PAPER-1: RFID Systems and Security and Privacy Implications

Sanjay E. Sarma, Stephen A. Weis, and Daniel W. Engels

Q1) What problems (with prior work or the lack thereof) were addressed or surveyed by the
authors?

ANS ) The authors discuss at length about how secure is the RFID technique. The tags used for RFID
must not compromise the privacy of their holders. Information should not be leaked to unauthorized
readers, nor should it be possible to build long-term tracking associations between tags and holders.
To prevent tracking, holders should be able to detect and disable any tags they carry. Publicly
available tag output should be randomized or easily modifiable to avoid long-term associations
between tags and holders. Private tag contents must be protected by access control and, if
interrogation channels are assumed insecure, encryption. Both tags and readers should trust each
other. Spoofing either party should be difficult. Besides providing an access control mechanism,
mutual authentication between tags and readers also provides a measure of trust. Session hijacking
and replay attacks are also concerns. Fault induction should not compromise protocols or open
windows to hijack attempts. Both tags and readers should be resistant to replay or man-in-the-
middle attacks.

Q2) What solutions were proposed or surveyed by the authors?

ANS) To address these deficiencies the authors proposed to adopt a policy of erasing unique serial
numbers at the point of sale. Consumer held tags would still contain product code information, but
not unique identification numbers. Unfortunately, tracking is still possible by associating
“constellations” of particular tag types with holder identities. Providing the stated security goals
requires implementing access control and authentication. Public key cryptography offers a solution.
A particular (type of) reader’s public key and a unique private key may be embedded into each tag.
During interrogation, tags and readers may mutually authenticate each other with these keys using
understood protocols. To prevent eavesdropping within the interrogation zone, tags may encrypt
their contents using a random nonce to prevent tracking. Unfortunately, supporting strong public
key cryptography is beyond the resources of low cost (US$0.05-0.10) tags, although solutions do
exist for more expensive tags.

Q3) What are the technical strengths and main contributions of the paper's proposed solutions?

ANS) The authors have proposed a design that partially satisfies some desired security properties,
but more secure implementations require several developments. One key line of research is the
further development and implementation of low cost cryptographic primitives. These include hash
functions, random number generators and both symmetric and public key cryptographic functions.
Low cost hardware implementations must minimize circuit area and consumption without adversely
affecting computation time. RFID security may benefit from both improvements to existing systems
and from new designs. More expensive RFID devices already offer symmetric encryption and public
key algorithms such as NTRU [10,13]. Adaptation of these algorithms for the low-cost (US$0.05-
0.10), passive RFID devices should be a reality in a matter of years.
Q4) What are the technical weaknesses of the paper's proposed solutions? What suggestions do you
have to improve upon the paper's ideas?

ANS) Though the roadmap towards cheap tags has been laid out, but like any research effort,
uncertainty is a part of the challenge. Several technology alternatives will need to be tested for each
component of the system before the optimal one is determined. Even after the first cheap tags have
been manufactured, scaling production to the volumes needed to meet expected demand will be a
challenge. It may be years before the supply meets the enormous demand that a technology of this
type is projected to generate. However, it is these very volumes that make it necessary for the
technology to be carefully thought out to save every fraction of a cent in the cost of a tag and to
ensure the security and privacy of its future users.

PAPER 2: RFID Security and Privacy: A Research Survey

Ari Juels

RSA Laboratories

28 September 2005

Q1) ) What problems (with prior work or the lack thereof) were addressed or surveyed by the
authors?

ANS) The problems of key management and implementation of primitives are extremely important
ones in this area. Other valuable research problems remain, however, of which the authors have
mentioned just a couple:

• Is it possible to construct a fully privacy-preserving, symmetric-key RFID identification scheme in

which the reader performs computation o(n), i.e., sub-linear in the number of tags? (Recall that use
of Hellman tables undermines privacy.) Alternatively, is it possible to prove that such a scheme is
impossible without the use of public-key cryptography?

• Nearly all of the schemes they have described presume a centralized model, namely that readers
have continuous access to a centralized database. This feature provides resistance to replay and
desynchronization attacks. What is the best way to engineer a system in which readers have only
intermittent connectivity? Indeed, what is the best way to model such a system?

Q2) What solutions were proposed or surveyed by the authors?

ANS) There is a straightforward but heavy weight solution to this privacy conundrum. A reader can
identify tags by means of key search. In loose schematic terms, the procedure is as follows.

Let fki [M] denote a keyed one-way function – either h(ki, M) or eki [M], for example. Let P be an
input value, a random session-specific value, that is, a nonce, or a static bitstring. (Different
proposed schemes involve different choices for P.) Reader identification of a tag encompasses the
following two steps, often at the heart of a larger protocol:
1) Tag Ti emits E = fkTi [P]. (For example, Ti might encrypt a nonce P under the key kTi .)

2) On receiving E from a tag, the reader searches the space of all tag keys K = {kTj }j for a key such
that fkTj [P] = E. (For example, the reader might try to decrypt E under every key in K until it obtains
P.) If the scheme is correctly parameterized, the reader will find only one key kTj that successfully
yields E. This key uniquely identifies the tag as Tj . To ensure the privacy of the tag, clearly the value
E emitted by the tag must vary from session to session, otherwise E is a static identifier. Thus, either
kTi or P (or both) must vary over time; different schemes involve different ways of varying these
values, as they shall see

Q3) What are the technical strengths and main contributions of the paper's proposed solutions?

ANS) The majority of the articles treated in this survey explore security and privacy as a matter
between RFID tags and readers. Of ourse, tags and readers lie at the fringes of a full-blown RFID
system. At the heart will reside a massive infrastructure of servers and software. Many of the
attendant data-security problems – like that of authenticating readers to servers – involve already
familiar data-security protocols. But the very massive scale of RFID-related data flows and cross-
organizational information sharing will introduce new data-security problems. The authors have
mentioned key-management and PIN distribution for tags as one such potential problem. Other
challenges will arise from the fluidity of changes in tag ownership. Today, domain names, for
example, do not change hands very frequently; the DNS can involve human intermediated access-
control. The ONS – should it indeed see fruition – will need to accommodate many, many more
objects that change hands with great frequency. Sensors are small hardware devices similar in flavor
to RFID tags. While RFID tags emit identifiers, sensors emit information about their environments,
like ambient temperature or humidity. Sensors typically contain batteries, and are thus larger and
more expensive than passive RFID tags.Between active RFID tags and sensors, however, there is little
difference but nomenclature.

Q4) What are the technical weaknesses of the paper's proposed solutions? What suggestions do you
have to improve upon the paper's ideas?

ANS) Vulnerability in OSK and ADO: A simple, practical attack against the privacy of the OSK and
ADO schemes has been recently noted . Both schemes involve key search across a window of time
steps of predetermined size m. By probing the window boundary, i.e., exploiting the fact that the
reader cannot identify tags with counter values greater than m, an attacker can learn a tag’s exact
current counter value. Consider a tag Ti with current counter value ci. The attacker queries the tag m
times, obtaining outputs E1 = Eci , E2 = Eci+1, ...Em = Eci+m. Then the attacker submits Em,
Em−1,...,E1 to the reader in that order, until the reader accepts a value Ej. The attacker concludes
that ci = j at the time of attack. For practical system parameterizations, e.g., m = 128 as proposed by
ADO, this attack is problematic. (Other systems, e.g., MSW, are similarly vulnerable in theory [68],
but practical parameterizations render such attacks infeasible.) 2) Forward secrecy: A main
contribution of OSK is a technique for achieving forward secrecy in tags. This property means that if
an attacker compromises a tag, i.e., learns its current state and its key, she is nonetheless unable to
identify the previous outputs of the tag. The technique is simple: The tag and reader refresh ki in
every time step by hashing it. Thus, in OSK, it is infeasible to compute previous keys and outputs
from the current key. Dimitriou uses the same approach in his later scheme.
PAPER- 3: Privacy and Security in Library RFID Issues, Practices, and Architectures

David Molnar and David Wagner †

June 8, 2004

Q1 What problems (with prior work or the lack thereof) were addressed or surveyed by the authors?

ANS)The authors expose privacy issues related to Radio Frequency Identification (RFID) in libraries,
describe current deployments, and suggest novel architectures for library RFID. Libraries are a fast
growing application of RFID; the technology promises to relieve repetitive strain injury, speed patron
self-checkout, and make possible comprehensive inventory. Unlike supply-chain RFID, library RFID
requires item-level tagging, thereby raising immediate patron privacy issues. Current conventional
wisdom suggests that privacy risks are negligible unless an adversary has access to library databases;
they show this is not the case. In addition, they identify private authentication as a key technical
issue: how can a reader and tag that share a secret efficiently authenticate each other without
revealing their identities to an adversary? Previous solutions to this problem require reader work
linear in the number of tags and cryptographic primitives such as collision-resistant hash functions or
pseudo-random functions. They give a scheme for building private authentication with work
logarithmic in the number of tags, and protocols that achieve private authentication without
expensive cryptographic primitives; they believe this scheme will be of independent interest beyond
RFID applications.

Q2 )What solutions were proposed or surveyed by the authors?

ANS)The authors use tree based activation system for privacy. It works as follows- Let us say they
have an upper bound N on the number of RFID tags they will need to support in a system. Now given
the existence of a sub protocol (G1, R1, T1) that is a private authentication protocol with constant
rounds, constant tag storage, and reader work linear in the number of tags, they build a new tree-
based private authentication protocol (Gtree, Rtree, Ttree). The protocol has reader work
logarithmic in the number of tags, O(log n) rounds of interaction, and O(log n) tag storage. They
consider the N tags as leaves in a balanced binary tree, then associate each edge in the tree with a
secret. Each secret is generated uniformly and independently. The reader is assumed to know all
secrets. Each tag stores the dlg ne secrets corresponding to the path from the root to the tag. The
reader, when it wishes to authenticate itself to a tag, starts at the root and uses R1 to check whether
the tag uses the “left” secret or the “right” secret. If the reader and the tag successfully authenticate
using one of these two secrets, the reader and tag continue to the next level of the tree. If the
reader fails to convince the tag on any level, the tag rejects the reader. If the reader passes all
secrets in the path, the tag accepts the reader. This tree-based scheme requires dlg ne invocations of
R1 and T1 with 2 secrets. Therefore the total scheme requires O(log n) rounds of communication and
O(log n) work for the reader. They note that nothing restricts the tree-based scheme to binary trees;
for instance, they can use larger branching factors to trade off reader work against the number of
rounds. In Appendix B they give pseudocode for the tree-based scheme. The main issue with their
scheme is the number of rounds of communication. Ramzan and Gentry have pointed out that it
may be possible to perform all levels of the tree in parallel, yielding a constant number of messages
with length O(log n) [14]. They have not investigated the 12 privacy of the resulting parallel tree
scheme. They could also generate the secrets using a PRF to trade storage against on-line
computation and effect of tag compromise. They note that the tree-based scheme itself does not
require a PRF. Instead, it works with any underlying private authentication scheme. By using the
enhanced password protocol of Section 4.2.2, they can achieve efficient private authentication even
on tags without support for cryptographic primitives.

Q3). What are the technical strengths and main contributions of the paper's proposed solutions?

ANS) The authors stress that static identifiers may include collision IDs that are not protected by
access control mechanisms intended to protect tag data. To avoid tracking tags by collision ID, some
mechanism for private collision avoidance must be used. Would their library RFID security and
privacy problems go away if tags advanced to the point where hash functions and symmetric
encryption on tags became feasible? Their results on identification via collision avoidance, private
authentication, and write locks show the answer is no. Careful design of the entire system is
required to support privacy-enabled RFID applications. What is more, libraries want RFID now. Over
130 libraries in North America alone have installed RFID technology, and more are considering it. The
American Library Association met in summer 2004 to discuss best practices for the library use of
RFID and the adoption rate among libraries rose. Waiting for next generation tags that support
cryptography may not be acceptable, especially at increased cost. Tag vendors, in addition, may be
unwilling to introduce special modifications for what is a comparatively small market.

Q 4.) What are the technical the technical weaknesses of the paper's proposed solutions? What
suggestions do you have to improve upon the paper's ideas?

ANS)Though the given specific proposals for improving privacy in current-generation RFID tags work
, unfortunately, such changes will require time, effort, and money, and no current library RFID
system supports them. There will be a substantial cost for privacy and security in the library RFID
setting. Is the cost of privacy and security “worth it?” Put another way, should a library refuse to buy
RFID until systems are available that resist these attacks? The authors cannot dictate answers to this
question. What they have done, instead, is provide the means for libraries and their communities to
make an informed decision, and the technical options to improve future library RFID systems.