JOURNAL OF INFORMATION AND COMMUNICATION TECHNOLOGIES, VOLUME 3, ISSUE 3, MARCH 2013
Providing Anonymity for RFID Systems
Wissam Razouk, Ferucio Laurentiu Tiplea, Abderrahim Sekkaki and Cosmin Varlan
Abstract—Radio Frequency Identification (RFID) is considered as the next generation technology, and is certainly playing an important role for several applications. Therefore, security is a pressing need for various cases. However, low-cost RFID tags are very constrained devices and cannot apply the existing cryptographic algorithms due to computation and memory size restrictions. Consequently, RFID systems are vulnerable to numerous security attacks, which imply many privacy issues. In this paper, we propose a security protocol that fits low-cost RFID tag requirements, and provides data protection and location privacy for the consumer. Moreover, different from previous works, our protocol enables searching on encrypted data without leaking any information, and also provides protection based on the assumption that the server is not necessarily considered as a trusted third party. We present the formal proof of correctness of our scheme based on GNY Logic.
Index Terms—RFID Security, Anonymity, Formal Verification, GNY Logic, Security Protocols.
RFID systems have become widely used in access control and security applications, and more significantly in industries that require tracking or identification of products like the supply chain management or the manufacturing process. The potential benefits of RFID applications are multiple; first, unlike barcodes, RFID tags do not require a line of sight to be read; they can be read from distance and from any orientation. Therefore, a huge number of tags can be scanned remotely at once and very quickly. Second, bar codes are in most cases scanned only once at the checkout during the lifetime of the item. On the other hand, RFID systems have read and write capabilities, which allow for data to be changed dynamically at any time. Thus, RFID systems can be deployed in a way in which numerous supply chain management applications can be simultaneously implemented, benefiting all entities involved in the commercial transaction process (the manufacturers, the retailers and the users).

An RFID system typically consists of three main components; the readers (or transceivers), the tags (or transponders) and a back end database. The reader starts the communication by querying the tag and transferring energy by emitting electronic waves. The tag charges up and uses RF energy to send the stored data.
RFID Security and Privacy Requirement
Many studies have developed a classification of RFID attacks and presented several analyses of potential security threats in RFID systems. We describe below some security goals; nevertheless, we refer the reader to the studies for a comprehensive and detailed description of possible attacks.

We summarize the RFID security requirement as follows:

Resistance to tag impersonation attacks: The protocol should not allow the authentication of fake tags as long as the tags are not compromised.

Resistance to DoS attacks: Power interruption or fault induction should not compromise future communication or make hijacking possible.

Resistance to replay attacks: Impersonation using previous messages should not be possible.

Backward and forward traceability: Should be provided even if the tag is compromised. An attacker should not be able to identify past or future interactions.

To avoid privacy threats the protocol should also satisfy the following requirements:

Resistance to traceability: The tag's messages should be anonymous and randomized. Hence, an adversary should not be able to link messages to each other or to the tag.

Resistance to information leakage: Only a genuine reader should be able to access the information associated with a tag.
RFID Performance Requirements
In order to fit the low-cost RFID tags requirements, a security protocol has to fulfill the following conditions:

Cost effective RFID tags are very constrained devices and cannot afford very intensive computations due to their low power and small memory size. Thus the computational effort required at the tag side is considered as an important criterion.

The protocol should not exceed the capacity of the tag, as low-cost RFID tags have very limited storage area.

For performance optimization reasons, the number and size of the messages exchanged between readers and tags should be minimized.

The readers usually have to perform an exhaustive search over a list of entries in order to identify or authenticate a tag. This has to be done in a reasonable time to provide scalability.

The rest of this paper is organized as follows: First, we summarize the relevant related work in Section 2, then we present our security protocol in Section 3. In Section 4, we formally verify the proposed scheme. Next, we discuss the security and performance evaluation in Section 5.
Wissam Razouk and Abderrahim Sekkaki are with the Department of Mathematics and Computer Science, Hassan II University, Casablanca, Morocco.
Ferucio Laurentiu Tiplea and Cosmin Varlan are with the Faculty of Computer Science, “Alexandru Ioan Cuza” University of Iasi, Iasi, Romania.