Comprehensive Protection of RFID Traceability Information Systems Using Aggregate Signatures (Cryptography)

Abstract

This work describes how the use of aggregate signatures can contribute to the comprehensive protection of RFID systems. Following a brief description of a product traceability system based on RFID technology and made secure by the use of aggregate signatures, a review is given of the main security threats to such systems and it is shown how the properties of aggregate signatures can provide comprehensive protection. Throughout the paper the protection measures adopted against the threats described for a real prototype are explained.

Keywords: RFID, Virus, Aggregate signatures.

Introduction

RFID technology is increasingly present in many areas of our daily lives and also in industrial processes. The advances in ubiquitous computing, where the use of RFID for marking objects is becoming common, have numerous advantages. However, there are new challenges on the horizon such as the proliferation of attacks and specific malware in RFID environments [1]. This work concentrates on how these threats can affect an RFID-based traceability system and how the use of aggregate signatures can contribute to preventing or mitigating these effects. The proposed system is protected against new risks that can have an impact on automated systems of information capture, which provides an interesting novelty for traceability systems and quality management.

In the following section we briefly describe a system of RFID secured traceability on which the impact of various threats will be studied.


Section three outlines the security risks and basic characteristics of the threats that may affect RFID systems and their execution.

Section four provides an evaluation of which of these threats affect the system and how aggregate signatures and other counter-measures can contribute to minimising their impact.

The conclusions are set out in the final section.

RFID Traceability

RFID technology enables objects or persons to be identified with a unique identifier, the information being transmitted with a specific protocol to a receiving device, called a reader, by means of radio waves [2]. The simplest form of RFID consists of a tag (containing a minute integrated circuit with its corresponding antenna) and a RFID reader, although in most cases this basic system is also connected to an information system (back-end) with a database that stores all the information relating to the object. Here, this technology can show its full potential, but it is also the most vulnerable point from the security aspect.

Traceability is defined, according to the International Standards Organization (ISO) [3], as "The property of the result of a measurement or the value of a standard whereby it can be related to stated references, usually national or international standards, through an unbroken chain of comparisons all having stated uncertainties".

Traceability systems based on RFID technology are increasingly common and they provide many advantages over other systems (bar codes, for example). In [4] a RFID-based traceability system was proposed that, in addition to traceability, facilitates control of the requirements at every stage the product must pass through and the locating of the entity responsible for certification at every checkpoint. This involved the use of aggregate signatures, defined in [5] as "a function in which given a set of U users, each one with a public and private key (K_u^+ and K_u^-), and a subset V ⊆ U, if each user u ∈ V produces a signature σ_u of a message M_u these signatures can be compacted into an aggregated signature σ by an untrusted third party different from the users of V".

The use of aggregate signatures allows the validity of the data held in a tag to be verified in one cryptographic operation. This takes place at every checkpoint before new data is introduced and the new aggregate signature is updated. If everything is correct, the corresponding computations are done and the data recorded in both the RFID label and the information system.

Checkpoint Architecture

Fig. 1. Checkpoint Architecture

In the process for which product traceability is required, there are several checkpoints entrusted with guaranteeing the system under study.

At each checkpoint the reader takes the data from the tag. The checkpoint checks the aggregate signature and, if it is correct, generates a new signature that encompasses the data input at this point and passes the new data and signature to the information system. This operation is executed by the "security module", meaning the part of the system responsible for generating and verifying the aggregate signatures at each point. Thus, the system works as a data filter, preventing items that are not correctly signed from reaching the information system. An extensive description of our system is in [6] and [7].

Figure 1 shows the architecture of the system, where each computer connected to an RFID reader has a "Security Module".

RFID Security Risks

RFID systems are susceptible to various types of attacks. This technology is not immune to risks, and some authors have classified the most significant threats into several categories. Many of these threats are related to privacy ([8], [9] and [10]). In our system, privacy is not something that we need to safeguard, because traceability is, in this case, the objective of the process as a whole. On the other hand, the taxonomy proposed in [11] adds three more risk groups to that of privacy: Business Process Risks, related to the impact of RFID system failures on automatic systems based on them, Business Intelligence Risks, and finally "external" risks. Although this perspective is more extensive and closer to reality than previous ones, we are going to use as a base the structure proposed in [1], where types of attacks and threats are classified and related to a model with four layers: physical, network and transport, application, and strategy. The first three correspond quite closely to the layers given in the OSI model, while the fourth encompasses the risks associated with logistic factors and also contemplates the possibility that attacks may be multilayer, in other words that they affect several of the basic layers.

As developed in [1] and [12], the main risks for each layer are as follows:

• Physical layer: permanent or temporary tag disablement, relay attacks and removal or destruction of RFID readers.

• Network and transport layer: identity, cloning and spoofing (affecting tags), impersonation and eavesdropping (both mainly affecting readers), and network protocol attacks.

• Application layer: unauthorized tag reading, modification of tag details, attacks in the middleware (such as buffer overflows and malicious code injection).

• Strategic layer: industrial espionage, social engineering, privacy threats, targeting objects (for example targeting people with valuable items with intention to rob).

Furthermore, there are multilayer attacks which may include denial of service attacks, reading / writing of information in the free space of the tag without the user’s knowledge, traffic analysis, attacks on the cryptographic information algorithms, attacks based on monitoring the physical working parameters (energy consumption, variation in electromagnetic fields, etc…) and relay attacks (recording of a password of a previous transaction and repeating it when presented with the same challenge).

Robustness of the System Against Threats

In view of these various threats, we will examine those most likely to affect the system and the protection measures adopted, some of them based on the guidelines suggested in [1] and [13].

Physical Layer

It is quite likely that a tag may become detached or damaged during the process. In such a case, at the first point at which the tag fault or absence is detected, the product is withdrawn from the production chain, the database is checked to confirm up to what point the process has been recorded, a new tag is issued with all the information and the process continues from that point.

The KILL [14], [15] and DESTROY [16] commands, created to defend the privacy of the future buyer once the product is acquired [17] and which permanently disable the tag, are not relevant in this process because the tag is only for internal use and is not supposed to reach the final user. Note that some works like [18] suggest that the kill tag state may be reversible. For more information about attacks based on the use of these commands, [19] is recommended reading.

It seems unlikely that active interference could be carried out by a supposed attacker given that the process always takes place in private installations, so that it should be enough to observe the physical protection measures proposed in [13] which are: access control, security cameras, security guards and similar precautions. Nevertheless, there should also be a contingency plan in case a checkpoint in the traceability system fails so that the productive process can continue and data continue to be taken.

The possibility of relay attacks, as suggested in [20], is remote due to the nature of the installations and the short communication distances between tags and readers. Moreover, the use of aggregate signatures protects the system from possible malicious alterations of the data as it is all protected by the signature and a temporary seal. In these circumstances it is highly unlikely that tampering with the data would go unnoticed by the system.

The most worrying risk from the point of view of its impact would be tag cloning. However, cloning a tag with the same physical appearance is difficult given that this would involve manufacturing an identical model of tag. Furthermore, these cloned tags would have to be introduced into the market when the production process of the product has finished, otherwise they would be easily detected by the system. Even so, if an increase in the level of security was required, it would be possible to turn to hardware solutions based on the use of physically unclonable functions (PUFs) [21-23]. In the case of similar tags being cloned but with a different unique identification number, this would immediately be detected because the aggregate signature includes the unique identifier, and therefore if the card is not the same the identifier changes and it is automatically detected that the signature is not correct. Moreover, for other tag data that can be seen at first glance, such as the weight or the identification number, it is easy to check that the weight has changed or that the number does not match or is repeated. For more information about avoiding tag cloning, [19] and [23-28] are recommended reading, and [29-31] about detecting it.

Network and Transport Layer

There is no encrypted data in the tag, so there would be no problem if someone read the content of the card with a legitimate reader. Similarly, if a fraudulent reader wrote a tag, this would be detected at the next checkpoint since it would not be able to provide a valid signature.

Application Layer

As mentioned in the previous point, there is no problem about unauthorized readings as all the information is plaintext and, as it has also been pointed out, modification of the data is automatically detected by the security module.

Although the risk classification we are using deals only with buffer overflows and malicious code injection, it is also possible to speak in general terms about malware specifically designed to attack RFID systems [12], i.e. software designed to cause damage in the systems. There are three main types of malware: RFID exploits, RFID worms and RFID viruses [12].

Starting with the main threats, the greatest danger of the exploits in RFID is precisely that they are frequently unexpected and their processing can exploit vulnerabilities both in the RFID system and in the information system itself or the entire network. Normally these attacks are aimed at specific components of the system, such as databases, web interfaces or APIs managing readers. One of the simplest attacks would be the injection of SQL commands such as shutdown or drop table that cause serious damage to the system (switching off or deleting tables) or even data theft. For example, some databases such as Microsoft SQL Server allow administrators to execute system commands, so that if the database is running as root the whole system can be jeopardised. The use of aggregate signatures guarantees that data have been input by authorised entities, so that if the signature is not correct the data is not passed to the information system: the security module discards the data and therefore the command is not executed.

Another type of attack within the exploits category would be the insertion of code. If the RFID applications use web protocols to consult the database, it is very likely that clients will be able to interpret scripts, in which case they could be vulnerable to this type of attack in the same way as web browsers but with a higher degree of danger, given that browsers normally have limited access to the host. To prevent this, and as the cited codes habitually use non-alphanumeric characters, a first measure is that the system does not process any input that contains any element of this kind. Additionally, as in the previous case, the security module will filter the data reaching the information system. If possible it would be advantageous not to allow the execution of script languages in the back-end system.
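The checkpoint procedure from the Checkpoint Architecture section and the filtering described above, as an added example that is not the authors' prototype code. It substitutes an XOR-aggregated HMAC (an aggregate MAC, where the verifier holds every checkpoint's secret) for the public-key aggregate signature scheme, which this page does not specify; the key values, tag identifiers, field contents and function names are constructed for illustration.

```python
import hashlib
import hmac
import json
import re

# Constructed demo secrets, one per checkpoint; in this stand-in the security
# module knows all of them (a public-key scheme would hold only public keys).
KEYS = {"CP1": b"demo-key-1", "CP2": b"demo-key-2", "CP3": b"demo-key-3"}
ALNUM = re.compile(r"[A-Za-z0-9]+")  # input rule: alphanumeric fields only

def _mac(uid, index, rec):
    # Bind each record to the tag UID, its position, checkpoint and timestamp.
    cp, ts, data = rec
    msg = json.dumps([uid, index, cp, ts, data]).encode()
    return hmac.new(KEYS[cp], msg, hashlib.sha256).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def verify(tag):
    """One check over everything on the tag: recompute and compare the aggregate."""
    agg = bytes(32)
    try:
        for i, rec in enumerate(tag["records"]):
            agg = _xor(agg, _mac(tag["uid"], i, rec))
    except (KeyError, ValueError, TypeError):  # unknown checkpoint, malformed record
        return False
    return hmac.compare_digest(agg, tag["agg"])

def process(tag, cp, ts, data, backend):
    """Security-module step at checkpoint cp. True only if data reached the back-end."""
    if cp not in KEYS or not verify(tag) or not ALNUM.fullmatch(data):
        return False  # item is withdrawn; nothing is written or forwarded
    rec = (cp, ts, data)
    tag["agg"] = _xor(tag["agg"], _mac(tag["uid"], len(tag["records"]), rec))
    tag["records"].append(rec)
    backend.append((tag["uid"], cp, ts, data))
    return True

def demo():
    backend = []  # stands in for the information system
    tag = {"uid": "E2000017", "records": [], "agg": bytes(32)}  # freshly issued
    results = [process(tag, "CP1", 1700000000, "W12500g", backend),
               process(tag, "CP2", 1700000600, "T4C", backend)]
    # Constructed tamper: a reader holding no key rewrites the CP2 record.
    forged = dict(tag, records=[tag["records"][0],
                                ("CP2", 1700000600, "x'; DROP TABLE items;--")])
    results.append(process(forged, "CP3", 1700001200, "PACKED", backend))
    # Constructed copy of the data onto a tag with a different unique identifier.
    clone = dict(tag, uid="E2000099", records=list(tag["records"]))
    results.append(process(clone, "CP3", 1700001200, "PACKED", backend))
    # Legitimate checkpoint, but the field contains non-alphanumeric characters.
    results.append(process(tag, "CP3", 1700001200, "<script>", backend))
    results.append(process(tag, "CP3", 1700001200, "PACKED", backend))
    return results, backend

if __name__ == "__main__":
    print(demo())
```

The record position is part of each MAC input because a plain XOR aggregate would otherwise let two identical appended records cancel each other out.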

No less dangerous is a buffer overflow [1], which occurs when more data is written to an area of memory than it can contain, and the extra data overwrites areas of the adjacent memory. The greatest danger is that an attacker intentionally producing an overflow can execute arbitrary code. Although the majority of compilers, browsers and systems are already protected against these attacks, an example of overflow in an RFID system is presented in [12]. In this case, the previous filtering of the security module through the confirmation of the validity of the signature meant that the malicious data did not pass to the system. Special care should also be taken in the programming, and it should be ensured that only the areas of the memory where there are data are read.

RFID worms exploit system faults to introduce malicious code into the reader that overwrites the tags with a code that causes the infection of a new reader and so on. Again, the previous checking of the signatures will obstruct the propagation of the infection through the tags, but the security of the system should be audited to find out how the reader has been infected (probably via the network). In this case, it is important to emphasise again the importance of an appropriate security policy for all the systems involved in the process.

The first RFID virus was presented and explained at length in [12]. It carries out an SQL code injection when the tag is read, copying the instructions of the injection in the database so that when a new tag is written it becomes infected and also propagates the virus. From this initial idea, it is possible to programme payloads to cause more dangerous effects.

Even if dealing with a virus with the improvements described, applying the basic general norms such as limiting the permissions for the database and the number of users, isolating the middleware server from the rest of the network and reviewing the middleware code to avoid security gaps [32], [33], we can count on a high degree of protection against these threats (at least at the moment). Also, the implementation of the "security module" enables the propagation of the virus through the tags to be limited, given that the data will not be processed by the information system.

Strategic Layer

Of the risks cited (industrial espionage, social engineering, threats to privacy, targeting of objects), we could only be affected to some extent by the possibility that through social engineering techniques some person, in some position of privilege, could perform an action that might compromise the security of the system. The countermeasures proposed are appropriate training of personnel and implementing a general security policy, as well as making it impossible for users to have direct access to the private keys of the devices. In other words, when a legitimate user starts a session, the authenticity of the user should be verified by the system, after which the system will be responsible for carrying out the calculations, without the user having direct access to the private key used in the operation.

Multilayer Attacks

We consider that attacks that could affect our system are: denial of service, reading / writing of information in the free space of the tag without the knowledge of the user, and relay attacks. The others do not affect us since privacy is not an issue.

Denial of service attacks could affect the production chain. However, for their execution physical access to the premises is necessary so that the physical measures proposed in Subsection 4.1 should be sufficient. It should not be forgotten that there are communication networks in the system which could be vulnerable to external DoS attacks, so that the usual security measures should be taken to prevent these from occurring.

Unauthorised reading, as already mentioned, is not a problem given that there is no secret data involved. Unauthorised writing has been dealt with in Subsections 4.2 and 4.3.

As regards relay attacks, these have also been dealt with, specifically in Subsection 4.1.

Conclusions

As explained in the previous sections, the security of an RFID system depends on the security of all layers integrated into the system, none of which should be ignored.

Given that in the present case the system will always be located in private installations without public access, many of the potential problems will not affect us. Furthermore, as privacy is not a requirement, attacks directed at finding secret data will not be of concern.

In addition to the initial step of ensuring the veracity of the data, the time of its introduction and the fact that only authorised entities may carry out the writing, the use of aggregate signatures in the system also provides protection against other types of threat, as has been pointed out in the previous paragraphs: relay attacks, cloning, unauthorised writing, modification of tag data, SQL injection, insertion of codes, buffer overflow, RFID worms, RFID viruses, and social engineering.

The worst threat hanging over RFID security is the idea that the system is secure merely because of the use of RFID technology. A knowledge of the risks and the implementation of all possible safeguards is fundamentally important, both in respect of the RFID and of the other systems used in the process.

Since this aggregate signature scheme can be implemented in an information system independently of the technology used, it can be applied to any process that consists of a chain of steps, making it possible to know who takes responsibility for the data introduced at each point (either a human agent or an autonomous system) and to protect the system, provided that a signature verification is performed before data is entered into it.