The security and privacy issues that surround radio frequency identification (RFID) systems in practice are becoming ever more obvious, as the technology moves from the concept and pilot phase into full-scale production systems. While the authors primarily address the issues surrounding the use of RFID in supply chain scenarios, the same issues are relevant when discussing security and privacy in other situations, especially those that incorporate RFID into human identification systems, such as driver’s licenses and passports.
This paper presents a short review of RFID, and a sample of the security challenges. Several previous proposals are presented and their shortcomings are introduced, including scalability and the loss of functionality. The authors attempt to provide a solution that addresses these shortcomings, and describe a method that could be used within the supply chain.
The approach presented has some similarities to the hash lock [1] proposal, and thus meets the requirements of low processing and storage overhead on the tag itself, requiring the ability to calculate a cryptographic hash, produce a random number, and store an additional reader ID.
The presented algorithm is interesting; however, it leaves four major challenges unaddressed. First, the system requires that each reader have access to the tag ID as well as the precomputed hash. In a system as large as the global supply chain, this presents a major challenge in ensuring that any possible reader in the chain has appropriate access to all of the possible tags that may pass within its domain. Second, since both the tag IDs and the hash algorithm will be widely known, there is a high likelihood that eavesdropping is feasible, simply by building a private database of tag ID/hash(tag ID) pairs and correlating this with the eavesdropped information. Third, for each tag to be readable, the upstream reader must know the reader ID for the next downstream set of readers. This represents a formidable challenge in the global supply chain. Lastly, since each tag responds with static information (in this case, the hash of the tag ID), it is possible to track the tag over time, and, in fact, to go back in time based on a future read.
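The second and fourth points can be checked with a short audit, added here as an illustration and not taken from the paper under review. It assumes SHA-256 as the hash and uses constructed tag IDs and read locations; the nonce-based reply is included only for comparison and is not the paper's scheme.

```python
import hashlib
import secrets
from collections import defaultdict

def static_response(tag_id):
    """Tag reply as the review describes it: always the hash of the tag ID."""
    return hashlib.sha256(tag_id).digest()

def randomized_response(tag_id):
    """Comparison only (assumption): fresh nonce r, reply (r, H(ID || r))."""
    r = secrets.token_bytes(16)
    return r, hashlib.sha256(tag_id + r).digest()

def link_sightings(observations):
    """Group (place, reply) reads by identical reply.
    Any reply seen at more than one place lets reads be tied together,
    including older logged reads once a later read is obtained."""
    groups = defaultdict(list)
    for place, reply in observations:
        groups[reply].append(place)
    return {reply: places for reply, places in groups.items() if len(places) > 1}

def precomputed_table(known_ids):
    """The 'private database' of hash(tag ID) -> tag ID pairs."""
    return {static_response(i): i for i in known_ids}

# Constructed sample data: two tags read at three points in a supply chain.
TAGS = [b"urn:example:tag:0001", b"urn:example:tag:0002"]
ROUTE = ["factory", "port", "warehouse"]

def audit():
    static_obs = [(p, static_response(t)) for p in ROUTE for t in TAGS]
    random_obs = [(p, randomized_response(t)) for p in ROUTE for t in TAGS]
    table = precomputed_table(TAGS)
    return {
        "static_linked": len(link_sightings(static_obs)),
        "random_linked": len(link_sightings(random_obs)),
        "static_identified": sum(r in table for _, r in static_obs),
        "random_identified": sum(h in table for _, (_, h) in random_obs),
    }

if __name__ == "__main__":
    print(audit())
```

A per-read nonce stops replies from repeating and defeats the precomputed table, but a party that already holds the tag IDs can still recompute H(ID || r) for each read, so it does not resolve the reader-side access and scaling concerns raised in the first and third points.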
While the proposed approach does meet some of the requirements for securing the supply chain, continued work is needed to refine the approach and address the remaining issues.