A Study on Establishment of Secure RFID Network Using DNS Security Extension
YoungHwan Ham*, NaeSoo Kim*, CheolSig Pyo*, JinWook Chung**
* Telematics·USN Research Division, Electronics and Telecommunications Research Institute, 161 Gajeong-Dong, Yuseong-Gu, Daejeon, Korea. Tel: +82-42-860-5432. E-mail: firstname.lastname@example.org
** School of Electrical and Computer Engineering, Sungkyunkwan University, ChunChun-Dong, JangAn-Gu, Suwon, Kyongki-Do, Korea. Tel: +82-31-290-7106. E-mail: email@example.com
Abstract - An RFID network mainly consists of three components: the ODS (Object Directory Service), the OTS (Object Traceability Service) and the OIS (Object Information Service). RFID information is very important, so the security between RFID network components is critical. DNS technology has already defined security standards such as the DNS security extensions and DNS dynamic update, so RFID network security can be achieved using the current DNS security model. For the dynamic update of the OIS URI mapping for an RFID code, DNS dynamic update technology can be used. The authentication, authorization and confidentiality needed between RFID network components can be accomplished by a PKI certificate system, and the DNS server can be used as the PKI certificate repository for storing and retrieving each other's certificates. So we propose the secure integration of RFID network components by using the DNS security extensions.
I. INTRODUCTION
RFID stands for radio frequency identification. It is a technology that has existed for decades. At a simple level, it involves tags that emit radio signals and devices called readers that pick up the signal. The RFID Network is a set of technologies that enable immediate, automatic identification and sharing of information on items in the supply chain. In that way, the RFID Network will make organizations more effective by enabling true visibility of information about items in the supply chain. The network is comprised of five fundamental elements: the Object Directory Service (ODS), the ID System (EPC tags and readers), the Object Information Service (OIS), the Object Traceability Service (OTS), and the RFID Middleware. RFID information is very important, so the security between RFID network components is critical. The ODS uses DNS technology for OIS URI information. DNS technology has already defined security standards such as the DNS security extensions and DNS dynamic update, so RFID network security can be implemented using the current DNS security model. For the dynamic update of the OIS URI mapping for an RFID code, DNS dynamic update technology can be used. DNS with security extensions (RFC 2535) can provide integrity and data authentication of the information stored in the ODS server, and integrity and data authentication of ODS queries and responses. Authentication and confidentiality between the RFID Middleware and the OIS server are necessary for the secure exchange of RFID object information, and the same security is needed between the OIS server and the OTS server. The efficient solution to the above problem is a Public Key Infrastructure (PKI) based on asymmetric key algorithms. In a PKI, a user's public key certificate is generated by a certification authority and stored in a directory system. The Middleware, OIS server and OTS server need to authenticate each other by public key, so they need a public key repository system. RFC 2538, "Storing Certificates in the Domain Name System", defines the CERT RR for storing X.509 public key certificates. By using this standard, all servers' public key certificates can be stored in the DNS server, and a stored certificate can be retrieved by each server when it needs to verify another server's message signature.

0-7803-9132-2/05/$20.00 ©2005 IEEE.

II. THE SECURE DNS
The secure DNS provides the following three security services.
Key distribution: entities such as zones, hosts, and users have a pair of a private key and a public key. The public keys are stored in the DNS server and distributed on demand.
Integrity and data authentication of the information stored in the DNS server: all the resource records stored in the DNS server are signed by the DNS server, and its signature is stored as a separate resource record.
Integrity and data authentication of DNS queries and responses: the DNS header and content of a DNS query or response is signed by the private key of the DNS client or DNS server, respectively.
A. Key Distribution
All the entities such as zones, hosts, and users have a pair of a private key and a public key, and the public key is stored as a KEY resource record in the DNS server. For example, the public key of the host foo.example is stored as follows:

foo.example. IN KEY RDATA

The RDATA contains the public key of foo.example with the format in Figure 1.

Figure 1. KEY RDATA format
  bits 0-15: Flags | bits 16-23: Protocol | bits 24-31: Algorithm | followed by the Public Key

The flag indicates whether the key belongs to a user, a host, or a zone and specifies for what purposes this key can be used. The protocol indicates what protocol, including DNS, can use this key. The algorithm specifies the asymmetric key algorithm of the public key.

The DNS server also stores certificates for entities and CRLs. They are stored as resource records of the CERT type as follows:

foo.example. IN CERT RDATA

The RDATA contains the following information. Type: specifies whether the certificate is of X.509, SPKI, or PGP type. Key tag: specifies which public key in the KEY resource records the public key in this certificate corresponds to. Certificate or CRL: the certificate or CRL itself.

B. Integrity and Data Authentication of Resource Records
The integrity and data authentication of resource records in a DNS server are provided basically by SIG resource records. A SIG resource record contains a signature for some other resource record. The signature is made with the private key of the zone to which the signed resource record belongs. A SIG resource record is stored with the following format:

foo.example. IN SIG RDATA

The RDATA contains the following information. Type: specifies whether the type of the signed resource record is an NS, A, MX, or CNAME type. Algorithm: indicates what hash algorithm and asymmetric key algorithm are used for the signature. Signature expiration: tells when the signature expires. Time signed: specifies when the signature was made. Key tag and Signer's name: identify the public key, and the zone or host owning it, with which the signature is verified. When a name server returns a KEY, A, MX, or CNAME resource record as an answer, it also sends the corresponding SIG resource record, and the resolver receiving the answer checks the integrity of the answer by verifying the signature in the SIG resource record.

C. Integrity and Data Authentication of Request/Response
Exchanges of DNS messages which include TSIG [RFC2845] or SIG(0) [RFC2535, RFC2931] records allow two DNS entities to authenticate DNS requests and responses sent between them. A TSIG MAC (message authentication code) is derived from a shared secret, and a SIG(0) is generated from a private key whose public counterpart is stored in DNS. In both cases, a record containing the message signature/MAC is included as the final resource record in a DNS message. Keyed hashes, as used in TSIG, are inexpensive to calculate and verify. Public key cryptography, as used in SIG(0), is more scalable, as the public keys are stored in DNS. Because the proposed system uses certificates and needs more scalability, the system adopts the SIG(0) method to authenticate the messages. A DNS request may optionally be signed by including one SIG(0) at the end of the query's additional information section, but a DNS update request must be signed by including one SIG(0). Such a SIG is identified by having a "type covered" field of zero. It is the request SIG. The transaction SIG (response SIG) is made by signing the preceding DNS request message, including the DNS header but not including the UDP/IP header.

III. RFID NETWORK SECURITY
A. The Secure Update of ODS
The NAPTR (Naming Authority Pointer) zone data is signed by the zone key, and that signature is stored as a SIG RR for the purpose of zone data authentication. Besides the above zone key, the ODS server has its own host key, and the RFID Middleware (or Application) has its own host key, which is the update key for the pre-configured zone. These keys all belong to asymmetric key cryptographic systems, and their public keys should be shared between the ODS server and the Middleware to support the secure dynamic update of zone data. The Middleware sends the update request message, with a request SIG signed by the Middleware host key, to the ODS server, and then the ODS server authenticates the request message. The ODS server sends the response message, with a transaction SIG (response SIG) signed by its host key, to the Middleware, and then the Middleware authenticates the response message. The ODS server can verify the Middleware host key (zone update key), and the Middleware can verify the ODS server's host key. After the update of the data, the ODS server signs the zone data with the zone key for the integrity of that updated zone.
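As an added illustration of the KEY and SIG record layouts described in Section II, and of the request and transaction SIGs the ODS update above depends on, the following Python packs and parses the KEY RDATA of Figure 1 and the SIG RDATA fields, computes the key tag a SIG carries to pick out its KEY, and recognizes a trailing SIG(0) by its zero "type covered" field. This is example code written for this page, not code from the paper or from any DNS implementation. The flag, protocol and algorithm code values are taken from RFC 2535 and RFC 3110 rather than from the page, and the owner names and key bytes are constructed sample values.

```python
import struct
from dataclasses import dataclass

# KEY RDATA layout from Figure 1 (RFC 2535 section 3.1):
#   16-bit flags | 8-bit protocol | 8-bit algorithm | public key
# The code tables are the RFC 2535 / RFC 3110 values; the page names the fields only.
NAME_TYPES = {0: "user", 1: "zone", 2: "host"}                 # flag bits 6-7 (bit 0 = MSB)
PROTOCOLS = {1: "TLS", 2: "email", 3: "DNSSEC", 4: "IPSEC", 255: "all"}
ALGORITHMS = {1: "RSA/MD5", 2: "Diffie-Hellman", 3: "DSA", 5: "RSA/SHA-1"}
TYPE_SIG, TYPE_KEY, TYPE_CERT = 24, 25, 37                     # RR type codes


@dataclass
class KeyRdata:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def pack(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    @classmethod
    def unpack(cls, rdata: bytes) -> "KeyRdata":
        return cls(*struct.unpack("!HBB", rdata[:4]), rdata[4:])

    def describe(self) -> dict:
        """Decode the fields the text describes: owner kind, permitted use, protocol, algorithm."""
        return {"owner": NAME_TYPES.get((self.flags >> 8) & 0b11, "reserved"),
                "auth_allowed": not self.flags & 0x8000,       # flag bit 0 set = no authentication
                "conf_allowed": not self.flags & 0x4000,       # flag bit 1 set = no confidentiality
                "protocol": PROTOCOLS.get(self.protocol, str(self.protocol)),
                "algorithm": ALGORITHMS.get(self.algorithm, str(self.algorithm))}


def key_tag(rdata: bytes, algorithm: int) -> int:
    """RFC 2535 Appendix C key tag: lets a verifier pick the KEY RR a SIG was made with."""
    if algorithm == 1:                                  # RSA/MD5 uses two bytes of the modulus tail
        return int.from_bytes(rdata[-3:-1], "big")
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def encode_name(name: str) -> bytes:
    """Wire-format domain name: length-prefixed labels ending in a zero octet."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".") if l) + b"\x00"


def decode_name(buf: bytes, off: int):
    labels = []
    while buf[off]:
        labels.append(buf[off + 1:off + 1 + buf[off]].decode())
        off += 1 + buf[off]
    return ".".join(labels) + ".", off + 1


@dataclass
class SigRdata:
    type_covered: int      # 0 marks a SIG(0) over the whole message rather than over an RRset
    algorithm: int
    labels: int
    original_ttl: int
    expiration: int        # "signature expiration" in the text
    inception: int         # "time signed" in the text
    key_tag: int
    signer: str            # "signer's name": the zone or host whose KEY verifies this SIG
    signature: bytes

    def pack(self) -> bytes:
        head = struct.pack("!HBBIIIH", self.type_covered, self.algorithm, self.labels,
                           self.original_ttl, self.expiration, self.inception, self.key_tag)
        return head + encode_name(self.signer) + self.signature

    @classmethod
    def unpack(cls, rdata: bytes) -> "SigRdata":
        fields = struct.unpack("!HBBIIIH", rdata[:18])
        signer, off = decode_name(rdata, 18)
        return cls(*fields, signer, rdata[off:])

    def is_sig0(self) -> bool:
        return self.type_covered == 0


def trailing_sig0(additional):
    """A request or transaction SIG must be the final record of the additional section and
    have type covered 0; returns it, or None when the message carries no such signature."""
    if not additional:
        return None
    owner, rrtype, rdata = additional[-1]       # records are (owner, type, rdata) tuples
    if rrtype != TYPE_SIG:
        return None
    sig = SigRdata.unpack(rdata)
    return sig if sig.is_sig0() else None
```

A verifier that receives an UPDATE request would call trailing_sig0 on the additional section, look up the KEY RR named by the signer field (matching on key_tag when the owner has several keys), and only then check the signature bytes; a SIG placed anywhere else, or one whose type covered is non-zero, is a record signature and not a message signature.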
The ODS update messages use the extended DNS message format shown in Figure 2. The Header Section specifies that this message is an UPDATE (Opcode: 5) and describes the size of the other sections. The Zone Section names the zone that is to be updated by the message. The Prerequisite Section specifies the starting invariants (in terms of zone content) required for this update. The Update Section contains the edits to be made, and the Additional Data Section contains the "request SIG" or "transaction SIG", which is created by the SIG(0) mechanism explained in the previous section (2.3).

Figure 2. The format of ODS Update Message
  Header          : QR bit "0" (request) or "1" (response); Opcode "5"
  Zone            : zone to update
  Prerequisite    : existing RR or RRsets
  Update          : RR or RRsets to update
  Additional Data : Request SIG or Transaction SIG

B. Secure Integration of RFID Network Components
The Electronic Product Code (EPC) is emerging as one technology utilizing Radio Frequency Identification (RFID) to enable efficiency and accuracy of business operations throughout the extended supply chain. Through sharing data about supply and demand, enterprises can sense changes in the supply chain as they occur in near real time. Using a current standard IP network is the most efficient way to share this information; however, its use introduces critical concerns over data security and integrity. Therefore, an intelligent security framework is recommended to ensure that information is distributed securely, including a well-defined trust model and the ability to make users responsible for their actions. There are three major challenges that any security framework must address: authentication, access control, and data protection. Because different companies in a supply chain are likely to have different user management and authentication requirements, each company still needs to be able to identify, authenticate, and authorize all other companies' users. It is important that access control systems be able to support multiple authentication mechanisms by consuming and understanding the credentials they generate. Standards like the Security Assertion Markup Language (SAML) facilitate this type of interoperability. Existing Web security protocols support PKI-based authentication, and among them PKI technology has several advantages. This paper proposes to employ PKI technology to solve the above problem. PKI technology can assign and manage verifiable identities for mutual authentication between RFID network components: the OIS server can authenticate the RFID Middleware and vice versa, and the OTS server can authenticate the OIS server and vice versa. The communication between two components can be achieved by a secure transport protocol layer such as TLS; the TCP or HTTP protocol can also use PKI-based TLS for the secure channel between end points. If the RFID Middleware must interact with a remote OIS server whose certificate is not in the local DNS server, the Middleware can retrieve the remote DNS server's certificate by DNS query and then verify that certificate by the certificate chain composed by the DNS server hierarchy.

Figure 3. The Structure of Secure RFID Network (Tag and Reader, RFID Middleware, OIS, OTS, ONS and the Certificate Repository (DNS), exchanging PKI certificates over the Internet through a TLS secure channel)

IV. USING DNS SERVER AS A CERTIFICATE REPOSITORY FOR INTEGRATED SYSTEM
To retrieve certificates from a DNS server, an RFID network component makes a query message using the resolver library routine. The operation_code parameter is set to QUERY. Figure 4 shows a hierarchy of DNS servers named S, T, U, V, X, Y, and Z.

Figure 4. An example hierarchy of DNS servers and certification authorities (servers S, T, U, V, X, Y, Z; certification authorities CA_U, CA_X, CA_Y, CA_Z; users A and B in zone U, user C in zone Z)
Among them, the DNS servers U, X, Y, and Z have their associated certification authorities CA_U, CA_X, CA_Y, and CA_Z, respectively. Two users, A and B, are registered in the zone U, and one user C is registered in the zone Z. We assume that the user A has the certificates of its own certification authority CA_U and of the root certification authority CA_X. In the proposed system, the user A can be one local RFID network component (Middleware, OIS, OTS, ONS) and the user C can be another, remote RFID network component to be authenticated. If A wants B's certificate, the query is sent to the DNS server U, and U returns B's certificate signed with CA_U's private key. Because A has the public key of CA_U, it can check the validity of the reply. If A requests the certificate of the user C, who is not in the same zone, the request can be processed in an iterative method or a recursive method.

In the case of the iterative method, the query is followed as in Figure 5 and each message carries information as follows:
(1) U asks the root server X for C's certificate.
(2) The root returns the address of Y.
(3) U requests C's certificate from Y.
(4) Y returns the address of Z.
(5) U requests C's certificate from Z.
(6) Z returns C's certificate.

Figure 5. Processing a DNS query in the iterative method

If A wants to check the validity of C's certificate, it needs the certificate path as follows: CA_X<<CA_Y>>, CA_Y<<CA_Z>>, CA_Z<<CA_C>>, where Y<<X>> denotes the certificate of the user X issued by the certification authority Y. The user A can get this complete certificate path by making each DNS server return the certificate of its associated certification authority whenever it returns the address of another DNS server or a user's certificate. Because A has the root certification authority's certificate, the root DNS server need not return the certificate of the root certification authority. So in our example the user A will find the certificates of CA_X, CA_Y, and CA_Z in the additional section of the DNS reply, in addition to the certificate of the user C in the answer section of the same DNS reply.

In the case of the recursive method, the query is processed as in Figure 6 and each message contains information as follows:
(1) U requests C's certificate from the root DNS server X.
(2) X asks Y for C's certificate.
(3) Y asks Z for C's certificate.
(4) Z returns C's certificate to Y.
(5) Y relays C's certificate to X.
(6) X relays C's certificate to U.

Figure 6. Processing a DNS query in the recursive method

The user A requires the same certificate path as in the iterative method. It can be made possible by making each DNS server append its associated certification authority's certificate when it returns a user certificate or relays an answer. So X, Y, and Z will return the certificates of CA_X, CA_Y, and CA_Z: C's certificate is stored in the answer section, and the certificates of all the certification authorities are stored in the additional section of the DNS reply message. All these certificates will be gathered at the user A, and the validity of C's certificate can be verified.
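The certificate-path retrieval of this section, both the iterative method of Figure 5 and the recursive method of Figure 6, as one added, self-contained Python example written for this page (not the paper's own code, nor any real DNS or PKI implementation). Each simulated server answers with a user CERT or a referral and always places its own CA's certificate in the additional section; the querier then orders the gathered certificates into the path CA_X<<CA_Y>>, CA_Y<<CA_Z>>, CA_Z<<C>> and verifies it downward from the root CA it already trusts. A tiny unpadded textbook RSA built from the standard library stands in for the signature algorithm; the server names X, Y, Z, the zone names, the user name c.z.y. and all keys are constructed. The example also goes one step beyond the text by showing that a certificate whose key was altered after issuance fails the same validation.

```python
import hashlib, math
from dataclasses import dataclass, field

# Toy unpadded textbook RSA from the standard library; it stands in for the RSA or DSA
# algorithm a real CERT record would name. Demonstration only, never for real use.
def _prime(n):
    while any(n % f == 0 for f in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n

def keygen(seed):
    """Deterministic toy key pair per entity: (public=(e, n), private=(d, n))."""
    p = _prime(900_000 + 7919 * seed)
    q = _prime(p + 1000)
    n, phi, e = p * q, (p - 1) * (q - 1), 65537
    while math.gcd(e, phi) != 1:
        e += 2
    return (e, n), (pow(e, -1, phi), n)

def _h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(data, priv):
    return pow(_h(data, priv[1]), *priv)
def verify(data, sig, pub):
    return pow(sig, *pub) == _h(data, pub[1])

@dataclass
class Cert:
    subject: str
    issuer: str          # Y<<X>> in the text: subject X's certificate issued by CA Y
    pub: tuple
    sig: int = 0
    def tbs(self):                                  # bytes the issuing CA signs
        return f"{self.subject}|{self.issuer}|{self.pub}".encode()

def issue(subject, pub, issuer, issuer_priv):
    cert = Cert(subject, issuer, pub)
    cert.sig = sign(cert.tbs(), issuer_priv)
    return cert

@dataclass
class DnsServer:
    name: str
    zone: str
    ca_cert: Cert                                   # certificate of its associated CA
    users: dict = field(default_factory=dict)       # CERT RRs of the users in this zone
    children: list = field(default_factory=list)
    def query(self, subject):   # answer: user CERT or referral; additional: always the CA cert
        if subject in self.users:
            return self.users[subject], None, [self.ca_cert]
        return None, next(c for c in self.children if subject.endswith(c.zone)), [self.ca_cert]

def resolve_iteratively(root, subject):
    """Figure 5: the querier follows each referral itself and keeps every additional CERT."""
    server, gathered, visited = root, [], []
    while True:
        visited.append(server.name)
        answer, referral, additional = server.query(subject)
        gathered += additional
        if answer is not None:
            return answer, gathered, visited
        server = referral

def resolve_recursively(server, subject):
    """Figure 6: each server asks the next one and appends its own CA CERT to the relayed reply."""
    answer, referral, additional = server.query(subject)
    if answer is None:
        answer, relayed = resolve_recursively(referral, subject)
        additional = additional + relayed
    return answer, additional

def validate_path(target, ca_certs, anchor):
    """Build CA_X<<CA_Y>>, CA_Y<<CA_Z>>, CA_Z<<C>> from the gathered CERTs and verify it root-down."""
    by_subject = {c.subject: c for c in ca_certs}
    path, cur = [target], target
    while cur.issuer != anchor.subject:
        cur = by_subject.get(cur.issuer)
        if cur is None or len(path) > len(ca_certs):
            return False                            # no link to the trusted root
        path.append(cur)
    pub = anchor.pub                                # A already holds the root CA's certificate
    for cert in reversed(path):
        if not verify(cert.tbs(), cert.sig, pub):
            return False
        pub = cert.pub
    return True

def build_hierarchy(tamper=False):
    """Servers X (root, CA_X) -> Y (CA_Y) -> Z (CA_Z, holding user C); returns (root, trusted CA_X cert)."""
    ca = {n: keygen(i + 10) for i, n in enumerate(["CA_X", "CA_Y", "CA_Z"])}
    ca_x = issue("CA_X", ca["CA_X"][0], "CA_X", ca["CA_X"][1])
    ca_y = issue("CA_Y", ca["CA_Y"][0], "CA_X", ca["CA_X"][1])
    ca_z = issue("CA_Z", ca["CA_Z"][0], "CA_Y", ca["CA_Y"][1])
    cert_c = issue("c.z.y.", keygen(20)[0], "CA_Z", ca["CA_Z"][1])
    if tamper:
        cert_c.pub = keygen(21)[0]                  # key swapped after issuance: must fail
    z = DnsServer("Z", "z.y.", ca_z, users={"c.z.y.": cert_c})
    y = DnsServer("Y", "y.", ca_y, children=[z])
    return DnsServer("X", ".", ca_x, children=[y]), ca_x

def run_cert_retrieval(method="iterative", tamper=False):
    """User A (zone U, trusting root CA_X) obtains and validates C's certificate from zone Z."""
    root, ca_x = build_hierarchy(tamper)
    if method == "iterative":
        answer, gathered, _ = resolve_iteratively(root, "c.z.y.")
    else:
        answer, gathered = resolve_recursively(root, "c.z.y.")
    return validate_path(answer, gathered, ca_x)
```

Either method leaves A with the same material: C's certificate from the answer section and CA_X, CA_Y, CA_Z from the additional section. validate_path chains on issuer names only to find the order and then relies on the signatures, so a certificate inserted by a server outside the path, or one altered in transit, is rejected even though it carries a familiar issuer name.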
V. CONCLUSION
The RFID Network is a set of technologies that enable immediate, automatic identification and sharing of information on items in the supply chain. RFID information is very important, so the security between RFID network components is critical. The ODS uses DNS technology for OIS URI information. RFID network security can be implemented using the current DNS security model. For the dynamic update of the OIS URI mapping for an RFID code, DNS dynamic update technology can be used. D
NS with security extensions can provide integrity and data authentication of the information stored in the ODS server, and integrity and data authentication of ODS queries and responses. Authentication and confidentiality between the RFID Middleware and the OIS server are necessary for the secure exchange of RFID object information, and the same security is needed between the OIS server and the OTS server. The efficient solution to the above problem is a Public Key Infrastructure (PKI) based on asymmetric key algorithms. The Middleware, OIS server and OTS server need to authenticate each other by public key, so they need a public key repository system. By using the DNS security extensions, all servers' public key certificates can be stored in the DNS server, and a stored certificate can be retrieved by each server when it needs to verify another server's message signature. All RFID servers can retrieve the necessary certificate in any other domain because the DNS system already provides naming services world-wide. As we have proposed above, the secure integration of RFID network components can be established efficiently by using the DNS security extensions.

References
P. Mockapetris, "Domain Names – Concepts and Facilities", RFC 1034, November 1987.
P. Mockapetris, "Domain Names – Implementation and Specification", RFC 1035, November 1987.
R. Droms, "Dynamic Host Configuration Protocol", RFC 2131, March 1997.
P. Vixie, S. Thomson, Y. Rekhter, "Dynamic Updates in the Domain Name System (DNS UPDATE)", RFC 2136, April 1997.
R. Housley, W. Ford, W. Polk, D. Solo, "Internet X.509 Public Key Infrastructure Certificate and CRL Profile", RFC 2459, January 1999.
D. Eastlake 3rd, "Domain Name System Security Extensions", RFC 2535, March 1999.
D. Eastlake 3rd, "RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)", RFC 2537, March 1999.
D. Eastlake 3rd, O. Gudmundsson, "Storing Certificates in the Domain Name System (DNS)", RFC 2538, March 1999.
D. Eastlake 3rd, "Storage of Diffie-Hellman Keys in the Domain Name System (DNS)", RFC 2539, March 1999.
D. Eastlake 3rd, "DNS Operational Security Considerations", RFC 2541, March 1999.
P. Vixie, O. Gudmundsson, D. Eastlake 3rd, B. Wellington, "Secret Key Transaction Authentication for DNS (TSIG)", RFC 2845, May 2000.
D. Eastlake 3rd, "Secret Key Establishment for DNS (TKEY RR)", RFC 2930, September 2000.
D. Eastlake 3rd, "DNS Request and Transaction Signatures (SIG(0)s)", RFC 2931, September 2000.
B. Wellington, "Secure Domain Name System (DNS) Dynamic Update", RFC 3007, November 2000.
E. Lewis, "DNS Security Extension Clarification on Zone Status", RFC 3090, March 2001.
E. Lewis, "Notes from the State-Of-The-Technology: DNSSEC", RFC 3130, June 2001.