Radio Frequency Identification (RFID) is a means to efficiently and quickly, auto-identify objects, assets, pets, people, etc. RFID technology is poised to automate the supply chain management system for businesses. Very soon it would become economical to attach RFID tags to items and consumer goods. As a result we can anticipate many electronic appliances including mobile/smart phones to have a RFID-reader-tag component/chip embedded in them. Such developments would allow RFID technology to also assist people in their daily lives. In this thesis we focus on three specific RFID applications that are beneficial to businesses and consumers.
At the outset this thesis focuses on RFID-based supply chain management system that adheres to the standard EPCglobal Architecture Framework specification [11]. We approach this framework with a security point-of-view. The EPCglobal Architecture Framework is composed of entities like RFID Tag, RFID Reader, RFID Middleware, Electronic Product Code Information Service (EPCIS) Repository, EPCIS Accessing Application, Object Naming Service, and Subscriber uthentication. We analyze the various security threats that affect each of these entities and their communication interfaces. We arrive at some possible security quirements and needed security solutions to ward off these threats.
After our thorough security assessment of the RFID-based supply chain management system, we narrowed down our research focus on RFID: Tag←Reader→Server/EPCIS security. We realized that cloned fake RFID tags, malicious RFID readers and consumer privacy violation pose a major threat to RFID-based supply chain management system. Fake tags can be attached to counterfeit products and medicines. Malicious readers can corrupt genuine tags and mount man-in-middle attacks on the communication channel between genuine tags and readers. A consumer carrying a tagged item can be identified, tracked and traced based solely on the tag's unique identity number. To deal with these security problems, the use of cryptographic protocols is required. However, designing cryptographic protocols for RFID tags is a challenging task as a low-cost RFID tag has very limited computational resources. As a result, in this thesis we propose two light-weight cryptographic protocols which use only light-weight primitives such as 16 bit: random number generator, cyclic redundancy check and exclusive-OR (XOR) functions and provide RFID Tag←Reader→Server/EPCIS mutual authentication, communicating-data confidentiality and integrity, secure key-distribution and key-protection, and tag anonymity.
The promising and beneficial RFID technology would eventually lead to the development and deployment of electronic appliances and devices that are RFID-reader-tag-enabled, e.g., RFID-reader-enabled book shelves, mobile/smart phones and PDAs. Here the devices and objects, dispersed through our surroundings, can identify and communicate with each other, providing real-time information about themselves, locations, and ambient conditions around them. Therefore RFID technology will have a tremendous impact on our society assisting people in their daily lives. A right step in this direction is Mobile-RFID (mRFID) technology, where a mobile/smart phone apart from having the usual voice/data communication facilities would also have an embedded RFID-tag-reader
chip thus allowing to behave as a RFID reader and a tag.
Mobile payment is a payment method, where a mobile phone is used to pay for merchandize and services. Mobile payment is gaining popularity especially in Asia and Europe. Currently, efforts are being put to deploy a mobile payment model that precisely mimics the Contactless (RFID) Card Payment model, where an mRFID-enabled mobile phone behaves as a contactless credit/debit card. However this thesis emphasizes that credit/debit card payment transactions do not protect the privacy of the customer. Once the card is handed over to the merchant for payment processing, customers are "no longer in control" on how their card details and money are handled. This leads to card fraud, identity theft, and customer profiling. Therefore for those customers who value their privacy and security of their payment transactions, this thesis proposes a choice - an alternate mobile payment model called "Pre-Paid Mobile HTTPS-based Payment model". In the proposed payment model the customer obtains the merchant's bank account information into his/her mRFID-enabled smartphone, then the customer using the smartphone instructs his/her bank to transfer the money to the merchant's bank account. The proposed payment model utilizes partially blind signature scheme to hide the customers' identity from the bank. Therefore the proposed payment model provides the customer with complete control on his/her payments and privacy protection from both the bank and the merchant.
It is anticipated that RFID technology would also play a major role in an Smart Home environment. With the availability of RFID-reader-tag-enabled devices and appliances, consumers can make use of the RFID tags attached to their purchased items in their homes. For example, a display screen on a RFID Reader-enabled refrigerator can list out the details of all the RFID tagged items inside the refrigerator, such as item name, ingredients, manufacturing date, expiry date, etc. This example is just one of the many RFID applications that would very soon become common in a Smart Home environment. However, to securely deploy such RFID applications in a smart home environment is not as straight forward as it seems to be. Therefore this thesis describes some of the RFID applications that are applicable to smart home environment. It then identifies their related privacy and security threats and security requirements and also proposes a secure approach, where RFID-tagged consumer items, mRFID-enabled mobile/smart phone, RFID-reader enabled appliances (e.g., refrigerator), and home server would securely interact among themselves. At the moment this approach is just a conceptual idea, but it sheds light on very important security issues related to RFID applications that are beneficial for smart home environment.
RFID는 사람, 동물, 재산 등과 같은 개체를 효과적이며 빠르게 자동 식별하기 위한 수단이기에 비즈니스 분야에서 공급망 관리는 대표적인 응용분야이다. 조만간 RFID는 모든 상품에 부착될 것으로 기대되며, 스마트폰과 같은 대다수의 전자기기들은 RFID 리더 혹은 태그가 부착되어 나오기 때문에 사용자들의 다양한 일상생활에 응용될 수 있을 것으로 예측된다. 본 졸업논문에서는 비즈니스 및 사용자들에게 유용한 세가지RFID 응용분야를 중점적으로 살펴보고자 한다.
먼저, EPCGlobal 표준화 구조 프레임에 적한한 RFID 기반의 공급망 관리에서의 보안에 대해 살펴보고자 한다. 이를 위해 표준화 프레임워크의 각 개체 별 통신 인터페이스 보안 위협 및 미치는 영향을 분석하였으며, 위조된 RFID 태그 복제, 악의적인 RFID 리더, 사용자 프라이버시 침해가 RFID 기반의 공급망 관리 시스템의 주요 위협으로 파악되었다. 상호인증, 기밀성, 무결성, 안전한 키 분배 및 보호, 태그 익명성과 같은 보안 요구사항을 도출하였다. CRC 검사, XOR 함수, 난수 생성기를 활용해 두 가지 경량화 암호화 프로토콜을 제안하였다.
앞으로 RFID가 모바일 폰 혹은 스마트폰에 추가됨에 따라 새로운 결제 방법이 가능하다. 기존에 신용카드 기반의 결제 시스템에서 발생가능 한 신용카드 사기, 도난, 사용자 프로파일링과 같은 문제가 발생하기에 본 졸업논문에서는 RFID 기반의 모바일 결제 시스템을 새롭게 제안해 기존 기법에서의 문제를 해결할 수 있는 하나의 대안을 제안하였다. 제안된 기법은 모바일 HTTPS를 활용해 선결제 시스템이며, Android SDK를 활용해 제안 기법을 구현해 제안 기법의 효율성을 보여주었다.
RFID 태그 기반의 전자기기가 활성화 됨에 따라 사용자들이 RFID 태그가 부착된 제품을 자신들의 집에서 활용할 수 있기에 본 졸업논문에서는 새로운 보안 프레임워크를 제안하였다. 이를 위해 발생 가능한 각종 위협 파악 및 보안 요구사항을 도출하였다. 제안된 보안 프레임워크를 통해 사용자들은 RFID 태그가 부착된 제품을 자신들의 집에서 재활용할 수 있기에 RFID 태그 기반의 전자기기의 활용성을 증가시킬 수 있다.