Information security technology [radio frequency identification information security technology]

Information security problems in RFID applications can arise at three levels: tag, network and data. Many information security technologies and standards are already well established in other systems, and they are a useful reference for RFID information security. For example, many security standards, such as the ISO 15693 data authentication standard, have been adopted in bank card authorization and building access control systems. However, RFID technology has its own characteristics, so current security rules may cause problems when applied to RFID systems. For example, tag encryption consumes much of a tag's processing power and increases the cost of the tag.

Because information security problems in RFID applications can appear at three levels (tag, network and data), this article analyzes RFID information security technology from these three aspects.

"Privacy" on the tag

Although a tag is very small, its potential security problems cannot be ignored. For enterprises that have just started using RFID, RFID tags are easily manipulated by hackers, shoplifters or disgruntled employees. Most passive tags supporting the EPCglobal standard can be written only once, but RFID tags supporting other standards, such as ISO, can be written many times. In the spring of 2005, a large number of RFID tags supporting the EPCglobal UHF second-generation protocol came onto the market, and these tags also support multiple writes. Because they have no write protection, these passive tags can be changed or rewritten "thousands of times", said Lucas Grunwald, consultant at DN System Enterprise Internet Solutions.

Many proposals and technologies for dealing with the security problems of RFID tags have been standardized.

One example is to give each product a unique electronic product code, similar to a car's license plate number. Anyone who breaks the security obtains the information of only a single product, so it is not worth the time spent decoding it. However, Peter Regen, vice president of the global visible trade program at Unisys Corp, thinks that the threshold of this method is too high for anyone to do it.

The new EPCglobal UHF second-generation protocol standard enhances the security of passive tags. According to Sue Hutchinson, product management director of EPCglobal, the new standard not only provides password protection but also encrypts the data transmitted from the tag to the reader, rather than encrypting the data stored on the tag.

Privacy issues are mainly associated with RFID tags. One idea is a "soft blocker", which strengthens the protection of customers' privacy preferences, but only after the goods have been purchased. At the point of sale, customers present their membership cards, from which their privacy preferences can be read. "After the goods are purchased, the point of sale will immediately update the private data to ensure that these data will not be read by some readers, such as supply chain readers," said Dan Bailey, RFID solution architect at RSA Lab. The soft blocker may be a good way to solve the privacy problem of RFID tags, and this function has been added to EPCglobal second-generation tags.

Learning from other network technologies

In retail stores, or while goods are transported from one place to another, there are many opportunities to overwrite or modify the data on RFID tags. This weakness also exists in the networks that companies use to handle containers, pallets or other goods carrying RFID tags. These networks are located in the back end of a company's distribution centers, warehouses or stores. Insecure wireless networks create opportunities to intercept data. The back end behind an RFID reader is standard Internet infrastructure, so the security problems and opportunities of the RFID back-end network are the same as those of the Internet.

In the reader's back-end network, we can draw on the various security technologies of the existing Internet.

The solution is to ensure that every reader on the network is authenticated before it sends information to the middleware (which then forwards the information to the enterprise system), and that the data flow between the readers and the back-end system is encrypted. When deploying RFID readers, practical measures should be taken to ensure that they can access the enterprise network only after verification and that important information cannot be stolen in transit. For example, readers from companies such as Symbol Technologies and ThingMagic support standard network technologies, including built-in authentication methods to prevent unauthorized access.
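One way to implement the reader authentication described above, as an added example (not code from the article or from any vendor it names): each reader signs its tag reads with a per-reader key, and the middleware rejects unknown, tampered or replayed messages. The reader IDs, keys and EPC value are constructed, and transport encryption (for example TLS) is assumed to be handled separately.

```python
import hashlib
import hmac
import json

# Constructed per-reader keys provisioned on the middleware (hypothetical IDs).
READER_KEYS = {
    "dock-door-1": b"constructed-secret-1",
    "dock-door-2": b"constructed-secret-2",
}
SAMPLE_EPC = "urn:epc:id:sgtin:0614141.107346.2017"  # constructed sample value


def sign_event(reader_id, key, counter, epc):
    """Reader side: serialize one tag read and attach an HMAC-SHA256 tag."""
    body = json.dumps({"reader": reader_id, "ctr": counter, "epc": epc},
                      sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).digest()


class Middleware:
    """Accepts tag reads only from known readers with a valid, fresh MAC."""

    def __init__(self, keys):
        self.keys = keys
        self.last_ctr = {}   # highest counter accepted per reader (replay guard)
        self.accepted = []   # EPCs that would be forwarded to the enterprise system

    def receive(self, body, mac):
        try:
            msg = json.loads(body)
            reader, ctr, epc = str(msg["reader"]), int(msg["ctr"]), str(msg["epc"])
        except (ValueError, KeyError, TypeError):
            return "rejected: malformed"
        key = self.keys.get(reader)
        if key is None:
            return "rejected: unknown reader"
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):   # constant-time comparison
            return "rejected: bad MAC"
        if ctr <= self.last_ctr.get(reader, -1):
            return "rejected: replay"
        self.last_ctr[reader] = ctr
        self.accepted.append(epc)
        return "accepted"
```

The MAC is checked before the replay counter, so a forged message can never advance or probe a reader's counter state.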

To prevent eavesdropping on the high-power signals sent by RFID readers, one approach is an anti-eavesdropping technology called "silent tree climbing". Burt Kaliski, chief scientist and director of RSA Lab, said that, within the limits of the RFID wireless interface, this method ensures that the reader never repeats the information on the tag. The numbers on RFID tags are not broadcast by readers but are referred to indirectly. The receiving middleware knows how to interpret these numbers, but eavesdroppers do not.
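The idea behind the anti-eavesdropping scheme above, as an added simulation that is not from the article: it compares an ordinary tree-walking inventory, where the reader broadcasts tag ID prefixes, with a silent variant in which the reader only says "next" or sends a branch bit XORed with the previous bit. It goes beyond the article's description by assuming binary tag IDs, a shared first bit, and an eavesdropper who hears only the reader; the tag IDs are constructed.

```python
TAGS = ["0110", "0101", "0011"]  # constructed 4-bit tag IDs sharing bit 0


def tree_walk(tags, silent):
    """Singulate every tag depth-first.

    Returns (ids_found, forward_log). forward_log holds only the reader's
    high-power broadcasts, which is all a distant eavesdropper can hear.
    """
    if len({t[0] for t in tags}) != 1:
        raise ValueError("model assumes all tags share their first bit")
    found, forward = [], []

    def visit(prefix, subset):
        if len(prefix) == len(subset[0]):
            found.append(prefix)
            return
        pos = len(prefix)
        # Backward channel: each tag in the subset replies with its next bit.
        replies = sorted({t[pos] for t in subset})
        for bit in replies:
            if not silent:
                forward.append(prefix + bit)   # prefix broadcast in the clear
            elif len(replies) == 1:
                forward.append("NEXT")         # no collision: nothing revealed
            else:
                # Collision: name the branch as bit XOR previous path bit,
                # which reader and tags share but was never sent in the clear.
                forward.append(str(int(bit) ^ int(prefix[-1])))
            visit(prefix + bit, [t for t in subset if t[pos] == bit])

    visit("", list(tags))
    return found, forward


def heard_ids(forward_log, id_len):
    """Full tag IDs an eavesdropper can read straight off the forward log."""
    return [m for m in forward_log if len(m) == id_len and set(m) <= {"0", "1"}]


if __name__ == "__main__":
    for mode in (False, True):
        ids, log = tree_walk(TAGS, silent=mode)
        print("silent" if mode else "classic", ids, heard_ids(log, 4))
```

Both modes inventory the same tags; only the classic mode puts complete IDs on the forward channel.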

Data Crisis Caused by "Transparency"

Although the application of RFID technology improves the transparency of the whole supply chain, it also raises concerns about data security. Enterprises need to have a strong sense of security about data. For enterprises, their data, including information related to their business, is not only their own data but also the data of their trading partners, said Beth Lovett, marketing manager of Verizon Solutions.

BSI (German Federal Office for Information Security) has also put forward data protection requirements for RFID systems. According to the office's assessment, the requirements for data security and anonymized personal information should be implemented as early as possible in system design. To make full use of the opportunities brought by RFID while minimizing the threat to privacy, the data protection law should be promulgated at the initial stage of RFID system design and market launch.

So far, it is not clear which standard will be used to ensure data security on the EPCglobal network. The latest version of EPCglobal certificate summary V 1.0 was officially released on the EPCglobal website in March 2006. The security specification covers data security between all components of the EPCglobal network, from data exchange between enterprises through the EPCIS interface to communication between RFID readers and middleware, and the reader management system.

When exchanging data on the EPCglobal network, existing security measures such as firewalls and other access management technologies can be used to protect data and ensure that only authorized people can access it. Some companies have good data security practices, and they can apply their experience to RFID projects.

There are also some RFID data security technologies under development.

For example, SAP and its partner * * * are developing a new database query technology that allows commodity manufacturers and retailers to exchange RFID data without creating a copy of the data on a server beyond the control of the data owner. Some data are stored in the central virtual database, while other important data are queried separately. Amar Singh, vice president of global business development at SAP, said, "With our technology, retailers no longer need to publish query information somewhere in the virtual environment. They can get the query data directly from the manufacturer." The more places the data appears, the greater the risk.

Existing security methods, such as firewalls and other access management technologies, are expected to be used for data exchange over the EPCglobal network, with data provided only to authorized parties to ensure data security.

Pradhan of Hewlett-Packard Labs thinks: "The problems we discuss about sharing information between companies, such as how to ensure that information will not fall into the hands of others, can be solved with the help of typical IT systems. Because as far as these systems are concerned, we know security very well." Further development is under way.

Link: RFID information security products

RFID information security products mostly address three levels: tag, network and data.

Tag

RFID tag security products are mainly physical and hardware-based.

At the beginning of 2004, RSA showed its specially designed RSA Blocker tag. If this blocker is attached to a shopping bag, an RFID reader cannot read the RFID tags of the goods placed in the bag, and the system displays "Denial of service".

Borrowing the idea of scratch-off lottery tickets, IBM researchers developed a method to protect consumers' privacy when using RFID tags. IBM's suggestion is to attach a partially damaged RFID antenna to the tag, so that consumers can remove part of the antenna after shopping. The tag as a whole still works, but its readable range is greatly reduced, thus achieving the "win-win" goal of protecting consumers' privacy and protecting the interests of manufacturers and traders. According to the agreement, IBM's line matrix and thermal barcode printers will continue to use Printronix, and IBM's product portfolio will also incorporate Printronix wireless radio frequency identification (RFID) encryption technology.

In September 2005, XINK Company developed a new kind of ink that can eliminate the risk of RFID tags being counterfeited and their coding systems copied. This is a theoretically invisible printing ink, which has been used for currency anti-counterfeiting. Combining this ink with Creo's invisible label technology can eliminate the concern about counterfeit labels.

Dupont Identification System (DAS) has produced RFID tags with 3D imaging technology to enhance the safety of products. 3D images can intuitively prove the authenticity of information, so they can be used in combination with RFID tags. If someone tries to tear the anti-counterfeiting label off a genuine product and stick it on a counterfeit one, the 3D image is completely destroyed.

Network

Kevin Ashton, vice president of ThingMagic, said that two basic security technologies, Secure Shell (SSH) and Secure Sockets Layer (SSL), are expected to become standard on RFID devices. The company has begun to integrate these technologies into its RFID readers. The RFID reader technology developed by the company has a built-in verification function to ensure that "malicious readers" cannot steal data. In addition, all RFID readers on the network must be verified before they transmit data to the intermediate device and then to the system.

Solutions to information security problems in the reader's back-end RFID network can draw on Internet information security solutions and the existing products of some experienced companies.

Data

In 2005, Columbitech, a wireless security software developer, announced that its wireless VPN supports information security for RFID readers. The upgrade includes a strengthened security architecture and special security protection for the wireless communication of application units.

The integration technology jointly developed by AeroScout, Ekahau, Cisco and other companies is an active RFID system that uses Wi-Fi network frequencies, which allows end users to use their existing wireless data network facilities. Under this technical framework, eavesdropping is almost impossible, because the dialogue between active RFID tags and Wi-Fi access points is very short.