Ebook: Radio Frequency Identification System Security

This volume contains the papers presented at the 2014 Workshop on RFID Security (RFIDsec'14 Asia) held in Hualien, Taiwan on November 27–28, 2014. The workshop was hosted by the Department of Information Management at National Dong Hwa University (NDHU) and the TaiWan Information Security Center (TWISC@NTUST) at National Taiwan University of Science and Technology (NTUST). The General Chairs were Wei-Pang Yang, Tzong-Chen Wu and Robert H. Deng.

RFIDsec'14 Asia is aligned with the RFID security workshop (RFIDsec) which has been organized as a series of workshops held in Graz (2005/06), Malaga (2007), Budapest (2008), Leuven (2009), Istanbul (2010), Amherst (2011), Nijmegen (2012), Graz (2013) and Oxford (2014). RFIDsec'14 Asia is the sixth edition of the series of workshops held in Asia followed by RFIDsec'09 Asia in Taipei (2009), RFIDsec'10 Asia in Singapore (2010), RFIDsec'11 Asia in Wuxi (2011), RFIDsec'12 Asia in Taipei (2012) and RFIDsec'13 Asia in Guangzhou (2013).

RFIDsec'14 Asia aims to provide researchers, enterprises and governments a platform to investigate, discuss and propose new solutions on security and privacy issues of RFID/IoT (Radio Frequency Identification/Internet of Things) technologies and applications. In this year, we had an excellent program consisted of 5 high-quality papers which were selected after a rigorous reviewing process by the Program Committee members and external reviewers. Covered are many interesting topics, such as the implementation of passive UHF RFID tag, practical NFC privacy-preserving applications, the design of multi-ownership transfer protocol, and lightweight authentication on RFID. This year we have the formal proceedings published by IOS Press in the Cryptology and Information Security Series to include these 5 excellent papers.

RFIDsec'14 Asia was made possible through the contributions from many individuals and organizations. First, we thank all the authors who submitted papers. We also gratefully acknowledge the Program Committee members and external reviewers for the time and effort on the submission review process. Finally, we further thank the sponsors, Department of Information Management at NDNU and TWISC@NTUST, of RFIDsec'14 Asia for hosting the workshop.

Nai-Wei Lo, Yingjiu Li and Kuo-Hui Yeh

November 2014

This paper presents a single-chip implementation and evaluation of a passive ultra-high frequency (UHF) RFID tag that uses hash-based mutual authentication protocol. Implementation details of the silicon chip including analog power block, analog clock block, cryptographic block, volatile and non-volatile memory blocks will be introduced as well as the evaluation results of the chip about area, execution time, and power consumption. To the best of our knowledge, this work is the first single-chip implementation and the first feasibility verification of a fully functional passive UHF RFID tag chip running the hash-based mutual authentication protocol with forward privacy-preservation. We expect our experience is helpful for the future design of the privacy-preserving RFID system from both academic and industrial points of view.

Radio Frequency IDentification (RFID) is a radio communication technique. It identifies specific targets and acquires related data from the backend database by using radio frequency signal and no physical touch needed. Because of its advantages of low cost and remote identity-recognition, this technology has been widely used in many applications. However, the information, which is transmitted via radio signal, is easily eavesdropped and traced by an attacker. Therefore, it is important to design a secure RFID protocol which can ensure the authentication of the origin and the integrity of the transmitted information. Researchers have put their efforts into this field and proposed many solutions to deal with these issues. In particular, in 2012, Bassil et al. introduced an ultra-lightweight RFID protocol based on a physical unclonable function (PUF), which means that the tags in the RFID architecture are unclonable. However, the insecurity of the scheme has been pointed out recently. In this paper, we will propose a new ultra-lightweight RFID protocol based on PUF that can overcome the security loopholes occurs in Bassil et al.'s protocol.

As advances of smartphones and near field communication (NFC) technologies, sellers can deliver e-invoices to buyers' smartphones via NFC to reduce paper consumption. Therefore, buyers can use the received e-invoices for further warranty service as well as for returning and exchanging products. To identify buyers of e-invoices, current e-invoicing systems usually embed identities of buyers in e-invoices. Therefore, a merchant can make sure that a person is the buyer of a transaction based on the buyer identity in an e-invoice associated to the transaction. However, from the privacy perspective, one may not wish his identity to be recorded in an e-invoice. Even the identity in an e-invoice contains no personal identifiable information, people may still worry that retailers track their purchasing behaviors based on the buyer identities in e-invoices. Therefore, people may prefer to paying cash and using traditional paper-based invoices. To address this issue, this work proposes a privacy-preserving scheme for customers to generate secrets for different transactions and use the secrets to generate identities for e-invoicing. Therefore, a customer can claim that he is the recipient of an e-invoice by proving that he owns the secret to generate the identity in the e-invoice without revealing the secrets.

Moreover, this study implements the proposed scheme with commercially available devices. Based on the experimental results, a customer can generate secrets for further verification, transmit the secrets to a merchant, and received a generated e-invoice from the merchant via Simple NDEF Exchange Protocol (SNEP), a NFC P2P communication standard, in seconds. While the proposed scheme enhancing the convenience and privacy of current e-invoicing systems, more customers may wish to accept e-invoices.

In order to fulfill system security and computation limitation of low-cost RF tags at the same time, the research of the lightweight RFID authentication has promptly become one of the hottest topics in recent years. Recently, Morshed et al. proposed an authentication scheme, called SUAP3, to achieve the security and efficiency under ubiquitous RFID-based systems. Later, Safkhani et al. and Wang et al. had demonstrated that SUAP3 is insecure against full-disclosure attack and tag traceability attack. However, these attacks are based on powerful assumptions, and the feasibilities of the two attacks are thus a little doubtful. In this paper, we present a real passive tag-tracking attack without any specific assumptions. An adversary can exploit a series of challenge-response procedures to derive the secrets maintained at the tag. With the cryptanalysis proposed by us, the insecurity of SUAP3 is truly proved. In addition, we present a novel and robust ubiquitous authentication scheme for RFID based application systems.

Radio frequency identification (RFID) is a contactless automatic identification technology that is used in various fields. Its easy-to-read feature is particularly suitable for applications in logistics supply chain management, and it permits business partners in a supply chain to effectively control their inventory and share information. Vendor managed inventory (VMI) is an inventory comanagement approach used for integrating enterprise resources and inhibiting the bullwhip effect. Moreover, a vendor can manage inventory according to a mutual agreement for sharing inventory costs, which were previously solely borne by the dealer. An RFID multiownership transfer protocol intended for use in VMI environments is presented in this paper. The protocol was developed to solve the difficulties in RFID system implementation in VMI environments and to improve the efficiency of inventory cost allocation. Furthermore, the protocol was designed to handle one object with multiple owners according to the situations encountered; ownership can be assigned to particular users or terminated as required. Possible security concerns and strategies to prevent such attacks are discussed. The proposed protocol is referred to as multiownership transfer protocol with a trusted third party (TTP) because it allows business partners to manage their inventory in the control of the TTP. It also provides a mechanism to divide business into two levels for facilitating information privacy.