Radio Frequency Identification (RFID) is a challenging wireless technology with a great potential for supporting supply and inventory management. In this chapter the authors consider a particular application in which a group of tagged items are scanned to generate a record of simultaneous presence called a grouping-proof. Grouping-proofs can be used, for instance, to guarantee that drugs are shipped (or dispensed) accompanied by their corresponding information leaflets, to couple the user’s electronic passport with his/her bags, to recognize the presence of groups of individuals and/or equipment and more generally to support the security of supply and inventory systems. Although it is straightforward to design solutions when the verifier is online since it is sufficient for individual tags to authenticate themselves to the verifier, interesting security engineering challenges arise when the trusted server (or verifier) is not online during the scan activity. So, the field of grouping-proofs is very active, and many works have been published so far. This chapter details the setting for RFID grouping-proofs and discuss the threat model for such applications. The authors analyze some of the grouping-proofs proposed in the literature describing their advantages and disadvantages. Then, general guidelines for designing secure grouping-proofs are proposed. Finally, some examples of grouping-proofs that are provably secure in a strong security framework are presented.
Top1. Introduction
The low cost and high convenience value of RFID tags gives them the potential for massive deployment. Accordingly, they have found increased adoption in manufacturing, inventory control, healthcare domain and counterfeit prevention.
An RFID deployment involves tags, readers, and a Verifier (backend Server). Tags are wireless transponders that typically have no power of their own and respond only when they are in an electromagnetic field, while RFID readers are transceivers that generate such fields. On-board clocks are not considered realistic for low-cost tags, but crude timers can be based on discharging capacitor (Juels, 2004). Readers implement a radio interface to tags and a high-level interface to the Verifier. The Verifier is a trusted entity that processes private tag data. The channel that links readers to the Verifier is assumed to be secure because hardware constraints are not so tight here and, common security protocols can be used.
In 2004, Ari Juels introduced the security context of a new RFID application, which he called a yoking-proof (Juels, 2004), that involves generating evidence of simultaneous presence of two tags in the broadcast range of an RFID reader. There are several practical scenarios where such proofs can substantially expand the capabilities of RFID-based systems. For example:
- •
In manufacturing: to automatically check that all the components of a kit, or components that are part of a consignment, are accounted for. For example, a component is only shipped if a safety cap is attached.
- •
Pharmaceutical distribution: to automatically check that drugs are accompanied with information leaflets when they are shipped (or dispensed).
- •
At airports: for security, to automatically check that passengers are accompanied by their baggage.
- •
In a battlefield context: for security, weaponry or equipment may have to be linked to specific personnel (who are the only ones that can use or operate it).
Although it is straightforward to design solutions for the case when the Verifier is online, since it is sufficient for individual tags to authenticate themselves to the Verifier, the case when the Verifier is not online is challenging both from a security and an engineering point of view. In particular, offline solutions require that tag interrogations (reader scanning’s) are restricted to broadcasting challenges that are valid only for a short time period, and that collecting tag responses to generate a grouping-proof should be completed during this period. Therefore, research on grouping-proofs has focused on the offline case.
In the yoking-proof, an RFID reader first activates all the tags in its range and then interrogates those responding tags that are paired (yoked). The interrogation involves (i) establishing a communication channel with each one of the tags that are paired, (ii) collecting and relaying tag responses, and finally (iii) generating a proof of “simultaneous presence” of paired tags in the broadcast range of the reader. This proof can (later) be verified by the Verifier.
Saito and Sakurai observed (Saito and Sakurai, 2005) that Juels’s yoking-proof is subject to an interleaving attack in which the adversary combines flows from different sessions, and proposed the use of time stamps. They also extended this proof to groups withtags, which they called grouping-proofs. Piramuthu replaced the time stamps by random numbers to prevent attacks that collect prior responses and combine these to forge a grouping-proof (Piramuthu, 2006). Peris-Lopez et al. combined the strengths of yoking-proofs with the grouping-proofs to address some of their weaknesses (Peris-Lopez et al., 2007). Burmester et al. extended the grouping-proofs to address anonymity and unlinkability in a strong modular security framework. Several EPCGen2 compliant grouping-proofs have been recently published to enhance impatient medication safety.