Information security problems in RFID applications can arise at three levels: tag, network, and data. This paper analyzes RFID information security technology from each of these three aspects.
Tags and "privacy"
RFID tags are small, but their potential security problems cannot be ignored. For organizations new to RFID, RFID tags can be easily manipulated by hackers, shoplifters, or disgruntled employees. Most passive tags that support the EPCglobal standard can only be written to once, but RFID tags that support other standards, such as ISO, can be written to multiple times. In the spring of 2005, a large number of RFID tags that support the EPCglobal UHF second-generation protocol were introduced to the market, and these tags also support the multiple-write function. Because they are not write-protected, these passive tags can be changed or written to "thousands of times," says Lukas Grunwald, a consultant at DN Systems Enterprise Internet Solutions.
A number of proposals, technologies and specifications have begun to emerge to address the security concerns of RFID tags.
One example is to give each product a unique electronic product code, similar to the license plate number of a car. Someone who breaks the security then gets only the information of a single product, in which case decoding is not worth the time. However, Peter Regen, vice president of global visual trade programs at Unisys Corp, thinks the bar is too high for that approach, and no one would do it.
The new EPCglobal UHF second-generation protocol standard enhances the security of passive tags. According to Sue Hutchinson, director of product management at EPCglobal, the new standard not only provides password protection, but also the ability to encrypt the data as it travels from the tag to the reader, rather than encrypting the data on the tag.
Privacy and security concerns have been raised mainly in the context of RFID tags. One idea is a "soft blocker". It strengthens the protection of the customer's privacy preferences, but only after the item has already been purchased. At the point of sale, the customer presents his or her membership card, through which data about his or her privacy preferences can be seen. "Immediately after the item has been purchased, the point of sale is updated with the privacy data to ensure that this data is not read by certain readers, such as supply chain readers." Dan Bailey, RFID solution architect at RSA Labs, said. A soft blocker may be a good solution to the privacy concerns of RFID tags, which are incorporated in the second generation of EPCglobal tags.
Borrowing from other Web technologies
There are plenty of opportunities to overwrite or even modify the data on RFID tags in retail stores, or during the transportation of goods from one location to another. Such vulnerabilities also exist in the networks that companies use to handle RFID-tagged bins, pallets or other goods. These networks are located in the back office of a company's distribution centers, warehouses or stores. Unsecured wireless networks present an opportunity to intercept data. And because the back end of RFID readers is a very standardized Internet infrastructure, the networks behind the readers face the same security issues, and offer the same opportunities to address them, as the Internet does.
In the network at the back end of the reader, it is perfectly possible to draw on a variety of security techniques from the existing Internet.
The solution is to make sure that all readers on the network are authenticated before they transmit information to the middleware (which in turn transmits the information to the enterprise system), and to make sure that the flow of data between the reader and the back-end system is encrypted. There are some very practical measures that should be taken when deploying RFID readers to ensure that they are authenticated before connecting to the corporate network and that data is not transmitted in such a way that someone else can steal important information. For example, readers based on technology from companies such as Symbol Technologies and ThingMagic support standard network technologies, including built-in authentication methods that prevent unauthorized access.
One way to prevent people from eavesdropping on the higher-powered signals from RFID readers is to use an anti-snooping technique called "silent tree-climbing," says Burt Kaliski, chief scientist and director of RSA Labs. Within the limitations of the RFID wireless interface, it ensures that the reader never repeats information from the tag. Instead of being broadcast by the reader, the numbers on the RFID tag are referenced indirectly, and the middleware on the receiving end knows how to interpret them in a way that the eavesdropper doesn't.
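The indirect referencing described above (known in the RFID literature as silent tree walking), as an added example that is not from the original article: a simplified Python model comparing what the reader transmits during classic tree walking with what it transmits in the silent variant. The tag IDs, the message names (QUERY, NEXT, SELECT) and the function names are assumptions made for illustration.

```python
# Constructed tag population: 8-bit IDs sharing the prefix "1011" (e.g. a product code).
TAGS = ["10110010", "10110111", "10111100"]

def singulate(tags, silent):
    """Walk the binary ID tree and return (ids_read, forward_log).

    forward_log holds only what the reader transmits, which is what a
    long-range eavesdropper can hear. Tag replies are never logged.
    """
    n = len(tags[0])
    found, forward = [], []

    def walk(prefix):
        active = [t for t in tags if t.startswith(prefix)]
        if len(prefix) == n:
            found.extend(active)
            return
        # Classic walking repeats the known prefix; the silent variant does not.
        forward.append("NEXT" if silent else "QUERY " + prefix)
        replies = sorted({t[len(prefix)] for t in active})  # tag-to-reader, short range
        if len(replies) == 1:
            walk(prefix + replies[0])  # no collision: nothing to announce
            return
        for bit in replies:  # collision: the reader must name a branch
            if silent:
                # Mask the branch with the previous bit, which only the reader and
                # the tags know. With no previous bit the choice goes out in clear.
                key = int(prefix[-1]) if prefix else 0
                forward.append(f"SELECT {int(bit) ^ key}")
            walk(prefix + bit)

    walk("")
    return sorted(found), forward

def eavesdrop(forward_log):
    """ID prefixes spelled out in clear on the reader-to-tag channel."""
    return {m[6:] for m in forward_log if m.startswith("QUERY ") and m[6:]}

if __name__ == "__main__":
    for mode in (False, True):
        ids, log = singulate(TAGS, silent=mode)
        print("silent" if mode else "classic", ids, sorted(eavesdrop(log)), log)
```

The model assumes the eavesdropper hears only the reader's higher-powered signal and not the tags' replies, and it leaves out the signalling a real reader needs to return to an earlier fork.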
"Transparency" triggers data crisis
While the use of RFID technology has increased transparency throughout the supply chain, it has also raised concerns about data security. Organizations need to feel very secure about their data, and for companies, the data they hold, including information related to their business, is no longer just their own data, but also the data of their trading partners, said Beth Lovett, solutions marketing manager at VeriSign.
The BSI (Germany's Federal Office for Information Security) also has requirements for data protection in RFID systems. According to the office's assessment, the requirement to include data security and anonymized personal information in the design of the system should be enforced as soon as possible, and in order to take full advantage of the opportunities presented by RFID while minimizing threats to privacy and security, data protection laws should be enacted early on in the design and marketing of RFID systems.
To date, it has not been clearly established which standard will be used for data security on the EPCglobal network. However, the latest version, EPCglobal Certificate Profile V1.0, was officially published in March 2006 on the EPCglobal website. The security specification covers data security between all components of the EPCglobal Network, from the exchange of data between organizations through the EPCIS interface, to the communication between the RFID Reader and Middleware, and the Reader management system.
When data is exchanged on the EPCglobal Network, existing security tools such as firewalls and other access management technologies can be used to secure the data and ensure that only authorized persons have access to it. Some companies have good data security practices, and they can apply their experience to RFID projects.
There are also a number of technologies being developed regarding RFID data security.
For example, SAP is working with partners to develop new database-querying technology that would allow merchandise manufacturers and retailers to exchange RFID data without having to create copies of the data on servers that can't be controlled by the data owner, with some data stored in a centralized virtual repository and other important data queried separately. Amar Singh, vice president of global business development at SAP, said, "With our technology, retailers no longer have to publish queries somewhere in the virtual environment. They can get the query data directly from the manufacturer." The more places the data appears, the greater the risk.
Existing security methods, such as firewalls and other access management technologies, are expected to be used to keep data safe by making it available only to authorized parties as it is exchanged over the EPCglobal network.
Hewlett-Packard Labs' Pradhan observes: "The issues that we're talking about with respect to ****ing information between companies, such as how to make sure that it doesn't fall into the wrong hands, can be solved with the help of typical IT systems. Because as far as these systems are concerned, we know quite a lot about security." And further development is underway.
Link: RFID information security products
Most of the products for RFID information security are also based on the three dimensions of tags, networks and data.
Tag
RFID tag security products are mainly physical hardware.
In early 2004, RSA demonstrated its specially designed RSA Blocker Tag. By attaching this blocker to a shopping bag, the RFID reader would not be able to read the RFID tags of the goods placed in the bag, and the system would display a "denial of service".
IBM researchers borrowed the idea of scratch-off lottery tickets to study a way to protect consumer privacy in the use of RFID tags. IBM's proposal is to attach an RFID antenna to the tag that can be partially destroyed, so that consumers can remove part of the antenna after completing their shopping. The tag as a whole will still function, but its readability is greatly reduced, which protects consumer privacy without damaging the interests of manufacturers and traders, a "win-win" outcome. Under the agreement, Printronix will continue to be used in IBM's line matrix and thermal bar code printers, and Printronix RFID encryption technology will be incorporated into IBM's product portfolio.
In September 2005, XINK developed a new ink that eliminates the potential for RFID tags to be counterfeited and thus have their encoding system duplicated. It is a theoretically invisible printing ink that has already been used to combat currency counterfeiting. By combining this ink with Creo's invisible labeling technology, concerns about counterfeiting of tags can be eliminated.
DuPont Authentication Systems (DAS) has created RFID tags with 3D imaging technology to enhance product security. 3D images can be used in conjunction with RFID tags because they provide visual proof of the authenticity of the information. If someone tries to remove the security label from a genuine product and stick it on a counterfeit, the 3D effect image is destroyed in its entirety.
Network
Two basic security technologies, Secure Shell (SSH) and Secure Sockets Layer (SSL), are expected to become standards for RFID devices, said Kevin Ashton, vice president of ThingMagic. The company has begun to integrate these technologies into its RFID readers. It has developed RFID reader technology with built-in authentication to ensure that "malicious readers" cannot steal data. It must also ensure that all RFID readers on the network are authenticated before transmitting data to an intermediary device and then to the system.
The solution to the problem of information security in the RFID network at the back end of the reader can be based on the information security solutions available on the Internet and the existing products of companies with good experience.
Data
In 2005, Columbitech, a developer of wireless security software, announced wireless VPN support for information security in RFID readers. The upgrade included a security architecture enhancement to provide special security protection for wireless communications in application units.
The integrated technology, jointly developed by AeroScout, Ekahau, Cisco and others, is based on active RFID systems that use Wi-Fi network frequencies, which allow end-users to utilize existing wireless data network facilities. In this technical framework, because the exchange between the active RFID tags and the Wi-Fi access points is very brief, "eavesdropping" is almost impossible.