
ASIA PACIFIC INSTITUTE OF

INFORMATION TECHNOLOGY

INDIVIDUAL ASSIGNMENT

Module Code & Title:

CE00542-7

Personal Development & Research Methods

Prepared By: [A. Sameera Heshan Rodrigo] [CB006066] [MP14A1CS]

Date of Submission: 11th September 2015

Lecturer(s): Dr. Harinda Sahadeva Fernando

Research Proposal

Improved Security and Authentication System for Radio Frequency Identification (RFID)
Acknowledgment

First of all I would like to express my deepest appreciation to Dr. Harinda Fernando for the valuable guidance and advice given to me throughout this module. I also really appreciate the useful comments, remarks, engagement and support given to me to complete this research proposal.

Secondly I would like to express my true appreciation to APIIT management for giving me this valuable opportunity to follow this MSc program in your esteemed institute, and finally I thank my family and friends who helped me throughout this semester.

1. Abstract
Radio Frequency Identification (RFID) is an emerging technology, in use around the world, that has caught the attention of many people. RFID tags are small, wireless devices/microchips that can store data to help identify objects and people. RFID-enabled devices are becoming more common in day-to-day tasks and make things easier. RFID-enabled credit cards, electronic wallets and RFID-embedded smartphones are becoming more popular. However, RFID implementation raises a number of potential concerns related to information security, privacy and the vulnerability of sensitive data.

The purpose of the research is to discuss RFID technology, its usage, security issues and the vulnerability threats of using RFID, to assess current RFID authentication protocol models, and to develop a more advanced, integrated security framework to overcome the above issues.

2. Table of Contents
1. Abstract
2. Table of Contents
3. List of Figures
4. Introduction
5. Background
    5.1 Eavesdropping (or Skimming)
    5.2 Traffic Analysis
    5.3 Spoofing
    5.4 Replay attacks
6. Aim and scope
    6.1 Type of Hardware
    6.2 RFID firmware
7. Related work
8. Research Difficulties & problems
9. Approach
10. Data collection methods and instruments
11. Main contributions
12. Timeline
13. Bibliography

3. List of Figures

Figure 1 - Contactless Identity Theft
Figure 2 - Basic RFID System (Priority 1 Design, 2007)
Figure 3 - Scientific Research Method
Figure 4 - RFID Skimmer (Kirschenbaum, 2006)
Figure 5 - Timeline Project Proposal
Figure 6 - Timeline - dissertation

4. Introduction
In this section we explain the background of Radio Frequency Identification (RFID), its usage, its advantages and the current security vulnerabilities of RFID, to give a clear picture of the main purpose of the thesis.

In 1935 Radio Frequency Identification (RFID) was invented by Sir Robert Alexander Watson-Watt to detect approaching aircraft (Jones & Chung, 2011). Since then RFID technology has opened a new frontier, expanding extensively and evolving into different areas. For many years RFID devices were used to simplify day-to-day work in the industrial sector. In the last decade RFID has been identified as an emerging technology and has started to be adopted in many other sectors, including consumer goods, retail services, and inventory and supply chain management; even humans are tagged with RFID chips to collect health information, and there is a broad range of other applications.

Modern RFID microchips can be physically embedded in devices such as mobile phones and credit cards, and are also available as programmable tags. The RFID data can be accessed or read by specially designed RFID readers or scanners. There are many advantages and benefits of using RFID technology:

No line of sight required to access/read RFID

Reader and tags are not orientation sensitive

Long read range

Can store more data (portable database)

RFID can read multiple tags simultaneously

The main advantage of this technology is that RFID-enabled devices do not need to be physically connected to each other to communicate or transfer data. For example, a credit card with embedded RFID does not need to be swiped in the credit card machine; it only has to be moved or gestured close to the RFID reader, and this establishes a connection or transfers data without any physical contact between the card and the reader.

While RFID usage is spreading widely due to its numerous benefits, a potential issue arises when considering privacy and security. Especially with RFID-enabled credit cards and electronic wallets, there is a possible risk of information being stolen without any physical access, and many incidents have been reported of wireless identity theft, in which an individual's personal information is gathered without any contact.

5. Background
As mentioned in the introduction, RFID systems are widely used at many levels. Since RFID has evolved to store sensitive personal data such as credit card information, the level of privacy and security must be high. While RFID technology has improved over the past few years, researchers and technologists have been trying to enhance its security and identify the possibilities for enhancing RFID.

In 2008 the Government of the Hong Kong Special Administrative Region published a research report on the concepts behind RFID technology and the associated security issues and threats in using it, along with possible measures to tackle them and law enforcement (The Government of the Hong Kong Special Administrative Region, 2008).

When considering privacy and security, a number of possible vulnerabilities and threats can be identified in a Radio Frequency Identification system:

5.1 Eavesdropping (or Skimming)

Radio signals transmitted from the RFID-enabled device, card or tag are read by a signal receiver from several meters away by an unauthorized person or identity thief, who gains access to the data (Jones & Chung, 2011).

5.2 Traffic Analysis

Traffic analysis tools can track predictable tag responses over time. Correlating and
analyzing the data could build a picture of movement, social interactions and financial
transactions. Abuse of the traffic analysis would have a direct impact on privacy (The
Government of the Hong Kong Special Administrative Region, 2008).

5.3 Spoofing

This allows intruders to read from or write to RFID cards or tags and change the identity of tags to gain an unauthorized or undetected advantage (The Government of the Hong Kong Special Administrative Region, 2008).

5.4 Replay attacks

These are integrity attacks in which the attacker uses a tag's response to a rogue reader's challenge to impersonate the tag. The main concern here is in the context of RFIDs being used as contactless identification cards (in substitution of magnetic swipe cards) to provide access to secured areas and/or resources. In such applications, RFIDs can be more vulnerable than other mechanisms, again due to their ability to be read at a distance by covert readers (Burmester & Medeiros, 2014).
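A check a reader can apply against the replay described above, as an added example that is not part of the original proposal: a tag that returns a fixed identifier is compared with one that answers a fresh random challenge using a shared symmetric key. The class names, the sample identifiers and the use of HMAC-SHA256 are assumptions; low-cost tags would need a lighter primitive.

```python
import hashlib
import hmac
import secrets

class StaticTag:
    """Tag that answers every challenge with the same identifier."""
    def __init__(self, tag_id: bytes):
        self.tag_id = tag_id

    def respond(self, challenge: bytes) -> bytes:
        return self.tag_id  # the challenge plays no part in the answer

class KeyedTag:
    """Tag that shares a symmetric key with the reader's back end."""
    def __init__(self, tag_id: bytes, key: bytes):
        self.tag_id, self._key = tag_id, key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class Reader:
    """Reader holding the enrolled tags (tag_id -> key, None = static tag)."""
    def __init__(self, enrolled: dict):
        self.enrolled = enrolled
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)  # fresh nonce per attempt
        return self._pending

    def accept(self, tag_id: bytes, response: bytes) -> bool:
        nonce, self._pending = self._pending, None  # a nonce is single-use
        if nonce is None or tag_id not in self.enrolled:
            return False
        key = self.enrolled[tag_id]
        if key is None:  # static tag: the identifier itself is the credential
            return hmac.compare_digest(response, tag_id)
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)

def replay_outcomes() -> dict:
    key = secrets.token_bytes(16)  # constructed sample key
    static, keyed = StaticTag(b"CARD-A"), KeyedTag(b"CARD-B", key)
    reader = Reader({b"CARD-A": None, b"CARD-B": key})
    results = {}
    for name, tag in (("static", static), ("keyed", keyed)):
        # Legitimate session; assume the response was recorded in transit.
        recorded = tag.respond(reader.challenge())
        results[name + "_genuine"] = reader.accept(tag.tag_id, recorded)
        # Later session: the recorded response is presented again.
        reader.challenge()
        results[name + "_replayed"] = reader.accept(tag.tag_id, recorded)
    return results
```

The static tag's recorded answer is accepted again, while the keyed tag's recorded answer fails because it was computed over an earlier nonce.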

As discussed above, considering the benefits and advantages of RFID systems, it is clear that this technology brings great benefit to different fields around the globe, and in future more and more people will adopt it, from high-end industrial production to individual uses such as credit cards, electronic wallets and retail shops. At the same time, alongside all these benefits, the risk of compromising privacy and security has also increased; if sensitive data such as credit card information is compromised, the effects could be devastating. Therefore it is essential to identify the current security measures, weaknesses and vulnerabilities of RFID security and to develop an advanced security system to ensure the integrity of, and confidence in, the data.

Figure 1 - Contactless Identity Theft

6. Aim and scope

Figure 2 - Basic RFID System (Priority 1 Design, 2007)

The main aim is to study the current state of RFID security and privacy concepts and to understand the physical principles of Radio Frequency Identification systems. In this framework the main components are the physical layer of RFID systems and the software implementations. To develop enhanced security for the proposed system, these two components will be analysed more deeply, as set out below:

6.1 Type of Hardware :-

Active RFID tags

Passive RFID tags

| | Active RFID | Passive RFID | Battery-Assisted Passive (BAP) |
|---|---|---|---|
| Tag Power Source | Internal to tag | Energy transfer from the reader via RF | Tag uses internal power source to power on, and energy transferred from the reader via RF to backscatter |
| Tag Battery | Yes | No | Yes |
| Availability of Tag Power | Continuous | Only within field of reader | Only within field of reader |
| Required Signal Strength from Reader to Tag | Very Low | Very high (must power the tag) | Moderate (does not need to power tag, but must power backscatter) |
| Available Signal Strength from Tag to Reader | High | Very Low | Moderate |
| Communication Range | Long range (100m or more) | Short range (up to 10m) | Moderate range (up to 100m) |
| Sensor Capability | Ability to continuously monitor and record sensor input | Ability to read and transfer sensor values only when tag is powered by reader | Ability to read and transfer sensor values only when tag receives RF signal from reader |

Table 1 - RFID Types (Impinj, Inc., 2015)

6.2 RFID firmware :-

Encryption of RF signals

Authentication methods

Cryptographic primitives

Security Algorithms

Permanently destroying sensitive data

7. Related work
In 2008, the Government of the Hong Kong Special Administrative Region conducted research on RFID attacks and security threats. The research identified that some types of low-cost passive and basic RFID tags cannot execute standard cryptographic operations such as encryption, strong pseudorandom number generation and hashing (The Government of the Hong Kong Special Administrative Region, 2008). It also identified the main areas of concern when considering RFID security:

Tag Data Protection

Reader Integrity

Personal Privacy

In 2011, at the 7th international workshop for RFID Security, Ari Juels & Christof Paar submitted a research paper on RFID security and privacy (Juels & Christof, 2001). In this research they analyzed Skipjack, a lightweight block cipher designed by the U.S. National Security Agency (NSA). This embedded application has an algorithm with a hardware-efficient block cipher. They also defined the types of attack (Juels & Christof, 2001):

Linear and differential attacks

Key schedule attacks

Integral attacks

Beyond the above, much research has been conducted to identify security and privacy vulnerabilities, together with experiments and implementations to overcome RFID issues. A few important research studies are listed below:

2015 January, Introduction to RFID Security by InfoSec Institute

Black Hat Security Conference (USA) 2013

RFID Feasibility Study Final Report - U.S. Smart Border Alliance

Guidelines for Securing Radio Frequency Identification (RFID) Systems - National Institute of Standards and Technology USA

Privacy and Security Aspects of RFID Tag by Dong-Her Shih - Department of Information Management, National Yunlin University of Science and Technology

8. Research Difficulties & problems


The main purpose of this research is to critically analyze and identify the security weaknesses of current RFID systems and to develop a software solution, with physical changes, to overcome them. The research will have a few challenges to address:

The main problem to be faced is limited resources. For example, it would be difficult to find real credit cards with RFID for the experiments, since people will not be willing to participate or provide their credit cards for such a survey because it would compromise their personal information.

This can be overcome by gathering expired credit cards and by using programmable RFID tags.

Identifying the best software development method and tools.

9. Approach

Figure 3 - Scientific Research Method

Experimental research methods will be used to manipulate quantitative variables and generate statistically analyzable data. Together with a literature review of previous work on RFID security models and careful study of the algorithms of elliptic curve cryptography, this will help to understand the current functional specification and to optimize the system to be developed with new metrics for reliability, efficiency and performance. The final deliverables depend on the security protocols and methods listed below:

Hash Lock: The Hash-Lock approach is a concept of locking and unlocking the tag to allow access, and requires implementing a cryptographic hash function on the tags (Dixit et al., 2011).

Symmetric key cryptography: An encryption method in which the sender and receiver of a message share a single, common key that is used to encrypt and decrypt the message. Symmetric-key systems are simpler and faster, but their main drawback is that the two parties must somehow exchange the key in a secure way (Beal, 2015).

Lightweight authentication protocol

Asymmetric key cryptography: In asymmetric encryption a public key and a private key are used to encrypt and decrypt messages. An asymmetric cipher also solves the scalability problem: everyone needs only one public key and one private key to communicate with other people (InfoSec Institute, 2013).
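The hash-lock idea listed above, sketched as an added example (not code from the proposal or from Dixit et al.): the tag stores metaID = h(key) and unlocks only for the matching key. It goes beyond the text by adding the randomized hash-lock variant from the literature, whose answers do not repeat; SHA-256, the class names and the sample tag ID are assumptions.

```python
import hashlib
import secrets

def h(data: bytes) -> bytes:
    # SHA-256 stands in for whatever hash the tag hardware implements.
    return hashlib.sha256(data).digest()

class HashLockTag:
    """Basic hash-lock: the tag stores metaID = h(key) and starts locked."""
    def __init__(self, tag_id: bytes, key: bytes):
        self._id, self.meta_id, self.locked = tag_id, h(key), True

    def query(self) -> bytes:
        # A locked tag reveals only metaID; the real ID needs an unlock first.
        return self.meta_id if self.locked else self._id

    def unlock(self, key: bytes) -> bool:
        ok = secrets.compare_digest(h(key), self.meta_id)
        if ok:
            self.locked = False
        return ok

class RandomizedTag:
    """Randomized variant: each answer is (r, h(ID || r)) with a fresh r."""
    def __init__(self, tag_id: bytes):
        self._id = tag_id

    def query(self) -> tuple:
        r = secrets.token_bytes(8)
        return r, h(self._id + r)

class BackEnd:
    def __init__(self):
        self.keys, self.ids = {}, []  # metaID -> key, and enrolled tag IDs

    def enroll(self, tag_id: bytes, key: bytes) -> None:
        self.keys[h(key)] = key
        self.ids.append(tag_id)

    def identify(self, r: bytes, digest: bytes):
        # One hash per enrolled tag: the cost of answers that do not repeat.
        return next((i for i in self.ids if h(i + r) == digest), None)

def demo() -> dict:
    tag_id, key = b"TAG-0001", secrets.token_bytes(16)  # constructed samples
    backend = BackEnd()
    backend.enroll(tag_id, key)
    tag, rtag = HashLockTag(tag_id, key), RandomizedTag(tag_id)
    first, second = tag.query(), tag.query()
    a, b = rtag.query(), rtag.query()
    return {
        "meta_id_repeats": first == second,  # static value, linkable over time
        "wrong_key_unlocks": tag.unlock(b"\x00" * 16),
        "right_key_unlocks": tag.unlock(backend.keys[first]),
        "id_after_unlock": tag.query(),
        "randomized_repeats": a == b,
        "backend_identifies": backend.identify(*a) == tag_id,
    }
```

The repeating metaID is what the traffic analysis in section 5.2 relies on; the randomized variant removes it at the price of a search over all enrolled tags in the back end.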

10. Data collection methods and instruments
The following devices and methods will be used to collect data.

Standard RFID scanner

RFID Embedded credit card

RFID Tags

RFID enabled Smart phone

Custom-made High Powered RFID Skimmer

Figure 4 - RFID Skimmer (Kirschenbaum, 2006)

11. Main contributions


Identifying the current RFID security and privacy implications

Assessment of prior authentication protocols

Identifying type of attacks and RFID security Vulnerabilities

In-depth analysis of low cost lightweight authentication protocol RFID tags

Perform key cryptography such as hash functions

Hypothesis for new efficient authentication protocol system that prevents the RFID
attacks and address privacy and security of future RFID system based on research
including Elliptic Curve algorithm.

12. Timelines

Figure 5 - Timeline Project Proposal

Figure 6 - Timeline - dissertation

13. Bibliography
Anon., 2015. Hypotheses and Tests. Boundless.

Baig, M., 2012. RFID technology: Advantages and Disadvantages. [Online] Available at:
http://mbaigrfidreport.blogspot.com/2012/04/rfid-technology-advantages-and.html [Accessed
8 September 2015].

Beal, V., 2015. Data Encryption Standard (DES). [Online] Available at:
http://www.webopedia.com/TERM/S/symmetric_key_cryptography.html [Accessed 09
September 2015].

Burmester, & Medeiros, B., 2014. RFID Security: Attacks, Countermeasures and.
Tallahassee, FL 32306: Florida State University.

Dixit, V., Verma, H. & Singh, A., 2011. Comparison of various Security Protocols in RFID.
International Journal of Computer Applications.

Impinj, Inc., 2015. The Different Types of RFID Systems. [Online] Available at:
http://www.impinj.com/resources/about-rfid/the-different-types-of-rfid-systems/ [Accessed
09 September 2015].

Jones, C. & Chung, C.A., 2011. RFID and Auto-ID in Planning and Logistics. NY: CRC Press.

Juels, A., 2006. RFID Security and Privacy: A Research Survey. IEEE JOURNAL ON
SELECTED AREAS IN COMMUNICATIONS.

Juels, A. & Christof, P., 2001. RFID Security and Privacy. Amherst: Springer.

Karygiannis, Eydt, Barber, G. & Bunn, L., 2007. NIST Issues Guidelines for Ensuring RFID Security. Gaithersburg: The National Institute of Standards and Technology (NIST) U.S.

Kirschenbaum, I., 2006. How to Build a Low-Cost, Extended-Range RFID Skimmer. [Online] Available at: https://www.usenix.org/legacy/event/sec06/tech/full_papers/kirschenbaum/kirschenbaum_html/kw-usenix06-forhtml.html [Accessed 10 September 2015].

InfoSec Institute, 2013. Symmetric and Asymmetric Encryption - InfoSec Resource. [Online] Available at: http://resources.infosecinstitute.com/symmetric-asymmetric-encryption/ [Accessed 9 September 2015].

Priority 1 Design, 2007. Priority1 Design. [Online] Available at: http://www.priority1design.com.au/rfid_design.html [Accessed 09 September 2015].

The Government of the Hong Kong Special Administrative Region, 2008. RFID SECURITY.
Hong Kong: HKSAR.
