POP%20Method%20An%20Approach%20to%20Enhance%20the%20Security%20and%20Privacy%20of%20RFID%20Systems%20Used%20in%20Product%20Lifecycle%20with%20an%20Anonymous%20Ownership%20Transferring%20Mechanism

1
POP MethodAn Approach to Enhance the Security
and Privacy of RFID Systems Used in Product
Lifecycle with an Anonymous Ownership
Transferring Mechanism
S.K.K.H. Sabaragamuwa, S. M. Reza, J. Miura, Y.
Goto, and J. Cheng Department of Information and
Computer Sciences, Saitama University, Saitama,
338-8570, Japan krishan, selim, miura, gotoh,
cheng_at_aise.ics.saitama-u.ac.jp
Advanced Information Systems Engineering
Lab Saitama University, Japan 2007-March-13
2
Goal and Objectives

• Goal
• The goal is to originate a way to enhance the
  security and privacy of RFID tagged products in
  product life cycle by enabling ownership
  transferring mechanism with novel communicational
  protocol.
• Objectives
• Discover a security privacy enhanced
  communication mechanism for RFID tagged products
  in product lifecycle.
• Define application layer protocols for RFID
  communication in product life cycle.
• Derive an ownership transferring mechanism for
  RFID tagged products throughout the product life
  cycle

3
Agenda

• Background
• Motivation
• Solution
• Contribution
• Conclusion

4
(No Transcript)
5
What is the problem?

• The secret stored inside the RFID tag may be
  read/modified by more than one party who may or
  may not allow to access it.
• Therefore the RFID tagging creates the security
  risks and privacy threats for the individuals as
  well as for corporations throughout the product
  lifecycle.

6
Why does the problem occur?

• The same passive tag is used throughout product
  life cycle from the point of production up-to the
  product recycling.
• It is easy to buy a RFID tagged product and find
  out the information inside the tag by reverse
  engineering it.
• Since the RFID signal range is larger and
  contact-less, communication between tags and
  readers are susceptible to interference and
  interception.
• It is unable to employ strong security mechanisms
  on passive tags as they are low in computational
  power programmability, small in memory
  capacity, and also constraint by cost.
• Tags cannot be switched-off and also tag answers
  without the agreement of their bearers.

7
(No Transcript)
8
Why we must solve the problem?-I

• Almost every thing in the world is to be uniquely
  numbered by embedding a RFID tag as the process
  automation efficiency and usability can be
  improved.
• It is the passive tag, which are acceptable to be
  used in the domain of product lifecycle as the
  cost constraints exists.
• Extensive use of RFID tags has been limited as it
  creates threats to security and privacy.
• Corporate and individual privacy
• Data/information and communication security
• No proper mechanism to transfer the ownership and
  also to allow the multiple authorizations of
  tagged products.

9
Why we must solve the problem?-II

• Easy access and autonomous
• Can improve the automated processing
• Will greatly reduce the need for manual scanning
• Efficient Tracking is possible
• Can store fairly decent information set
• Items serial number, Color, Size, Manufacture
  date and Current price, as well as a list of all
  distribution points the item touched before
  arriving at a store.
• Non-contact, non-line-of-sight reading,
  read/write capability
• Improve inventory, warehousing, distribution,
  logistics, and security

10
(No Transcript)
11
Solution Outline

• Assumptions
• Product lifecycle
• Tag memory
• Proposed flow of tagged products
• Point of Sales
• After purchase
• Ownership Transference
• Multiple authorization
• Characteristics of proposed solution
• Communication protocols
• Recycling of tagged products

12
Assumptions

• Proper radio communication is available
• Tags are having rewritable memory
• Tags are having 1000015000 total gate count
• Capability of reading and writing
• Able to Disable or Kill the tag at the POS (Point
  of Sales)
• Interrogator (Reader) should have the writing
  capability
• Tags memory capacity should be at least 512 bits
  including minimum programmable memory of 256 bits
• 96bits for EPC and 16 bits CRC
• 80bits for Authentication Key
• 48bits for Shared Secret key

13
Product lifecycle
Product Manufacturer
Logistics
Distributors/Resellers/Warehouses
Logistics
Retail Stores
Customer sells the product to another customer
Product Usage
Recycling of Products
14
Lifecycle of the tagged products
(5) Retail Store
(4) Logistics
(3) Warehouse
(2) Logistics
(1) Production
(6) Customer
Barcode
(7) Customer
(8)Application
(9) Recycling
Productive RFID use throughout the product
life cycle
15
Memory structure of the Tag
16
How to change the ownership
17
Point of Sales

• Customer card
• Contains the 80 bits number card key
• Customer PIN number
• Will have to remember their own number

18
Point of Sales

• Tag data is changed in POS
• 80 bits Authentication key
• 48 bits Shared Secret key

• Customer Card PIN number
• PIN number will be assigned to for 48 bit Shared
  Secret key
• Card key will be assigned to 80 bits
  Authentication key
• By swiping the card and key-in the PIN number
  once for all items purchase at any given time.
• The card and the PIN number will allow smart home
  appliances to protect the security and privacy
• Disable the tag
• No more use of RFID tag after the purchase

19
After purchaseSmart appliances with RFID tags

• Each smart device at home will consist of Key pad
  and proximity or swipe card reader to input your
  shared secrets
• Each smart device will have their own database
  and reader in it

20
Transferring ownership

• Seller will have to swipe his card and enter his
  PIN number for the product to trusted
  transferring point
• Buyer will have to swipe his card key and enter
  his PIN number

21
Multiple authorization

• This is necessary in case of product recall,
  repair or return
• Since these actions should carry out with the
  consent of the owner of the product each party
  who expect to read the product tag need to
  transfer the ownership to proceed

22
Characteristics of proposed solution

• Algorithm
• Grain1 stream cipher algorithm
• 1650 gate count
• Lightweight and 80 bits Cryptographic Key
• Protocols design
• Authentication
• Reading
• Writing
• Security
• Proper authentication before reading or writing
• Changing the shared secrets in defined frequency
• Usage of nonce makes duplication extremely
  difficult
• Cryptographic key is 80 bits long

23
Protocol outline

1. Reading the EPC
2. Disabling the Tag
3. Changing Shared Secret
4. Changing Cryptographic Key
5. Changing both Shared Secret and Cryptographic key

24
Protocol outline
25
Protocol outline
26
Recycling of tagged products

• Each product to be recycled should change the tag
  data as follows

Should assign NULL for two Secrets
SNULL KNULL

• Same method can be used in each stage to remove
  the damaged products

27
(No Transcript)
28
Devise

• New process flow for RFID tagged products
• Re-assigning method of shared secrets when
  changing hands over the product lifecycle
• Anonymous ownership transferring method for
  tagged products even after purchase without using
  database
• New protocols for secured authentication, reading
  and writing of data in RFID tag
• Introduced security and privacy enhanced use of
  RFID tagged products from production to its
  recycling
• A method for recycling RFID tagged products using
  the same structure

29
(No Transcript)
30
Conclusion

• Allow anonymous ownership transference
• Enhance security
• Protect privacy
• Single protocol and light weight algorithm is
  used throughout the product life cycle
• No need to implement multiple authorization

31
Conclusion

• The POP (Product flow with Ownership transferring
  Protocol) Method
• Is an approach to enhance the security and
  privacy of RFID tagged products in product
  lifecycle by enabling anonymous ownership
  transference. It requires the tag to have a
  rewritable memory and a simple logic circuit.
  These requirements are practical and easy to
  implement though currently cost constraint exists.

32
Thank you very much for your attention !!!.....
Please feel free to ask questionsor put
forward your opinions..
33
Q A
34
Thank you
35

• K. H. S. Sabaragamu Koralalage, Mohammed Reza
  Selim, Junichi Miura, Yuichi Goto, and Jingde
  Cheng POP Method An Approach to Enhance the
  Security and Privacy of RFID Systems Used in
  Product Lifecycle with an Anonymous Ownership
  Transferring Mechanism, Proceedings of the 22nd
  Annual ACM Symposium on Applied Computing (SAC
  '07), pp. 270-275, Seoul, Korea, ACM Press, March
  2007.