ebook:RFID Security

hudie2002

Part I: Overview . . . . . . . . . . . . . . . . . . . . . . . . . 1
Chapter 1 What Is RFID?. . . . . . . . . . . . . . . . . . . 3
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4
What This Book Is and Is Not . . . . . . . . . . . . . . . . .5
RFID Radio Basics . . . . . . . . . . . . . . . . . . . . . . . . .9
Why Use RFID? . . . . . . . . . . . . . . . . . . . . . . . . . .11
RFID Architecture . . . . . . . . . . . . . . . . . . . . . . . .13
Tag/Label . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
Passive vs. Active Tags . . . . . . . . . . . . . . . . . .14
Reader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Middleware . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Data Communications . . . . . . . . . . . . . . . . . . . . . .17
Tag Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Electronic Product Code . . . . . . . . . . . . . . .18
Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Physical Form Factor (Tag Container) . . . . . . . . . .21
Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Key Fobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
Other Form Factors . . . . . . . . . . . . . . . . . . . . .24
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27
Links to Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . .27
Chapter 2 RFID Uses . . . . . . . . . . . . . . . . . . . . . 29
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30
Applied Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
Wholesale . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
Retail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37
Standards in the Marketplace . . . . . . . . . . . . . . . . .38
Failures in the Marketplace . . . . . . . . . . . . . . . . . .40
Benetton . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41
Metro Group . . . . . . . . . . . . . . . . . . . . . . . . . .41
Lessons Learned . . . . . . . . . . . . . . . . . . . . . . .41
RFID for the Consumer: Case Studies . . . . . . . . .44
Wal-Mart . . . . . . . . . . . . . . . . . . . . . . . . . . . .44
Implementation . . . . . . . . . . . . . . . . . . . . . .44
Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45
US Department of Defense (DoD) . . . . . . . . . .46
Implementation . . . . . . . . . . . . . . . . . . . . . .46
Results . . . . . . . . . . . . . . . . . . . . . . . . . . . .47
E-ZPass . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48
Implementation . . . . . . . . . . . . . . . . . . . . . .48
Results . . . . . . . . . . . . . . . . . . . . . . . . . . . .49
SpeedPass and Contactless Payment Systems . . .49
Implementation . . . . . . . . . . . . . . . . . . . . . .50
Results . . . . . . . . . . . . . . . . . . . . . . . . . . . .50
Livestock Tagging . . . . . . . . . . . . . . . . . . . . . .51
Implementation . . . . . . . . . . . . . . . . . . . . . .51
Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54
Part II: Attacking RFID. . . . . . . . . . . . . . . . . . . . 55
Chapter 3 Threat and Target Identification . . . 57
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58
Attack Objectives . . . . . . . . . . . . . . . . . . . . . . . . .58
Radio Frequency Manipulation . . . . . . . . . . . . .59
Spoofing . . . . . . . . . . . . . . . . . . . . . . . . . . .59
Insert . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60
Replay . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60
DOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60
Manipulating Tag Data . . . . . . . . . . . . . . . . . . .60
Middleware . . . . . . . . . . . . . . . . . . . . . . . . . . .62
Backend . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64
Blended Attacks . . . . . . . . . . . . . . . . . . . . . . . . . .65
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
Chapter 4 RFID Attacks: Tag Encoding Attacks 67
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68
Case Study: Johns Hopkins vs. SpeedPass . . . . . . . .68
The SpeedPass . . . . . . . . . . . . . . . . . . . . . . . . . . .69
Breaking the SpeedPass . . . . . . . . . . . . . . . . . . .74
The Johns Hopkins Attack . . . . . . . . . . . . . . . .76
Lessons to Learn . . . . . . . . . . . . . . . . . . . . . .80
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82
Chapter 5 RFID Attacks:
Tag Application Attacks . . . . . . . . . . . . . . . . . . 83
MIM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .84
Chip Clones—Fraud and Theft . . . . . . . . . . . . . . .84
Tracking: Passports/Clothing . . . . . . . . . . . . . . . . .90
Passports . . . . . . . . . . . . . . . . . . . . . . . . . . .93
Chip Cloning > Fraud . . . . . . . . . . . . . . . . . . . . .96
Disruption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99
Chapter 6 RFID Attacks: Securing
Communications Using RFID Middleware . . . 101
RFID Middleware Introduction . . . . . . . . . . . . . .102
Electronic Product Code System Network
Architecture . . . . . . . . . . . . . . . . . . . . . . . . .102
EPC Network Software
Architecture Components . . . . . . . . . . . . . . . .103
Readers . . . . . . . . . . . . . . . . . . . . . . . . . . .103
RFID Middleware . . . . . . . . . . . . . . . . . . .104
EPC Information Service . . . . . . . . . . . . . .104
Object Name Service . . . . . . . . . . . . . . . .105
ONS Local Cache . . . . . . . . . . . . . . . . . . .105
EPC Network Data Standards . . . . . . . . . . . . .105
EPC . . . . . . . . . . . . . . . . . . . . . . . . . . . . .105
PML . . . . . . . . . . . . . . . . . . . . . . . . . . . . .106
RFID middleware Overview . . . . . . . . . . . . . .106
Reader Layer - Operational Overview . . . . . . .109
Smoothing and Event Generation Stage . . . .112
Event Filter Stage . . . . . . . . . . . . . . . . . . . .113
Report Buffer Stage . . . . . . . . . . . . . . . . . .113
Interactions with Wireless LAN Networks . . . .113
802.11 WLAN . . . . . . . . . . . . . . . . . . . . . .114
Attacking Middleware with the Air Interface . . . .116
Understanding Security
Fundamentals and Principles of Protection . . . . . .122
Understanding PKIs and Wireless Networking .123
Understanding the Role
of Encryption in RFID Middleware . . . . . . . .123
Overview of Cryptography . . . . . . . . . . . . .124
Understanding How a Digital Signature Works 129
Basic Digital Signature
and Authentication Concepts . . . . . . . . . . .129
Why a Signature Is Not a MAC . . . . . . . . .130
Public and Private Keys . . . . . . . . . . . . . . .130
Why a Signature Binds
Someone to a Document . . . . . . . . . . . . . .131
Learning the W3C XML Digital Signature .131
Applying XML Digital
Signatures to Security . . . . . . . . . . . . . . . . .135
Using Advanced Encryption Standard
for Encrypting RFID Data Streams . . . . . . .136
Addressing Common Risks and Threats . . . . . . . .137
Experiencing Loss of Data . . . . . . . . . . . . . . .137
Loss of Data Scenario . . . . . . . . . . . . . . . . .137
The Weaknesses in WEP . . . . . . . . . . . . . . . . .138
Criticisms of the Overall Design . . . . . . . . . . .139
Weaknesses in the Encryption Algorithm . . . . .140
Weaknesses in Key Management . . . . . . . . . . .141
Securing RFID Data Using Middleware . . . . . . . .141
Fields: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .142
Using DES in RFID
Middleware for Robust Encryption . . . . . . . . . . .143
Using Stateful Inspection in the Application
Layer Gateway For
Monitoring RFID Data Streams . . . . . . . . . . . . .145
Application Layer Gateway . . . . . . . . . . . . . . .146
Providing Bullet-Proof Security Using Discovery,
Resolution and Trust Services in Commerce Events
AdaptLink™ . . . . . . . . . . . . . . . . . . . . . . . . . . . .148
Discovery Service . . . . . . . . . . . . . . . . . . . . . .148
Resolution, ONS and the EPC Repository . . .149
EPC Trust Service . . . . . . . . . . . . . . . . . . . . .150
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .151
Chapter 7 RFID Security:
Attacking the Backend . . . . . . . . . . . . . . . . . . 153
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . .154
Overview of Backend Systems . . . . . . . . . . . . . . .154
Data Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . .157
Data Flooding . . . . . . . . . . . . . . . . . . . . . . . .157
Problem 1 . . . . . . . . . . . . . . . . . . . . . . . . .157
Solution 1 . . . . . . . . . . . . . . . . . . . . . . . . .158
Problem 2 . . . . . . . . . . . . . . . . . . . . . . . . .158
Solution 2 . . . . . . . . . . . . . . . . . . . . . . . . .158
Purposeful Tag Duplication . . . . . . . . . . . . . . .158
Problem . . . . . . . . . . . . . . . . . . . . . . . . . . .158
Solution . . . . . . . . . . . . . . . . . . . . . . . . . . .158
Spurious Events . . . . . . . . . . . . . . . . . . . . . . .159
Problem . . . . . . . . . . . . . . . . . . . . . . . . . . .159
Solution . . . . . . . . . . . . . . . . . . . . . . . . . . .159
Readability Rates . . . . . . . . . . . . . . . . . . . . . .159
Problem . . . . . . . . . . . . . . . . . . . . . . . . . . .159
Solution . . . . . . . . . . . . . . . . . . . . . . . . . . .160
Virus Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . .160
Problem 1 (Database Components) . . . . . . . . .160
Problem 2 (Web-based Components) . . . . . . .160
Problem 3 (Web-based Components) . . . . . . .161
Solution 1 . . . . . . . . . . . . . . . . . . . . . . . . .161
Problem 4 (Buffer Overflow) . . . . . . . . . . . . .161
Solution 4 . . . . . . . . . . . . . . . . . . . . . . . . .162
RFID Data Collection Tool—
Backend Communication Attacks . . . . . . . . . . . . .162
MIM Attack . . . . . . . . . . . . . . . . . . . . . . . . . .162
Application Layer Attack . . . . . . . . . . . . . . . . .162
Solution . . . . . . . . . . . . . . . . . . . . . . . . . . .163
TCP Replay Attack . . . . . . . . . . . . . . . . . . . .163
Solution . . . . . . . . . . . . . . . . . . . . . . . . . . .163
Attacks on ONS . . . . . . . . . . . . . . . . . . . . . . . . .163
Known Threats to DNS/ONS . . . . . . . . . . . .164
ONS and Confidentiality . . . . . . . . . . . . . . . .164
ONS and Integrity . . . . . . . . . . . . . . . . . . . . .165
ONS and Authorization . . . . . . . . . . . . . . . . .165
ONS and Authentication: . . . . . . . . . . . . . . . .165
Mitigation Attempts . . . . . . . . . . . . . . . . . .166
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .166
Part III: Defending RFID . . . . . . . . . . . . . . . . . 167
Chapter 8 Management of RFID Security. . . . 169
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . .170
Risk and Vulnerability Assessment . . . . . . . . . . . .170
Risk Management . . . . . . . . . . . . . . . . . . . . . . . .173
Threat Management . . . . . . . . . . . . . . . . . . . . . .176
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .179
Chapter 9 Case Study: Using
Commerce Events AdaptLink™ to
Secure the DOD Supply Network –
Leveraging the DOD RFID Mandate . . . . . . . . 181
Background on the Use of
RFID in the DOD Supply Chain . . . . . . . . . . . .182
Why RFID is Essential
to the DoD Supply Chain . . . . . . . . . . . . . . . .182
RFID Policy Scope and Definition . . . . . . . . .183
History of RFID in DoD . . . . . . . . . . . . . . . .184
RFID in the DoD Supply Chain . . . . . . . . . . .185
RFID Standards . . . . . . . . . . . . . . . . . . . . . . .186
Improved Asset Tracking for the DoD is Critical .186
The Business Case . . . . . . . . . . . . . . . . . . . . .186
Reducing Sales Impediments and Stockouts .187
Minimizing Loss and Shrinkage . . . . . . . . . .187
Minimizing Inventory Carrying Costs . . . . .187
Minimizing Waste . . . . . . . . . . . . . . . . . . . .188
Minimizing Labor . . . . . . . . . . . . . . . . . . . .188
Needs of a Solution . . . . . . . . . . . . . . . . . . . .188
A Proposed Solution in Silent Commerce . . . . . .190
Passive RFID Technology . . . . . . . . . . . . . .191
Commerce Event’s Enabling Software . . . . . . .192
Implementing UID for the
DOD Supply Chain i . . . . . . . . . . . . . . . . . . .194
Identity Types . . . . . . . . . . . . . . . . . . . . . . . . .194
DoD Identity Type Option . . . . . . . . . . . . . . .195
DoD-64 Identity Type . . . . . . . . . . . . . . . .196
DoD-96 Identity Type . . . . . . . . . . . . . . . .200
Implementing Business Rules
for the DOD Supply Chain . . . . . . . . . . . . . .204
Passive RFID Business Rules . . . . . . . . . . . . . .204
Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . .205
Case, Palletized Unit Load,
UID Item Packaging Tagging . . . . . . . . . . . . .206
2.4.1 Bulk Commodities Not Included . . . .207
Contract/Solicitation Requirements . . . . . .207
Passive UHF RFID Tag Specifications . . . . . . .208
Passive UHF RFID
Tag Data Structure Requirements . . . . . . . .210
Passive UHF RFID Tag Data Structure
Requirements - Suppliers Shipping to
DoD Non-EPCglobal™ Subscribers
Using the DoD Tag Data Construct . . . . . .211
Passive UHF RFID
Tag Data Structure Requirements - DoD
Receiving Points Shipping Items Down
the Supply Chain to DoD Customers . . . . .214
Electronic Data Interchange Information . . . . .216
DoD Purchase Card Transactions . . . . . . . . . . .217
Wireless Encryption Requirements . . . . . . . . .218
Frequency Spectrum Management . . . . . . . . .218
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . .219
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .220
Appendix A Additional RFID
Reference Material . . . . . . . . . . . . . . . . . . . . . 221
Frequently Asked Questions . . . . . . . . . . . . . . . . .222
RFID Solutions Fast Track . . . . . . . . . . . . . . . . . .225
Overview of Backend Systems . . . . . . . . . .226
Data Attacks . . . . . . . . . . . . . . . . . . . . . . .226
Virus Attacks . . . . . . . . . . . . . . . . . . . . . . .227
Middleware—Backend
Communication Attacks . . . . . . . . . . . . . . .227
Attacks on ONS . . . . . . . . . . . . . . . . . . . .227
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229

semico_ljj

我来顶！！
安全领域！

semico_ljj

RFID Security
Copyright © 2006 by Syngress Publishing, Inc. All rights reserved. Printed in Canada. Except as permitted

semico_ljj

Lead Author
Frank Thornton runs his own technology consulting firm,
Blackthorn Systems, which specializes in wireless networks. His specialties
include wireless network architecture, design, and implementation,
as well as network troubleshooting and optimization.An
interest in amateur radio helped him bridge the gap between computers
and wireless networks. Having learned at a young age which
end of the soldering iron was hot, he has even been known to repair
hardware on occasion. In addition to his computer and wireless
interests, Frank was a law enforcement officer for many years. As a
detective and forensics expert he has investigated approximately one
hundred homicides and thousands of other crime scenes.
Combining both professional interests, he was a member of the
workgroup that established ANSI Standard “ANSI/NIST-CSL 1-
1993 Data Format for the Interchange of Fingerprint Information.”
He co-authored WarDriving: Drive, Detect, and Defend: A Guide to
Wireless Security (Syngress Publishing, ISBN: 1-93183-60-3), as well
as contributed to IT Ethics Handbook: Right and Wrong for IT
Professionals (Syngress, ISBN: 1-931836-14-0) and Game Console
Hacking: Xbox, PlayStation, Nintendo, Atari, & Gamepark 32 (ISBN: 1-
931836-31-0). He resides in Vermont with his wife.
Dedicated to my wife, Gerry
For the many years of love and support

semico_ljj

Introduction
In a broad context, radio transmissions containing some type of identifying
information are considered Radio Frequency Identification (RFID).This can
be a cab driver using his unit number over the air, or the call sign of a radio
station.This chapter discusses the tools, applications, and security of RFID.
RFID is about devices and technology that use radio signals to exchange
identifying data. In the usual context, this implies a small tag or label that
identifies a specific object.The action receives a radio signal, interprets it,
and then returns a number or other identifying information. (e.g.,“What
are you?” answered with “I am Inventory Item Number 12345”).
Alternatively, it can be as complex as a series of cryptographically encoded
challenges and responses, which are then interpreted through a database,
sent to a global satellite communications system, and ultimately influence a
backend payment system.
Some of the current uses of RFID technology include:
■ Point of Sale (POS)
■ Automated Vehicle Identification (AVI) systems
■ Restrict access to buildings or rooms within buildings
■ Livestock identification
■ Asset tracking
■ Pet ownership identification
■ Warehouse management and logistics
■ Product tracking in a supply chain
■ Product security
■ Raw material tracking/parts movement within factories
■ Library books check-in/check-out
■ Railroad car tracking
■ Luggage tracking at airports

semico_ljj

又是一本可以当杂志看的Ebook！

semico_ljj

Additional RFID Reference Material

RFID Solutions Fast Track
Applied Use

RFID is a versatile technology. It has been used extensively and
successfully in a variety of contexts, including contactless cards, such
as contactless payment systems, and livestock tagging.

Mandates by Wal-Mart, the DoD, and others have raised the profile
of RFID in supply chain contexts. However, supply chain
implementations of the technology are still in formative stages.

Some have predicted that bar codes would be entirely replaced by
RFID. However, as pilots have been implemented, we have come to
understand that bar codes will have a place for many years to come.
Standards in the Marketplace

Standards for RFID technology are evolving. This evolution is an
ongoing process.

EPCglobal, a worldwide body formed to develop product
identification standards, has implemented the electronic product code.

While EPCglobal’s action went a long way toward standardization,
there are still open questions. For instance, the EPC code has not
necessarily been accepted in all industries to identify all products.
Differences in frequencies from country to country and application
to application still exist.

semico_ljj

RFID Case Studies

Wal-Mart’s and the DoD’s mandates requiring major suppliers to start
using RFID gave a much-needed jump-start to the industry to
accelerate supply chain usage of RFID.

However, all the supply chain mandates are still in early stages of
multiphase, multiyear rollouts. Hard conclusions and final results are
not yet available. Even so, the initial reports of the mandates under
way suggest significant ROI to the retailers and the DoD.

Outside of the supply chain context, uses of RFID are very well
established in the marketplace.These uses have been going on for
over a decade and have touched the lives of millions of consumers.
Overview of Backend Systems

A backend system converts RFID events into actions that trigger
business processes.

Backend systems use RFID data analytics (event pattern analysis) to
identify events of “interest.”

Relative to EPCglobal Network Architecture, backend systems
consist of the EPCIS capturing application and EPCIS accessing
application.
Data Attacks

Prevent data flooding by buffering incoming RFID events.

Detect spurious events by doing event pattern analysis.

Build flexible backend systems where tag readability rates are far
below an acceptable level.

semico_ljj

Virus Attacks

Validate tag data using a checksum mechanism.

Validate tag data before using it in database query or Web page
generation.

Do not assume the length of tag data; prevent buffer overflows.
Middleware—Backend Communication Attacks

Use secure protocols to communicate data over unsecured networks,
which will prevent MIM attacks.

Authenticate the source of an event generator to prevent TCP/IP
replay attacks.
Attacks on ONS

Use DNS security extensions to ensure the authenticity and integrity
of ONS (ONS is a subset of DNS).

Prevent an ONS server from being hijacked.

Prevent DOS attacks on an ONS server.

semico_ljj

Frequently Asked Questions

Frequently Asked Questions
Q: What is an EPC tag?
A: EPC stands for “electronic product code.” EPC Global defines it as “a
globally unique serial number that identifies an item in the supply chain.
This allows inquiries to be made about a single instance of an item, wherever
it is within the supply chain.” In December 2004 EPC Global established
a global standard for the EPC, enabling companies across the globe
to use a standardized format to identify goods throughout the supply
chain, from supplier to purchaser.
Q: What is the difference between RFID and EPC?
A: RFID refers to the technology in which an RFID tag transmits a radio
frequency signal that is picked up by a reader. EPC means the unique 96-
bit code identifying an item. The phrase “EPC tag” refers to an RFID tag
containing an EPC code.
Q: Will RFID tags replace bar codes?
A: RFID tags will not replace bar codes for many many years to come. Bar
codes are far less expensive than RFID tags, and the technology to deploy
bar codes is proven and reliable. The two technologies will continue to
coexist for a long time.
Q: What is a Generation 2 tag?
A: Generation 2 or Gen 2 is the name given to the RFID tags developed to
meet the EPC standard ratified by EPC Global in late 2004. Gen 2 tags
take the place of certain earlier Class 1 and Class 2 tags. Gen 2 tags can be
rewritten several times and are more durable than earlier classes of tags.
Impinj shipped the first Gen 2 tags in April 2005.