Security and privacy in radio frequency identification

Abstract

This thesis studies security and privacy issues of Radio Frequency Identi cation (RFID) technology that enhances ubiquitous computing environment. RFID technology is used to identify many types of objects. Some of the main applications are asset management, tracking, access control and automated payment. Therefore, in the near future, this technology will replace the barcode technology. However, privacy is one of main issues to adopt RFID technology in daily use. Due to resource constraints of low cost RFID tags in terms circuit size, power consumption and memory size, it is very restricted to design a private authentication protocol based on existing cryptographic functions. Therefore new private authentication protocols based on lightweight cryptography are required to use low cost RFID tags in RFID applications. In this thesis, we focus on low cost RFID tags. Our contributions are as follows. Firstly, we propose a new strong privacy model called ACAP for RFID systems and analyze the privacy of a former authentication protocol based on our privacy model. Former proposal assumes that the adversary should miss any reader-to-tag communication ows and claims that their protocol is secure against forward traceability only in such communication environment. We show that even under such an assumption, the former proposed protocol is not secure. We propose a new RFID authentication protocol called ACA. We analyze its security based on our privacy model. The proposed protocol provides better protection against privacy and security threats than those before. It is resistant to server impersonation attack without any assumption and secure against forward traceability, if the adversary misses any reader-to-tag communication ows. Furthermore, we analyze the performance of ACA. It has low computational load on both the tag and the server side. Secondly, we analyze the privacy and security of another former proposal SAPA (Storage Awareness Private Authentication) and discover that SAPA does not provide location and information privacy between successful authentication sessions and does not resist denial of service attacks, forward traceability, and server impersonation. We analyze the weaknesses of SAPA and propose a new tree based RFID authentication protocol called ACAT. ACAT provides better protection against privacy and security threats than those before. It provides tag information privacy and tag location privacy, and resists replay attacks, denial of service attacks, backward traceability, forward traceability (under an assumption), and server impersonation with an e cient keylookup. Furthermore, ACAT has the least computation and communication load on both the tag and the server side compared to other tree based protocols.