Security Terminology

1.1 Background

RFID (Radio-Frequency IDentification) systems are made up of readers and tags. The readers read the tags with non-contact communication. In order to complete this function, each tag comprises at least two parts. One is a microchip for storing and processing data, which is similar to that in a smart card or USB key, while the other is an antenna for receiving and transmitting radio waves. Because of its convenience and low cost, RFID technology has been widely used in industry to improve the efficiency of tracking and managing goods and production. For example, we are using RFID at the cashier of pharmacies to read the prices of different drugs. RFID has also been used for more complex applications, such as passport verification, employee cards and payment for bus tickets.

As with other new technology (such as computer networks), in the beginning, RFID systems designers were mainly focused on creating an available system without adequate consideration of security and privacy. Without access control, RFID tags could leak information and erode us of privacy. For example, an attacker could read the identifier in tags easily and track which items that an individual is using. If a RFID tags stores the Electronic Product Code (EPC) of an item, we could identify the item by checking it on Object Name Service (ONS), which is provided by EPCglobal (Fabian et al. 2005).

Cryptography is the study of hiding information and protecting communications. In order to keep privacy in a RFID system, many cryptographic protocols have been designed to protect the sensitive information in tags, such as basic hash protocol and hash chain protocol. Cryptographic protocols hide tag ID by using cryptographic algorithms with secret keys. We give a simple example to show which aspects of security we need to consider transmitting a message protected by cryptography. Imagine that Alice is to send Bob a message “I am going to meet you at 19:00 tomorrow night.” We list what services we will need to keep this information secure. That is to say, which aspects we should consider to implement a secure communication.

• •

  Confidentiality: This message must be secret to others.

• •

  Authentication: Alice knows for sure that she is communicating with Bob, and so does Bob.

• •

  Integrity: The receiver, Bob, can verify if this message has been modified, such as if “tomorrow” has been changed to “today.”

• •

  Non-repudiation: Alice cannot deny that she has sent the message if she did send it, and Bob cannot deny receiving of the message if he does receive it.

• •

  Availability: This message must be delivered in time, which means the communication channel have to always be in working order if needed.

The security requirements above can all be satisfied by cryptographic methods. If Alice wants to send the message secretly, she encrypts this message into a ciphertext using a cryptographic key. Then she sends the ciphertext of the message to Bob. Bob decrypts the cipher, firstly using a decryption algorithm with the right key, and reads the message. In general, encryption/decryption algorithms are either based on symmetric key cryptography or asymmetric key (public key) cryptography. In symmetric key cryptography, the encryption methods require that the sender and receiver share the same key. The encryption key and the decryption key are different in asymmetric cryptosystems. Whatever cryptographic algorithm Alice is using, she needs to share the right key or key pairs with Bob. We describe how to achieve key sharing in the next section. After that, some fundamental concepts of security requirements are explained. Lastly, we introduce the quantities that measure the security of an algorithm.