PL  |  NL  |  FR  |  ES  |  PT  |  IT  |  DE  |  DK  |  NO  |  SE  |  FI  |  GR  |  JP  |  CN  |  KR  |  RU  |  AE

  Report this article

More information

DNS risks and security

FTP with IPv6

DNS in the IPv6 world

RADIUS Vulnerabilities

DHCP with IPv6

IPSec Protocols Operations and Modes Overview

SNMP risks and security

PERSONALIZED COMMUNICATIONS

Alternative VPN Implementations

RADIUS Related Tools

MOBILE ELECTRONIC MAIL

VPN and Tunneling Protocols

Part one of this paper discussed RFID technology generally, with particular regard to its components and operation. In part two we now consider the major areas of applications of the technology. As highlighted in part one, RFID technology application details may differ even for the same kind of applications. This is due to the fact that, though RFID subsystems are fairly standard, the details of the capabilities that may be included in each subsystem for the given application can be substantially different. In part one it was mentioned in various places how each subsystem component may compromise the information security, particularly in the way the components are configured and implemented. Another aspect of the technology deployment that may impact on security is the application. Certain malicious attacks and threats are aimed at certain applications more than others. Implementation, in a number of cases, may compromise the system by making it more vulnerable due cost and other considerations. Some of the major characteristics that influence the secure deployment of RFID systems include: the RFID application type; the information handled; economic factors; transaction environment, etc. the effects and implications of these characteristics are considered in this paper.

RFID Application Types

The application types are many but the most widely used applications may be grouped as asset management, asset tracking, automated payment, and supply chain management [1]. The application type must be carefully selected with the appropriate security features in mind. For example the security features, which must be included in an application such as automated payment system, will usually more elaborate than the features to include in a basic asset tracking system.

Asset management

These systems are used to manage the inventory of a wide range of items, in a wide range of application areas. Library information management and control systems can incorporate RFID for the tracking of various types of books, publications, articles, etc. the American Library Association (ALA), for example, highlight the advantages of implementing RFID technologies for Libraries [2]. The advantages include rapid charging/discharging of circulations, high reliability, high-speed inventorying, automated materials handling, etc. but RFID is not without shortcomings in the library scenario. Apart fro the high initial cost there are vulnerabilities, which can be exploited if the application is not properly implemented. For example, a book folded several layers may not be detected due to the reduced strength tag signal. Certain materials can completely block out the RF signals from the tag and should therefore not be allowed into the library.

Another widely used form of asset management is the Electronic Article Surveillance (EAS) that is used in retail stores to track the movement of items on sale and in the stores. The tags on these items can only be deactivated at the point of sale, to vindicate that a sale has been made. This approach can minimize pilferage of stock, but is again subject to the vulnerability as the library book asset tracking. Other applications include smart shelves and cabinets, particularly for the monitoring of certain high value items.

Tracking applications

Tracking usually forms an integral part of asset management system, the distinguishing feature being that in asset management interrogators at a single location will provide adequate information. Asset tracking applications, on the other hand involve more than one interrogator and more than one network. This requires the use of a central system to aggregate and correlate the information from the various interrogators. This central system becomes the single point of failure and must be adequately protected against any malicious attacks.

Matching applications

These applications can be some cheap and easily used pattern recognition systems. Two tagged items are checked for a match according to some defined parameters and if there is a match a signal is triggered for some predefined action. Mother-baby tagging and matching in hospitals is a common application of this operation. if a different mother is accidentally or otherwise given an infant an alarm is triggered. The matching application can be extended a host of other appli8actions, including the matching of airline passengers to luggage, etc.

Process control

RFID technologies are increasingly being used in process control in manufacturing and services industries. The information from the tags is used to make and take some control actions, either automatically or manually. In manufacturing the tag characteristics can be monitored as the part or raw material goes through the manufacturing process. This would be most suited to discrete manufacturing. As the part goes through each stage, the interrogator reads the tag and takes the appropriate action as defined for that station and for that particular part. In process control applications the requirements are more stringent than for the tracking and matching applications. In addition:

• Additional information including timestamps, for process monitoring and control purposes
• Additional issues to consider include what information should be recorded, the storage location, how to protect the information, and the privacy details of the information.

Access control applications

RFID technology can be used to provide a robust means of physical access into buildings, rooms, and etc. The systems can also be used to control logical access into information systems. The access controls can be of two types: online or offline.

• Online access control is based on interrogators that are networked through computer systems. The central computer system will have an updated list of the persons with access rights to which resources.
• Offline access control is based on computer systems that are not networked. The interrogator will list the rooms the rooms the tag holder can have access to.

Another application is in automobile key applications, where two basic types can be used: immobilizes and push-button keyless start. In the car immobilizer, the tag is embedded in the normal looking car key. To start a car the key must have the right tag and be of the right shape. In the keyless application, the driver carries a fob with the tag. Upon the tag identification the car can be started using the push button.

Automated payment

A number of financial applications can rely on RFID systems. The transactions include fare collections on public toll stations, fuel charges at petrol or gas stations, retail payments using credit cards with embedded tags, etc. these systems require additional security protection mechanisms. Integrity and confidentiality properties must be tightly controlled. Like the process control systems, the automatic payment systems can be offline or online, with similar demands on system security and performance.

Supply Chain Management

RFID systems are used to monitor and control a wide range of products from manufacturing through distribution to sale, and often, to obsolescence. As the product moves through the chain stages, the tags identifier can be used by all by all the supply chain participants.

RFID Information Characteristics

It is critical that the information characteristics be established and managed for the application type selected. Some applications, such as supply chain systems are more data-intensive than others. The security controls should be considered at this stage, based on whether the data is considered sensitive or confidential or both. It is also important to consider if the data changes and how often the changes take place. These changes can alter the effectiveness of the selected security features.

RFID Transaction Environment

The following parameters must be considered when deciding on the requirements of the RFID system application:

• Distance between the interrogator and the tag, which mainly determines the type of tag that can be deployed. There are also security implications. The farther away the tags are from the interrogators the more the security risks due to increased exposure.
• The transaction speed, usually measured in the number of tags per second is important for several reasons. The interrogators must communicate with all the tags associated with it. If the transaction takes too long the communication will fail. Mobile tags can only be detected if the transaction speed is fats enough. Besides the system users can lose confidence in the system if there are too many speed related bottlenecks.

Network Connectivity

This aspect of the RFID application is most critical for the system security. The use of the databases with the applications means that protection must be as thorough as possible. Generally it is preferred that networked interrogators be the ones to access the databases rather than storing data in the tags themselves. There is, however, always a need for having some local storage within the tags. The situations include:

• When it is not possible to extend the network to a remote interrogator;
• When there is unacceptable latency in the data network;
• When each tag must first collect and then store the data before communicating with the interrogator.

Tag environment

The transactions that take place within the tag environment are critical in determining the RFID system requirements for a given application. A number of issues should be taken into account. Data collection requirements may influence the human and environmental threats to tag integrity. The technology components should be selected based on the level of threats and the vulnerabilities existing in the environment. For example, human threats include damaging of tags, removal of tags, exchanging of tags, etc. environmental factors include extreme of cold, heat, moisture, vibration, and radiation.

Summary

RFID technology can support a very wide range of applications, and the range and applications is continuing to grow. These applications have a major impact on the overall security of any chosen application. The factors that influence the nature and depth of the system protection include the nature of the handled information; and the RFID transaction environment; the characteristics of the tag environment. The economics of the RFID technology cannot be ignored, since it determines what components can be included. This may have a major impact on the security of the overall system. In the third and final part of this discussion we will look at the risks in more detail.

References

[1] Karygiannis T, et al. (2006). "Guidance for Securing Radio Frequency Identification (RFID) Systems (Draft)." NIST Special publication 800-98. http://csrc.nist.gov/publications/nistpubs/800-98/sp800-98.pdf (Accessed December 6, 2006).

[2] American Library Association Technical Notes. (2004)."RFID Technology for Libraries." http://www.ala.org/ala/pla/plapubs/technotes/rfidtechnology.htm (Accessed December 6, 2006).