Plan for RFID Security before it rains

  • Detail

In the current development blueprint, the biggest difference between RFID and other wireless technologies is that RFID tags are mainly used for identification and verification. However, all wireless technologies need to consider security issues, and RFID is no exception. If RFID system hopes to be widely used in the world, its security must be tested. RFID is mainly used in logistics, consumption and other fields, which do not have high requirements for privacy. Therefore, the industry does not pay enough attention to the consideration of RFID Security. For a typical logistics application system with hundreds of RFID reading devices, what will be the loss caused by the theft of the information in the cargo tag? In most cases, although some people are worried about it, no one seriously evaluates it

however, it is worth noting that people's concern about RFID Security has slowed down RFID's 4 The development of automatic storage of experimental data. Whether it is the users who have applied the RFID system or those who are evaluating the RFID system, the potential security problems of RFID have troubled them

main security risks

· intercepting RFID tag information

the most basic security problem is how to prevent the interception and cracking of RFID tag information, because the information in these tags is the core and medium of the entire application. After obtaining the tag information, an attacker can use an eyepiece of the RFID system without authorization. Due to the limited application of RFID, hacker groups have not been widely involved in the field of RFID. At this stage, most of the problems are displayed by some research organizations. For example, Johns A research team of Hopkins University has shown in detail how to crack the DST (digital signaturetransporter) component manufactured by Texas Instruments (TI). This component is built into many RFID components that act as car anti-theft systems and electronic payment systems, and is combined with car keys in the form of capsules. The car can only be started after the component is correctly identified by the car anti-theft system. This study shows that it is possible to steal information from RFID devices without touching them. Although the DST can only be read within a distance of tens of centimeters, there is still a great possibility to get close contact with the owner in the elevator, rest area and other environments

· cracking RFID tag

rfid tag is an integrated circuit chip, which means that the method used to attack smart card products is also feasible on RFID tags

the process of cracking RFID tags is not complicated. Products with 40 bit keys can usually be cracked within one hour; For a more robust encryption mechanism, it can be brutally cracked through a dedicated hardware device. However, this usually requires a physical object with a label

the protective layer on the label can also be removed through a special solution, so that the external electronic equipment can be connected with the circuit in the label. In this case, the attacker can not only obtain the data in the tag, but also analyze the structural design of the tag to find the problems that can be used to complete some specific forms of attacks. In this way, even if the RFID tag is very "tiny", as a complete system, there may still be security vulnerabilities. Once it is poorly designed, it will have a wide range of impacts

· copying RFID tags

even if the encryption mechanism is set to be strong enough that attackers cannot crack it, RFID tags are still in danger of being copied. Especially for those RFID tags without protection mechanism, using card readers and smart card devices with RFID tags can easily complete tag replication

although it is still very difficult to tamper with the information in the RFID tag, at least it is subject to many restrictions, in most cases, the successful replication of the tag information is enough to cheat the RFID system. For example, the attacker passes through the security system with the copied RFID certificate, enters the database system using RFID as the authentication means, and so on. This problem has something to do with the definition of RFID protocol: in the RFID technical standards, there are more detailed specifications for the writing and management of RFID tags, but the reading restrictions are relatively loose, which is the internal cause of the threat of RFID replication

· privacy issues

on the one hand, it is necessary to effectively apply RFID functions, and at the same time, it is also necessary to prevent RFID tags from disclosing consumer information, which seems to be a dilemma. How to balance these two points is a subject that every organization applying RFID system needs to consider carefully

products that meet the latest RFID standards include a function called kill, which can be used for label effectiveness. However, a label that performs effective operation will be permanently unavailable, which means that businesses cannot use RFID tags to complete after-sales service, and the application effect of RFID is limited

it is true that consumers can prevent unauthorized use of their information by tearing up labels, but this will have a certain psychological impact on consumers: they need to always remember to tear up labels at the appropriate time, and also bear the burden of finding labels in commodities. This is undoubtedly a blow to RFID applications that advertise convenience, If the merchant sets that the RFID tag will be automatically damaged when it is moved outside the store, how to manage the entry and exit of goods in the store, how to determine the time when the tag is enabled and the mixed use of LDPE and LLDPE is relatively ineffective, and so on, also make the specific operations extremely complex

find solutions

now, Robert eller, a consultant in the RF plastic industry, says that the technical standard system of ID is still perfect, but it needs to be improved in the ultra-high frequency (UHF) field. If there are security barriers in long-distance tag reading, it will cause greater trouble to the security of RFID

it is gratifying that the international organization for Standardization (ISO) has formulated standards for tracking goods with high radio frequency tags (I so 18000 - 3) and ultra-high radio frequency tags (ISO) used in the supply chain

at present, although RFID technical standards contain requirements for encryption protection and other security measures, these requirements are not well combined with the actual requirements of RFID applications, thus limiting the effect of these standards

in this regard, some industrial standards can be defined on the core standards to match the security restrictions for specific application forms, so as to avoid the practice of reducing the security standards because the core standards worry about limiting the application flexibility

during some specific operations, some security protection rules of other wireless networks are also applicable to the RFID field, which means that some existing technical resources and security management specifications can be used

a principle that needs attention is to carefully restrict the reading of RFID tags. This is the beginning of solving the RFID security problem

in addition, although the standard EPC tag has tamper proof security protection capability, the data added to the tag often cannot obtain the same protection as the initial data. Therefore, when operating the writing of RFID tag, it is necessary to define corresponding solutions to comprehensively protect the information in the tag

for privacy issues, invalidation is still the most important solution

some companies have developed more complex protection technologies because simply invalidating the label will lead to many other problems. For example, the clipped tag technology proposed by IBM allows users to tear off or scrape off the RFID antenna, which can prevent others from remote tracking through RFID tags; RSA lab researchers also proposed that some data in RFID tags can be shielded to prevent privacy disclosure. A better solution may be to make a compromise between label invalidation and label use. When the label leaves the store, it is automatically placed in a restrictive protection state. In this state, the label cannot be read remotely, and the consumer's private information is shielded into an unusable state. When returning to the store, the label is released into a normal application state. This means that the functions of labels and peripheral devices need to be expanded to include the activation and deactivation of labels into the automated management process

plan ahead

obviously, the RFID encryption protection mechanism is not absolutely safe, but in any case, it is still the main protection method for the current RFID product application. Additional security measures are also very necessary for the RFID system at this stage. Physical devices such as tags, readers and writers should be additionally protected. In the next few years, more standards need to be specified. As a leading manufacturer of RFID Security, RSA is vigorously advocating the importance of third-party RFID Security Solutions and actively promoting the definition of some RFID Security standards

more importantly, at this stage, we urgently need to establish the ultimate goal of RFID, what it should do, at what cost, and so on. Moreover, we need to figure out a seemingly simple problem: how much convenience we need to obtain through RFID, and how much we can sacrifice while obtaining convenience

after all, once the promotion of this technology crosses the critical point, the previous decisions will not be reversed, and some hidden dangers will remain forever, just like the vulnerable points in the tcp/ip protocol family. If these decisions are repaired in the future, it will undoubtedly pay a great cost and price

at present, the RFID industry is thinking about ways to reduce the tag cost, which is the biggest obstacle to the development of RFID at present, and security and cost itself are a group of opposites. We hope that the RFID industry will step up to deal with the security problems of RFID while seeking to reduce costs. After all, it is a better strategy to plan ahead

if the security problem has not been solved when RFID reaches a sufficient application scale, the psychological frustration of consumers may make the development of RFID enter a "winter break" that everyone does not want to see


this is the core of RFID system. It is a very small integrated circuit, which is usually placed in the identified object. RFID tags are used to store unique codes and information about the identified objects


devices that read and write RFID tags send radio waves to tags through antennas to activate tags. After the built-in circuit of the tag is activated, it will automatically send its own data back to the reader through radio signals according to the predetermined rules


is responsible for transmitting and receiving radio signals. It is the communication bridge between the tag and the reader. Generally speaking, the antenna determines the signal range of the RFID system

information source: business information

Copyright © 2011 JIN SHI