A framework for trusted anonymizer based RFID system

Mohd Faizal Mubarak (1), Jamalul-lail Ab Manan (2), Saadiah Yahya (1)

(1) Computer Science Faculty, Universiti Teknologi MARA Malaysia, 40450 Shah Alam, Selangor, Malaysia
(2) Information Security Cluster, MIMOS Bhd., 57000 Technology Park Malaysia, Kuala Lumpur, Malaysia

Abstract — RFID technology automates several types of object identification processes and improves many business transactions. Its ability to communicate through wireless networks gives it huge advantages over optical barcode and manual identification systems. Unfortunately, the ability of an RFID system to communicate wirelessly opens up the possibility of tags being tracked by an unauthorized reader or adversary, potentially violating user privacy. A truly strong anonymizer would be good for solving this issue because it can provide tag anonymity so that tags cannot be traced by an adversary. Past solutions on RFID with anonymizers have many issues regarding system integrity and availability. We propose a trust-based solution based on trusted computing to provide system integrity to the anonymizer. This paper provides a technical framework for a trusted anonymizer for use in RFID systems. Our main objective is to solve the major trust issue inherent in almost all previous anonymizer-based RFID protocols.

Keywords — RFID, Privacy, Security, Technical Framework, TPM, Anonymizer.

I. INTRODUCTION

Radio Frequency Identification (RFID) is a technology that aims at object identification through wireless radio frequency interaction between reader and tags. An RFID tag is a very interesting device because of its size, usage and capabilities. It can be embedded into almost any item, including humans [1] and animals [2]. Its capability to communicate with an RFID reader through a wireless communication channel gives it a very good advantage compared to optical barcode systems.
For example, a hypermarket with an RFID system could reduce waiting times at the cashier counter since RFID readers can scan tags at rates of hundreds per second. Products or items with RFID tags in a delivery system could be tracked as they move from one location to another. Lost animals could also easily be found by using RFID tags.

However, the unique ability of an RFID tag to communicate wirelessly with an RFID reader opens up the possibility of attacks and violation of user privacy. The major privacy issue in RFID systems is related to traceability and location tracking. Unprotected RFID tags can easily be tracked by an unauthorized reader or adversary, which can potentially violate user privacy.

Thus, an important objective of a privacy-preserving solution for RFID systems is to prevent unauthorized access to any user's confidential data (confidentiality) and to provide location privacy by preventing illegal access to users' identification (anonymity) as well as unauthorized tracing of tags by linking their communications (unlinkability) [3].

An anonymizer is a good solution to protect RFID tags from being tracked or traced by an illegal party. It is also suitable for low-cost RFID tags because it does not require many resources from the tags [4].

There are several previous anonymizer-based RFID solutions [4, 5] which are good for protecting user privacy and data confidentiality. Unfortunately, many anonymizer-based RFID systems and protocols suffer from trust or system integrity issues. Usually, all of these anonymizers were assumed to be trusted devices, which we prove is not always the case.

Our contribution: In this work we propose a new framework of trusted anonymizer using trusted computing [6, 7] in RFID systems.

Another contribution of our proposed solution is related to system availability. To the best of our knowledge, none of the previous privacy-preserving RFID systems could solve the system availability problem.
Moreover, our proposed solution is time independent, unlike other RFID anonymizer systems, which always need several anonymizers to anonymize the tags.

This paper reviews several previous anonymizer-based RFID systems and protocols. Next, we propose a framework of trusted anonymizer in RFID systems.

The rest of this paper is organized as follows: in the next section we briefly discuss the concept of trusted anonymizer, then we discuss previous related work on RFID systems and protocols, then we present and discuss our proposed framework, and finally we conclude the paper.

2011 IEEE 7th International Colloquium on Signal Processing and its Applications, 978-1-61284-413-8/11/$26.00 ©2011 IEEE

II. TRUSTED ANONYMIZER

A tag anonymizer is used to create tag anonymity and unlinkability. Several previous anonymizer-based RFID systems and protocols have almost similar issues, especially in providing an honest type of anonymizer. Here, an honest anonymizer can be associated with trust, i.e. whether the anonymizer platform is trusted or not. We note that an anonymizer without any integrity verification cannot be trusted because it could be hijacked by an adversary and infected by malicious code or malware attacks [8]. In the worst scenario, anything that happens to the anonymizer (say it is hijacked by an attacker) would not be known to other system components. Hence, it is imperative that the anonymizer's integrity is measured and verified by an authorized verifier. In a typical pervasive computing attack situation, an infected anonymizer could spread a virus to other system components and could also work together with an adversary to track and trace tags.

Another issue with previous versions of RFID anonymizers is related to system availability, because anything that goes wrong with these anonymizers could interrupt the anonymization process of RFID tags.
Such system interruption can cause a lot more trouble because tags which are not anonymized can directly be tracked by an adversary. Even though a number of previous researchers proposed multiple anonymizers to solve the issue, this can cause more unexpected problems such as system collisions, logistics and system management issues. Moreover, multiple anonymizers are definitely not cost-effective.

As stated before, system collision could occur between multiple anonymizers trying to anonymize the same tag, and an unanonymized tag would easily be tracked by an adversary. Another glaring issue is the problem related to logistics, whereby it would be practically more difficult to find the right location for every anonymizer. This is done to protect these anonymizers from competing with each other in anonymizing the tags.

Almost all previous anonymizer-based RFID solutions need their tags to be anonymized “regularly” by anonymizers. The term “regularly” actually depends on an un-optimized time, i.e. they are not really sure which is the best frequency to anonymize tags. Is it every second, minute or hour? Which is the best time to re-anonymize the tags? Frequent anonymization of the tag is good but unfortunately it needs lots of computing resources. If tag anonymization is less frequent, it could give an adversary the advantage to launch attacks.

Our proposed framework is based on trusted computing and is integrated into the anonymizer-based system to produce a trusted anonymizer in the RFID system. In the proposed framework, an anonymizer needs to provide its integrity value to a verifier that invokes a process to verify the system integrity. In this way, it can significantly improve the trust among the system elements by guaranteeing that the anonymizer is always trusted. Once infected by an unauthorized system, it would not have the same integrity measurement and hence it would be halted to prevent further damage to the system's trustworthiness.
Any attempt at illegal access to the system will be rejected by the trusted RFID system.

It must be emphasized that trust is very critical in the proposed framework because it protects the system from being infected by malicious code or impersonation attacks. Next, we discuss how the integrity measurement of platform components and the attestation process are done.

A. Measuring Platform Components

The integrity measurement value is used as evidence of trust of one platform which needs to be verified (attester) by another platform (verifier). This process is called attestation and, before it starts, the attester needs to have the integrity value.

This integrity value can be created by using a trusted boot process which operates like a chain. This process needs a TPM as tamper-proof hardware to store all the integrity measurements. Integrity measurements are stored in Platform Configuration Registers (PCR) [9, 10], which are volatile memory inside the TPM, with each register's length equal to that of a SHA-1 digest, i.e. 20 bytes [11].

Besides measuring the booting process, all applications inside the attester platform can also be measured by using the integrity measurement architecture (IMA) [12, 13], which was created by IBM Research Group. IMA has to be embedded inside the Linux kernel to perform binary runtime measurement, and it also extends these measurement values into the PCR. We can determine ourselves which applications need to be measured and extended into the PCR. It depends on how we configure our system.

For our proposed trusted RFID system, we can measure the trusted anonymizer and extend its value into the PCR. The trusted anonymizer's integrity value will be used as a report that can be verified by the verifier.

B. Attestation Process

The attestation process works like a challenge-response protocol between attester and verifier.
The trusted communication channel can be built between both parties if both platforms can trust each other. The process starts with the verifier sending a challenge message to the attester. Normally, the challenge information sent by the verifier is a nonce or a random number generated by a random number generator (RNG). Then, the attester proves that it is trustworthy by providing the integrity report in response to the challenge sent by the verifier.

Measurement values inside the PCR will then be used by the attester as the integrity report to be sent to the verifier. The verifier can verify the integrity report sent by the attester by using a verification module. Then, the verifier decides whether it can trust the attester platform or whether the transaction with the attester will be terminated.

III. RELATED WORK

There are many past related works that addressed security and privacy issues of RFID systems. In this paper we have presented some of these issues and we emphasize the need to address privacy issues. Usually, the victim of a privacy breach by adversary attacks would be the RFID tag because of the vulnerability of the wireless communication channel and the low capabilities of the wireless resource. In order to protect user privacy and data confidentiality, the RFID tag has to be untraceable to illegal parties.

Sadeghi et al. [3, 4] proposed an anonymizer-based RFID system that is secure against impersonation attacks and forgeries. However, this scheme assumes honest anonymizers to guarantee anonymity of tags, which is not necessarily true. Hence, if these anonymizers become vulnerable and are attacked, and the RFID tags become traceable, the whole system would be affected too. It was also noted that many anonymizers are needed to cater for demanding system availability, and this would automatically increase the overall cost of operation.

Juels et al.
[14] proposed a solution for privacy protection of RFID-enabled banknotes by allowing the European Central Bank to embed RFID tags inside Euro banknotes to protect against forgeries. The anonymizers in shops or banks re-encrypt the ciphertext stored on the corresponding tag every time the banknote is spent, creating unlinkability for that RFID tag. However, this scheme has the drawback that the serial number of each banknote needs to be optically scanned before the ciphertext can be re-encrypted, making it less practical for public use.

The anonymous authentication protocol by Armknecht et al. [5] is based on an efficient and cost-effective anonymizer approach. However, their solution has a problem of system availability and depends on anonymizers to always refresh the tag.

Above all, the previously mentioned schemes have one common drawback, which is related to providing trust between components of the RFID system.

IV. OUR PROPOSED FRAMEWORK

In this section we explore some recent proposals for the design of an RFID system with trusted anonymizer. In order to have a trusted anonymizer we need at least a verifier to verify the integrity reports, specifically for the anonymizer and generally for its platforms. We have determined and categorized several suitable verifiers for our proposed framework. Hence our proposed framework may consist of a combination of the following possible verifiers:

•   Back-end server
•   Trusted Third Party
•   Tag

We also assume in this framework that the anonymizer resides inside the RFID reader because it can be interfaced directly to tags. Hence we eliminate the usual issue of RFID tags being illegally traced by linking their communications. Below, we present some possible models which can be derived from this framework.

Figure 1 shows Model A, in which the trusted anonymizer in the RFID reader is verified by the back-end server as the verifier.
In this model, the process starts with the reporting module inside the RFID reader, which measures the integrity value of the anonymizer and extends that measurement into a PCR in the TPM [6]. The details of this process are as described in the previous section, i.e. measuring platform components.

Then, the integrity measurement needs to be sent to the verifier (in this example, the back-end server). The back-end server verifies the integrity report from the RFID reader (which hosts the anonymizer). The integrity verification (or attestation) needs to be protected from being intercepted by an adversary. Based on some considerations, we propose an encryption scheme that is a modification based on AES [15] to protect information in our communication channel, as proposed by Feldhofer et al. [16]. Another example of an RFID protocol with integrity verification and AES encryption was previously proposed by Mubarak et al. [17].

Fig. 1 A Model of the Back-end Server that is verifying the Anonymizer in RFID Reader

Figure 2 shows Model B, in which the trusted anonymizer in the RFID reader is verified by a trusted third party as the verifier. The design of Model B is purposely made different from Model A, because it involves three parties as compared to two in Model A. The new entity in this design is a trusted third party that verifies the integrity measurement of the trusted anonymizer.

This process starts in a similar way to the process in Model A. However, after that the RFID reader sends the integrity report of the anonymizer to be verified by the trusted third party. Then, the trusted third party compares the integrity report (value) with the integrity value in its storage. If this attestation process between the anonymizer in the RFID reader and the trusted third party is successful, the trusted third party provides a trusted token to the RFID reader.
Then, the RFID reader sends the trusted token to the back-end server, and the back-end server checks the trustworthiness of the trust token with the trusted third party. The trusted third party verifies the trust token by comparing it with those in its storage. If everything goes well, it returns a successful result to the back-end server and therefore the anonymizer will be trusted by the RFID system.

[Fig. 1 diagram labels: Back-end Server, RFID Reader, Encrypted Anonymizer integrity report, Reporting Module, Verification Module, TPM, Anonymizer, DB]

Fig. 2 A Model of Trusted third party that is verifying the Anonymizer in RFID Reader

Fig. 3 A Model of RFID Tag that is verifying the Anonymizer in RFID Reader

Figure 3 shows Model C, in which the trusted anonymizer in the RFID reader is verified by the RFID tag as the verifier. The integrity measurement process is similar to that of Model A and Model B. The only difference is that the tag acts as the verifier. Therefore, the RFID tag receives the integrity measurement of the trusted anonymizer from the RFID reader. Then, the RFID tag verifies the integrity measurement of the trusted anonymizer against the integrity value in its storage. If this attestation process between the RFID tag and the anonymizer in the RFID reader is successful, the RFID system will trust the anonymizer.

V. DISCUSSION

Our proposed framework is suitable for environments where RFID is used, for example in shops, hypermarkets and libraries, to track consumer products, goods and books. Books or consumer products can be attached with RFID tags, and readers are located in designated areas inside the premises and library. These readers can be connected to the back-end server at the management office.

Our proposed framework of RFID system with trusted anonymizer is more trusted and privacy enhanced compared to previous approaches (see the related work section).
This framework utilizes the TPM as tamper-proof hardware which protects all measurements inside the platform and provides the integrity report to the remote party. It prevents an attacker from spoofing, hijacking and interrupting the service of the trusted anonymizer in the RFID system, since all transaction messages are encrypted using AES encryption and the integrity of all entities must be verified before any connection can take place.

This proposed framework also provides the required data privacy and protects against traceability caused by uninterrupted service of anonymizers in the RFID system. It will protect the privacy of, say, a user who borrows books from the library or anybody who buys things from the hypermarkets.

This framework also solves the problems of blocker tags by Juels et al. [18], who previously proposed that tags should be blocked or killed after products are bought by consumers. We argue that the RFID solution proposed by Juels is less practical in several situations, for example books in a library, because we cannot simply kill the tag for a particular book just because it is being borrowed by someone. After the book is returned to the library, the librarian needs to install a new tag, which could potentially create a lot of hassle and incur more costs.

This framework also gives some flexibility with three design models (Model A, Model B and Model C) based on the different types of verifiers. These verifiers verify the integrity report of the trusted anonymizer including the RFID reader platforms. The system integrity verifications for the trusted anonymizer maintain the required “honesty” of the trusted anonymizer and keep it from being unavailable.

VI. CONCLUSION

In this paper we presented a framework for RFID systems with trusted anonymizers. We also provided three design models based on our proposed framework. These designs have something in common, i.e. they are based on the verifier for the trusted anonymizer.
In order to provide an honest anonymizer, we proposed the trusted computing approach to verify the integrity of the anonymizer. We hope that the technical framework for the trusted anonymizer will help solve the trust and system integrity issues in anonymizer-based RFID systems.

[Diagram labels from Figs. 2 and 3: Back-end Server, RFID Reader, RFID Tag, Trusted Third Party, Encrypted Anonymizer integrity report, Encrypted Trust Token, Verifying Trust Token, Reporting Module, Application Module, Verification Module, TPM, Anonymizer, DB, Storage]

REFERENCES

[1] M. Naser, M. A. Majaly, M. Rafie, R. Budiarto, “A Framework for RFID Systems' Security for Human Identification Based on Three-Tier Categorization Model”. In International Conference on Signal Acquisition and Processing – ICSAP 2009, April 2009, Kuala Lumpur, Malaysia.
[2] Atmel Corporation: Innovative IDIC solutions (2007),
[3] A. R. Sadeghi, I. Visconti, C. Wachsmann, “Location Privacy in RFID Applications,” In: C. Bettini, S. Jajodia, P. Samarati, X. S. Wang (eds.) Privacy in Location-Based Applications, volume 5599 of LNCS, Springer, Heidelberg, 2009, pp. 127-150.
[4] A. R. Sadeghi, I. Visconti, C. Wachsmann, “Anonymizer-Enabled Security and Privacy for RFID,” In: J. A. Garay, A. Miyaji, A. Otsuka (eds.) CANS 2009, volume 5888 of LNCS, Springer, Heidelberg, 2009, pp. 134-153.
[5] F. Armknecht, L. Chen, A. R. Sadeghi and C. Wachsmann, “Anonymous Authentication for RFID Systems”, In 6th Workshop of RFID Security - RFIDSec '10, Istanbul, Turkey, June 2010.
[6] Trusted Computing Group (2007, August 2nd). TCG Specification Architecture Overview, Specification Revision 1.4.
[7] A. Sadeghi, “Trusted Computing – Special Aspects and Challenges,” SOFSEM 2008, High Tatras, volume 4910 of LNCS, January 2008, Springer, Slovakia, pp. 98-117.
[8] M. R. Rieback, P. N. D. Simpson, B. Crispo and A. S. Tanenbaum, “RFID malware: Design principles and examples,” In Pervasive and Mobile Computing, In Special Issue on PerCom 2006, Vol. 2, No. 4 (November 2006), IEEE, 2006, pp. 405-426.
[9] D. Challener, K. Yoder, R. Catherman, D. Safford, L. V. Doorn, “A Practical Guide to Trusted Computing,” IBM Press, 2008.
[10] S. Kinney, “Trusted Platform Module Basics: Using TPM in Embedded System,” September 2006, NEWNES.
[11] A. Tomlinson, “Introduction to the TPM,” In Smart Cards, Tokens, Security and Application, Springer, 2008, pp. 155-172.
[12] T. Jaeger, R. Sailer, U. Shankar, “PRIMA: Policy-Reduced Integrity Measurement Architecture,” In Proceedings of the 11th ACM Symposium on Access Control Models and Technologies - SACMAT '06, 2006, ACM Press, pp. 19-28.
[13] R. Sailer, X. Zhang, T. Jaeger, L. V. Doorn, “Attestation-based policy enforcement for remote access,” In Proceedings of the 11th ACM Conference on Computer and Communications Security, 2004, pp. 308–317.
[14] A. Juels and R. Pappu, “Squealing Euros: Privacy Protection in RFID-Enabled Banknotes”, In Proceedings of the 7th Financial Cryptography Conference – FC ’03, IFCA.LeGosier, volume 2742 of LNCS, Springer, Guadeloupe, French West Indies, February 2004, pp. 103-121.
[15] J. Daemen, V. Rijmen, “The Design of Rijndael: AES the Advanced Encryption Standard”, Springer-Verlag, 2002, Berlin, Germany.
[16] M. Feldhofer, S. Dominikus, J. Wolkerstorfer, “Strong Authentication for RFID Systems Using the AES Algorithm”, Workshop on Cryptographic Hardware and Embedded Systems - CHES, volume 3156 of LNCS, August 2004, pp. 357-370.
[17] M. F. Mubarak, J. A. Manan and S. Yahya, “Mutual Attestation Using TPM for Trusted RFID Protocol,” In 2nd International Conference on Network Applications, Protocols and Services - NETAPPS 2010, Kedah, Malaysia, September 2010.
[18] A. Juels, R. Rivest and M. Szydlo, “The Blocker Tag: Selective Blocking of RFID Tags for Consumer Privacy,” Conference on Computer and Communications Security – ACM CCS, USA, October 2003, pp. 103-111.
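
The PCR extend chain of Section II.A and the nonce challenge-response of Section II.B, put together as in Model A (back-end server verifying the anonymizer in the reader), can be simulated as follows; this is an added example, not code from the paper. Assumptions: the TPM is simulated in software, an HMAC under a shared key stands in for the TPM's authentication of the report, the component byte strings are constructed, and the paper's AES channel encryption is left out.

```python
import hashlib
import hmac
import secrets

PCR_SIZE = 20  # SHA-1 digest length, the PCR size given in Section II.A

def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-1(old PCR || SHA-1(component))."""
    measurement = hashlib.sha1(component).digest()
    return hashlib.sha1(pcr + measurement).digest()

def measure_chain(components) -> bytes:
    """Trusted-boot chain: PCR starts at zero and is extended in load order."""
    pcr = bytes(PCR_SIZE)
    for blob in components:
        pcr = pcr_extend(pcr, blob)
    return pcr

class Reader:
    """Attester: RFID reader hosting the anonymizer (software-simulated TPM)."""
    def __init__(self, components, quote_key: bytes):
        self.components = list(components)
        self._quote_key = quote_key  # assumption: stand-in for a TPM-held key

    def quote(self, nonce: bytes):
        """Integrity report: current PCR value bound to the verifier's nonce."""
        pcr = measure_chain(self.components)
        tag = hmac.new(self._quote_key, nonce + pcr, hashlib.sha256).digest()
        return pcr, tag

class BackEndServer:
    """Verifier: stores the known-good PCR value and issues one-time nonces."""
    def __init__(self, expected_pcr: bytes, quote_key: bytes):
        self.expected_pcr = expected_pcr
        self._quote_key = quote_key
        self._pending = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(20)
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, pcr: bytes, tag: bytes) -> str:
        if nonce not in self._pending:
            return "reject: unknown or replayed nonce"
        self._pending.discard(nonce)  # each challenge is accepted once
        expected = hmac.new(self._quote_key, nonce + pcr, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "reject: bad report authentication"
        if not hmac.compare_digest(pcr, self.expected_pcr):
            return "reject: integrity mismatch"
        return "trusted"

def run_demo():
    key = secrets.token_bytes(32)
    # Constructed sample component images, measured in boot order.
    good = [b"bootloader v1", b"kernel v1", b"anonymizer v1"]
    server = BackEndServer(measure_chain(good), key)
    results = {}
    n1 = server.challenge()
    report = Reader(good, key).quote(n1)
    results["honest"] = server.verify(n1, *report)
    results["replay"] = server.verify(n1, *report)  # same report sent again
    modified = Reader(good[:2] + [b"anonymizer v1 (modified)"], key)
    n2 = server.challenge()
    results["modified"] = server.verify(n2, *modified.quote(n2))
    return results

if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case}: {verdict}")
```

The nonce is what stops a previously captured good report from being replayed after the anonymizer has changed; the PCR comparison is what halts a modified anonymizer.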