and all the problems associated with it. On the security side is the question of how much trust one should put in the information, e.g. as an identifier in transactions or as a token of authenticity. If it is possible to clone or modify the information in an unauthorised manner, then it is of no use as an identifier and its authenticity cannot be guaranteed. The same argument holds if it is possible to remove the tag from the item it is supposed to identify or to exchange it for another. This area calls for both logical and physical security measures.

 

 

fidis-wp12-d12.3_Holistic_Privacy_Framework_for_RFID_Applications.sxw