
A survey of RFID privacy approaches

  • Original Article
  • Personal and Ubiquitous Computing

Abstract

A bewildering number of proposals have offered solutions to the privacy problems inherent in RFID communication. This article tries to give an overview of the currently discussed approaches and their attributes.


Notes

  1. See http://scholar.google.com.

  2. The alternative of using the same secret for all of its tags typically lowers the strength of the authentication algorithm significantly.

  3. Note that such items could still be traceable as particular constellations [58].

  4. See http://www.emvelope.com.

  5. To allow for selective jamming, the RFID Guardian requires the use of a deterministic protocol like ISO-15693, where tags reply in a pre-defined timeslot (based on their ID) to reader requests.

  6. See slides of his invited talk at http://events.iaik.tugraz.at/RFIDSec06/Program/.

  7. Forward security means that a compromised tag does not disclose the entire history of tag sightings, even if these were under different pseudonym IDs.

  8. This is known as the Learning Parity in the Presence of Noise (LPN) Problem.

  9. Until such devices are available, the authors propose that new random passwords would be assigned by the supermarket and printed on the receipt.

  10. See http://ec.europa.eu/information_society/policy/rfid/index_en.htm.

References

  1. Agrawal R, Kiernan J, Srikant R, Xu Y (2002) Hippocratic databases. In: Proceedings of the 28th international conference on very large databases (VLDB 2002). Morgan Kaufmann, Hong Kong, pp 143–154. http://www.vldb.org/conf/2002/S05P02.pdf.

  2. Avoine G (2006) Bibliography on security and privacy in RFID systems. http://www.epfl.ch/~gavoine/rfid/

  3. Avoine G, Dysli E, Oechslin P (2005) Reducing time complexity in RFID systems. In: Preneel B, Tavares S (eds) Selected areas in cryptography—SAC 2005, Kingston, ON, Canada, August 11–12, 2005. Revised Selected Papers. Lecture Notes in Computer Science, vol 3897. Springer, Heidelberg, pp 291–306

  4. Batina L, Guajardo J, Kerins T, Mentens N, Tuyls P, Verbauwhede I (2006) An elliptic curve processor suitable for RFID-tags. Cryptology ePrint Archive, Report 2006/227. http://eprint.iacr.org/2006/227.pdf

  5. Berthold O, Günther O, Spiekermann S (2005) RFID: Verbraucherängste und Verbraucherschutz. Wirtschaftsinformatik 47(6):422–430. http://edoc.hu-berlin.de/docviews/abstract.php?id=26367


  6. Buttyán L, Holczer T, Vajda I (2006) Optimal key-trees for tree-based private authentication. In: Tsudik G, Syverson P, Bertino E (eds) Privacy enhancing technologies—sixth international workshop, PET 2006, Cambridge, UK, 28–30 June 2006, Revised Selected Papers, Lecture Notes in Computer Science, vol 4258. Springer, Heidelberg, pp 332–350

  7. Castelluccia C, Soos M (2007) Secret shuffling: a novel approach to RFID private identification. In: Conference on RFID security, Malaga, 11–13 July 2007. http://rfidsec07.etsit.uma.es/slides/papers/paper-45.pdf

  8. Chien H-Y, Chen C-H (2007) Mutual authentication protocol for RFID conforming to EPC class 1 generation 2 standards. Comput Standards Interfaces 29(2):254–259


  9. Data Protection Commissioners (2003) Resolution on radio frequency identification. In: 25th international conference of data Protection and Privacy Commissioners, November 2003. http://www.privacyconference2003.org/commissioners.asp.

  10. Dimitriou T (2005) A lightweight RFID protocol to protect against traceability and cloning attacks. In: Conference on security and privacy for emerging areas in communication networks—SecureComm. Athens, Greece, September 2005. IEEE

  11. Dimitriou T (2006) A secure and efficient RFID protocol that could make big brother (partially) obsolete. In: PERCOM ’06: proceedings of the fourth annual IEEE international conference on pervasive computing and communications (PERCOM’06). IEEE Computer Society, Washington, DC, pp 269–275

  12. European Commission (EC) (2007) Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on radio frequency identification RFID in Europe: Steps towards a policy framework. COM/2007/0096 final, March 2007. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:52007DC0096:EN:NOT

  13. European Data Protection Supervisor (EDPS) (2007) Opinion of the European Data Protection Supervisor on the communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on radio frequency identification (RFID) in Europe: steps towards a policy framework COM(2007)96, December 2007. http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2007/07-12-20_RFID_EN.pdf.

  14. EPCglobal (2005) Class-1 generation-2 UHF RFID protocol for communications at 860 MHz–960 MHz, version 1.0.9. EPC radio-frequency identity protocols, January 2005. http://www.epcglobalinc.org/standards/Class_1_Generation_2_UHF_Air_Interface_Protocol_Standard_Version_1.0.9.pdf

  15. EPCglobal (2006) EPC tag data specification 1.3. EPCglobal Standard, March 2006. http://www.epcglobalinc.org/standards/EPCglobal_Tag_Data_Standard_TDS_Version_1.3.pdf.

  16. European Union (2007) European policy outlook RFID (draft version). Working document, German Federal Ministry of Economics and Technology, June 2007. http://www.nextgenerationmedia.de/Nextgenerationmedia/Navigation/en/rfid-conference.html.

  17. Fabian B, Günther O, Spiekermann S (2005) Security analysis of the object name service for RFID. In: Proceedings of the first international workshop on security, privacy and trust in pervasive and ubiquitous computing, SecPerU 2005, in conjunction with IEEE ICPS'05, Santorini, Greece, July 14, 2005. http://cgi.di.uoa.gr/~spu2005/

  18. Feldhofer M, Dominikus S, Wolkerstorfer J (2004) Strong authentication for RFID systems using the AES algorithm. In: Joye M, Quisquater J-J (eds) Workshop on cryptographic hardware and embedded systems—CHES 2004, 6th international workshop, Cambridge, MA, USA, August 11–13, 2004. Proceedings. Lecture Notes in Computer Science, vol 3156. Springer, Heidelberg, pp 357–370

  19. Fishkin K, Roy S, Jiang B (2005) Some methods for privacy in RFID communication. In: Castelluccia C, Hartenstein H, Paar C, Westhoff D (eds) Security in ad-hoc and sensor networks—first European workshop, ESAS 2004, Heidelberg, Germany, 6 August 2004, Revised Selected Papers, Lecture Notes in Computer Science, vol 3313. Springer, Heidelberg, pp 42–53

  20. Floerkemeier C, Schneider R, Langheinrich M (2005) Scanning with a purpose—supporting the fair information principles in RFID protocols. In: Murakami H, Nakashima H, Tokuda H, Yasumura M (eds) Ubiquitous computing systems—second international symposium, UCS Tokyo, Japan, 8–9 November 2004, Revised Selected Papers, Lecture Notes in Computer Science, vol 3598. Springer, Heidelberg, pp 214–231

  21. Garfinkel S (2004) RFID rights. Technol Rev 107(9). http://www.technologyreview.com/articles/04/11/wo_garfinkel110304.asp?p=1.

  22. Garfinkel S, Rosenberg B (eds) (2005) RFID: applications, security, and privacy. Addison-Wesley, Reading

  23. Henrici D, Müller P (2004) Hash-based enhancement of location privacy for radio-frequency identification devices using varying identifiers. In: Lau F, Lei H (eds) Proceedings of the second IEEE annual conference on pervasive computing and communications workshops. Orlando, FL, USA, March 2004. IEEE Computer Society, pp 149–153. http://ieeexplore.ieee.org/xpl/tocresult.jsp?isNumber=28557&page=2

  24. Heydt-Benjamin TS, Bailey DV, Fu K, Juels A, O'Hare T (2007) Vulnerabilities in first-generation RFID-enabled credit cards. In: Dietrich S, Dhamija R (eds) Financial cryptography and data security. 11th International Conference, FC 2007, and 1st international workshop on usable security, USEC 2007, Scarborough, Trinidad and Tobago, 12–16 February 2007. Revised Selected Papers, Lecture Notes in Computer Science, vol 4886. Springer, Heidelberg, pp 2–14. The full version of this paper appears as UMass Amherst CS TR-2006-055. See http://www.rfid-cusp.org for the latest version. http://www.springerlink.com/content/e7324164535up092/.

  25. Inoue S, Yasuura H (2003) RFID privacy using user-controllable uniqueness. In: Proceedings of the RFID privacy workshop, MIT Press, Cambridge. http://www.rfidprivacy.us/2003/papers/sozo_inoue.pdf.

  26. Juels A (2004) Minimalist cryptography for RFID tags. In: Blundo C (ed) Security of communication networks (SCN), Amalfi, Italy, September 2004. http://www.rsasecurity.com/rsalabs/staff/bios/ajuels/publications/minimalist/Minimalist.pdf.

  27. Juels A (2005) RFID privacy: a technical primer for the non-technical reader. In: Strandburg K, Raicu DS (eds) Privacy and technologies of identity: a cross-disciplinary conversation. Springer, Heidelberg. http://www.rsasecurity.com/rsalabs/staff/bios/ajuels/publications/rfid_privacy/DePaul23Feb05Draft.pdf.

  28. Juels A (2005) Strengthening EPC tags against cloning. In: WiSe ’05: Proceedings of the fourth ACM workshop on wireless security. ACM Press, New York, pp 67–76

  29. Juels A (2006) RFID security and privacy: a research survey. IEEE J Sel Areas Commun 24(2):381–394. http://www.rsasecurity.com/rsalabs/staff/bios/ajuels/publications/pdfs/rfid_survey_28_09_05.pdf


  30. Juels A, Brainard J (2004) Soft blocking: flexible blocker tags on the cheap. In: De Capitani di Vimercati S, Syverson P (eds) Workshop on Privacy in the Electronic Society—WPES. ACM Press, Washington, DC, pp 1–7

  31. Juels A, Pappu R, Parno B (2008) Unidirectional key distribution across time and space with applications to RFID security. Cryptology ePrint Archive, Report 2008/044. http://eprint.iacr.org/cgi-bin/cite.pl?entry=2008/044

  32. Juels A, Rivest RL, Szydlo M (2003) The blocker tag: selective blocking of RFID tags for consumer privacy. In: Jajodia S, Atluri V, Jaeger T (eds) Proceedings of the tenth ACM conference on computer and communication security. ACM Press, Washington, DC, pp 103–111. http://portal.acm.org/citation.cfm?id=948126&coll=Portal

  33. Juels A, Weis S (2005) Authenticating pervasive devices with human protocols. In: Shoup V (ed) Advances in cryptology—CRYPTO’05, Lecture Notes in Computer Science, IACR, vol 3126. Springer, Santa Barbara, pp 293–308

  34. Karjoth G, Moskowitz PA (2005) Disabling RFID tags with visible confirmation: clipped tags are silenced. In: Atluri V, De Capitani di Vimercati S, Dingledine R (eds) Proceedings of the 2005 ACM Workshop on Privacy in the Electronic Society (WPES 2005). ACM Press, Alexandria, pp 27–30

  35. Karthikeyan S, Nesterenko M (2005) RFID security without extensive cryptography. In: Workshop on security of ad hoc and sensor networks—SASN’05. ACM, ACM Press, Alexandria, pp 63–67

  36. Kobsa A, Schreck J (2003) Privacy through pseudonymity in user-adaptive systems. ACM Trans Internet Technol 3(2):149–183


  37. Kriplean T, Welbourne E, Khoussainova N, Rastogi V, Balazinska M, Borriello G, Kohno T, Suciu D (2007) Physical access control for captured RFID data. IEEE Pervasive Comput 6(4):48–55


  38. Langheinrich M (2007) RFID and privacy. In: Petkovic M, Jonker W (eds) Security, privacy, and trust in modern data management. Springer, Heidelberg, pp 433–450


  39. Langheinrich M, Marti R (2007) Practical minimalist cryptography for RFID privacy. IEEE Syst J 1(2):115–128. http://www.vs.inf.ethz.ch/publ/papers/shamirtags07.pdf.


  40. Lu L, Han J, Hu L, Liu Y, Ni LM (2007) Dynamic key-updating: privacy-preserving authentication for RFID systems. In: Porta TL, Mutka M, Pinhanez C, Steenkiste P (eds) Proceedings of the fifth annual IEEE international conference on pervasive computing and communications (PerCom ’07), 19–23 March. IEEE Press, White Plains, pp 13–22

  41. Mara J (2003) Euro scheme makes money talk. Wired News, 9 July 2003. http://www.wired.com/news/privacy/0,1848,59565,00.html.

  42. Molnar D, Soppera A, Wagner D (2005) Privacy for RFID through trusted computing. In: WPES ’05: proceedings of the 2005 ACM workshop on privacy in the electronic society. ACM Press, New York, pp 31–34

  43. Molnar D, Soppera A, Wagner D (2005) A scalable, delegatable pseudonym protocol enabling ownership transfer of RFID tags. In: Preneel B, Tavares S (eds) Selected areas in cryptography—SAC 2005, Lecture Notes in Computer Science, vol 3897. Springer, Kingston, pp 276–290

  44. Molnar D, Wagner D (2004) Privacy and security in library RFID: issues, practices, and architectures. In: Pfitzmann B, Liu P (eds) Conference on computer and communications security—ACM CCS. ACM Press, Washington, DC, pp 210–219

  45. Ohkubo M, Suzuki K, Kinoshita S (2005) Cryptographic approach to “privacy-friendly” tags. In: Garfinkel S, Rosenberg B (eds) RFID: applications, security, and privacy. Addison-Wesley, Reading. http://www.rfidprivacy.us/2003/papers/ohkubo.pdf.

  46. Osaka K, Takagi T, Yamazaki K, Takahashi O (2006) An efficient and secure RFID security method with ownership transfer. In: Cheung Y-M, Wang Y, Liu H (eds) Computational intelligence and security, 2006 international conference on (CIS’06), vol 2. IEEE Press, Piscataway, pp 1090–1095. http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=4076126

  47. Rieback M, Crispo B, Tanenbaum A (2005) RFID guardian: a battery-powered mobile device for RFID privacy management. In: Boyd C, González Nieto JM (eds) Australasian conference on information security and privacy—ACISP’05, Brisbane, Australia, July 4–6, 2005. Proceedings. Lecture Notes in Computer Science, vol 3574. Springer, Heidelberg, pp 184–194

  48. Rieback M, Crispo B, Tanenbaum A (2007) Keep on blockin’ in the free world: personal access control for low-cost RFID tags. In: Christianson B, Crispo B, Malcolm JA, Roe M (eds) Security protocols, 13th international workshop, Cambridge, UK, 20–22 April 2005. Revised Selected Papers, Lecture Notes in Computer Science, vol 4631. Springer, Heidelberg, pp 51–59. http://www.springerlink.com/content/92407245x4432q17/.

  49. Rieback MR, Crispo B, Tanenbaum AS (2006) The evolution of RFID security. IEEE Pervasive Comput 05(1):62–69


  50. Shamir A (1979) How to share a secret. Comm ACM 22(11):612–613


  51. Spiekermann S (2008) RFID and privacy—what consumers really want and fear. Personal Ubiquitous Comput. Special issue on Privacy in Ubiquitous Computing. doi:10.1007/s00779-008-0213-4

  52. Spiekermann S, Berthold O (2005) Maintaining privacy in RFID enabled environments—proposal for a disable-model. In: Robinson P, Vogt H, Wagealla W (eds) Privacy, security and trust within the context of pervasive computing, Springer International Series in Engineering and Computer Science, vol 780. Springer Science and Business Media Inc., New York, pp 137–146. http://www.springerlink.com/content/w8w447l70541w075/.

  53. Staake T, Thiesse F, Fleisch E (2005) Extending the EPC network—the potential of RFID in anti-counterfeiting. In: Proceedings of the 2005 ACM symposium on applied computing. ACM Press, New York, pp 1607–1612

  54. Swedberg C (2006) Marnlen makes privacy-friendly tags for retail items. RFID J. See http://www.rfidjournal.com/article/articleprint/2803/-1/1/. November 2006

  55. Tsudik G (2007) A family of dunces: trivial RFID identification and authentication protocols. In: Borisov N, Golle P (eds) Privacy enhancing technologies. Seventh international symposium, PET 2007 Ottawa, Canada, 20–22 June 2007, Revised Selected Papers, Lecture Notes in Computer Science, vol 4776. Springer, Heidelberg, pp 45–61. http://www.springerlink.com/content/d67454h576847p42/

  56. Tuyls P, Batina L (2006) RFID-tags for anti-counterfeiting. In: Pointcheval D (ed) Topics in cryptology—CT-RSA 2006—the cryptographers’ track at the RSA conference 2006, San Jose, USA, 13–17 February 2005, Proceedings, Lecture Notes in Computer Science, vol 3860. Springer, Heidelberg, pp 115–131. http://www.cosic.esat.kuleuven.be/publications/article-621.pdf.

  57. Want R (2006) An introduction to RFID technology. IEEE Pervasive Comput 5(1):25–33


  58. Weis SA, Sarma SE, Rivest RL, Engels DW (2003) Security and privacy aspects of low-cost radio frequency identification systems. In: Hutter D, Müller G, Stephan W, Ullmann M (eds) Security in pervasive computing—first international conference, Boppard, Germany, 12–14 March 2003, Revised Papers, Lecture Notes in Computer Science, vol 2802. Springer, Heidelberg, pp 201–212. http://www.springerlink.com/openurl.asp?genre=issue&issn=0302-9743&volume=2802.

  59. Westhues J, Hacking the prox card. In: Garfinkel S, Rosenberg B (eds) RFID: applications, security, and privacy. Addison-Wesley, Reading, pp 291–300

  60. Westin AF (1967) Privacy and freedom. Atheneum, New York



Acknowledgments

The feedback of the anonymous reviewers, as well as the many helpful comments from my co-editor Sarah Spiekermann, helped tremendously in the writing of this article.

Author information


Correspondence to Marc Langheinrich.


About this article

Cite this article

Langheinrich, M. A survey of RFID privacy approaches. Pers Ubiquit Comput 13, 413–421 (2009). https://doi.org/10.1007/s00779-008-0213-4


  • DOI: https://doi.org/10.1007/s00779-008-0213-4
