Secure ownership transfer for multi-tag multi-owner passive RFID environment with individual-owner-privacy

In this paper we propose a secure ownership transfer protocol for a multi-tag multi-owner RFID environment that provides individual-owner-privacy. To our knowledge, the existing schemes do not provide individual-owner-privacy and most of the existing schemes do not comply with the EPC Global Class-1 Gen-2 (C1G2) standard since the protocols use expensive hash operations or sophisticated encryption schemes that cannot be implemented on low-cost passive tags that are highly resource constrained. Our work aims to fill these gaps by proposing a protocol that provides individual-owner-privacy, based on simple XOR and 128-bit pseudo-random number generators (PRNG), operations that are easily implemented on low-cost RFID tags while meeting the necessary security requirements thus making it a viable option for large scale implementations. Our protocol also provides additional protection by hiding the pseudo-random numbers during all transmissions using a blind-factor to prevent tracking attacks.

A hybrid mutual authentication protocol for RFID

Out of the large number of RFID security protocols proposed in recent years none have proven to be truly secure and the creation of a truly secure security protocol for systems employing low cost RFID tags remains an open problem. In this paper we develop and present a RFID security protocol which not only allows mutual authentication and secure transmission of data between the reader and tag but is also secure against a number of common attacks.

Mutual authentication protocol for networked RFID systems

In this paper we address the problem of securing networked RFID applications. We develop and present a RFID security protocol that allows mutual authentication between the reader and tag as well as secure communication of tag data. The protocol presented uses a hybrid method to provide strong security while ensuring the resource requirements are low. To this end it employs a mix of simple one way hashing and low-cost bit wise operations. Our protocol ensures the confidentiality and integrity of all data being communicated and allows for reliable mutual authentication between tags and readers. The protocol presented is also resistant to a large number of common attacks.

A novel mutual authentication scheme with minimum disclosure for rfid systems

In this paper we present a novel approach to authentication and privacy in RFID systems based on the minimum disclosure property and in conformance to EPC Class-1 Gen-2 specifications. We take into account the computational constraints of EPC Class-1 Gen-2 passive RFID tags and only the cyclic redundancy check (CRC) and pseudo random number generator (PRNG) functions that passive RFID tags are capable of are employed. Detailed security analysis of our scheme shows that it can offer robust security properties in terms of tag anonymity and tag untraceability while at the same time being robust to replay, tag impersonation and desynchronisation attacks. Simulations results are also presented to study the scalability of the proposed scheme and its impact on authentication delay.

Securing RFID systems from SQLIA

While SQL injection attacks have been plaguing web applications for years the threat they pose to RFID systems have only identified recently. Because the architecture of web systems and RFID systems differ considerably the prevention and detection techniques proposed for web applications are not suitable for RFID systems. In this paper we propose a system to secure RFID systems against tag based SQLIA. Our system is optimized for the architecture of RFID systems and consists of a query structure matching technique and tag data cleaning technique. The novelty of the proposed system is that it's specifically aimed at RFID systems and has the ability to detect and prevent second order injections which is a problem most current solutions haven't addressed. The preliminary evaluation of our query matching technique is very promising showing very high detection rate with minimal false positives.

A serverless ultra-lightweight secure search protocol for EPC Class-1 Gen-2 UHF RFID tags

Radio Frequency Identification (RFID) is a technology that enables the non-contact, automatic and unique identification of objects using radio waves. Its use for commercial applications has recently become attractive with RFID technology seen as the replacement for the optical barcode system that is currently in widespread use. RFID has many advantages over the traditional barcode and these advantages have the potential to significantly increase the efficiency of decentralised business environments such as logistics and supply chain management. One of the important features of an RFID system is its ability to search for a particular tag among a group of tags. In order to ensure the privacy and security of the tags, the search has to be conducted in a secure fashion. To our knowledge not much work has been done in this secure search area of RFID. The limited work that has been done does not comply with the EPC Class-1 Gen-2 standards since most of them use expensive hash operations or sophisticated encryption schemes that cannot be implemented on low-cost passive tags that are highly resource constrained. Our work aims to fill this gap by proposing a serverless ultra-lightweight secure search protocol that does not use the expensive hash functions or any complex encryption schemes but achieves compliance with EPC Class-1 Gen-2 standards while meeting the required security requirements. Our protocol is based on XOR encryption and random numbers - operations that are easily implemented on low-cost RFID tags. Our protocol also provides additional protection using a blind-factor to prevent tracking attacks. Since our protocol is EPC Class-1 Gen-2 compliant it makes it possible to implement it on low-cost passive RFID tags.

A secure search protocol based on Quadratic Residues for EPC Class-1 Gen-2 UHF RFID tags

Radio Frequency Identification (RFID) is a technological revolution that is expected to soon replace barcode systems. One of the important features of an RFID system is its ability to search for a particular tag among a group of tags. This task is quite common where RFID systems play a vital role. To our knowledge not much work has been done in this secure search area of RFID. Also, most of the existing work do not comply with the C1G2 standards. Our work aims to fill that gap by proposing a protocol based on Quadratic Residues property that does not use the expensive hash functions or any complex encryption schemes but achieves total compliance with industry standards while meeting the security requirements.

Malware detection and prevention in RFID systems

The threat that malware poses to RFID systems was identified only recently. Fortunately, all currently known RFID malware is based on SQLIA. Therefore, in this chapter we propose a dual pronged, tag based SQLIA detection and prevention method optimized for RFID systems. The first technique is a SQL query matching approach that uses simple string comparisons and provides strong security against a majority of the SQLIA types possible on RFID systems. To provide security against second order SQLIA, which is a major gap in the current literature, we also propose a tag data validation and sanitization technique. The preliminary evaluation of our query matching technique is very promising, showing 100% detection rates and 0% false positives for all attacks other than second order injection.

Offline grouping proof protocol for RFID systems

Several grouping proof protocols have been proposed over the years but they are either found to be vulnerable to certain attacks or do not comply with EPC Class-1 Gen-2 (C1G2) standard because they use hash functions or other complex encryption schemes. Also, synchronization of keys, forward security, proving simultaneity, creating dependence, detecting illegitimate tags, eliminating unwanted tag processing and denial-of-proof (DoP) attacks have not been fully addressed by many. Our protocol addresses these important gaps and is based on Quadratic Residues property where the tags are only required to use XOR, 128-bit Pseudo Random Number Generators (PRNG) and Modulo (MOD) operations which can be easily implemented on low-cost passive tags and hence achieves EPC C1G2 compliance.

RFID tags : grouping proof with forward security

Several grouping proof protocols have been proposed over the years but they are either found to be vulnerable to certain attacks or do not comply with EPC Class-1 Gen-2 (C1G2) standard because they use hash functions or other complex encryption schemes. Among other requirements, synchronization of keys, forward security, dependence, detecting illegitimate tags, eliminating unwanted tag processing and denial-of-proof (DoP) attacks have not been fully addressed by many. Our protocol addresses these important gaps and is based on simple XOR encryption and 128-bit Pseudo Random Number Generators (PRNG), operations that are easily implemented on low-cost passive tags and hence achieves EPC C1G2 compliance.

A robust grouping proof protocol for RFID EPC C1G2 tags

Several grouping proof protocols for RFID systems have been proposed over the years but they are either found to be vulnerable to certain attacks or do not comply with the EPC class-1 gen-2 (C1G2) standard because they use hash functions or other complex encryption schemes. Among other requirements, synchronization of keys, simultaneity, dependence, detecting illegitimate tags, eliminating unwanted tag processing, and denial-of-proof attacks have not been fully addressed by many. Our protocol addresses these important gaps by taking a holistic approach to grouping proofs and provides forward security, which is an open research issue. The protocol is based on simple (XOR) encryption and 128-bit pseudorandom number generators, operations that can be easily implemented on low-cost passive tags. Thus, our protocol enables large-scale implementations and achieves EPC C1G2 compliance while meeting the security requirements.

Secure object tracking protocol for networked RFID systems

Networked systems have adapted Radio Frequency identification technology (RFID) to automate their business process. The Networked RFID Systems (NRS) has some unique characteristics which raise new privacy and security concerns for organizations and their NRS systems. The businesses are always having new realization of business needs using NRS. One of the most recent business realization of NRS implementation on large scale distributed systems (such as Internet of Things (IoT), supply chain) is to ensure visibility and traceability of the object throughout the chain. However, this requires assurance of security and privacy to ensure lawful business operation. In this paper, we are proposing a secure tracker protocol that will ensure not only visibility and traceability of the object but also genuineness of the object and its travel path on-site. The proposed protocol is using Physically Unclonable Function (PUF), Diffie-Hellman algorithm and simple cryptographic primitives to protect privacy of the partners, injection of fake objects, non-repudiation, and unclonability. The tag only performs a simple mathematical computation (such as combination, PUF and division) that makes the proposed protocol suitable to passive tags. To verify our security claims, we performed experiment on Security Protocol Description Language (SPDL) model of the proposed protocol using automated claim verification tool Scyther. Our experiment not only verified our claims but also helped us to eliminate possible attacks identified by Scyther.

Zero knowledge grouping proof protocol for RFID EPC C1G2 Tags

In this paper, we propose a novel zero knowledge grouping proof protocol for RFID Systems. Over the years, several protocols have been proposed in this area but they are either found to be vulnerable to certain attacks or do not comply with the EPC Class 1 Gen 2 (C1G2) standard because they use hash functions or other complex encryption schemes. Also, the unique design requirements of grouping proofs have not been fully addressed by many. Our protocol addresses these important security and design gaps in grouping proofs. We present a novel approach based on pseudo random squares and quadratic residuosity to realize a zero knowledge system. Tag operations are limited to functions such as modulo (MOD), exclusive-or (XOR) and 128 bit Pseudo Random Number Generators (PRNG). These can be easily implemented on passive tags and hence achieves compliance with the EPC Global standard while meeting the security requirements.