Security and privacy in RFID systems

Official URL: http://risc01.sabanciuniv.edu/record=b1589824 (Table of Contents)

RFID is a leading technology that has been rapidly deployed in several daily life applications such as payment, access control, ticketing, e-passport, supply-chain, etc. An RFID tag is an electronic label that can be attached to an object/individual in order to identify or track the object/individual through radio waves. Security and privacy are two major concerns in several applications as the tags are required to provide a proof of identity. The RFID tags are generally not tamper-resistant against strong adversarial attacks. They also have limited computational resources. Therefore, the design of a privacy preserving and cost-effective RFID authentication protocol is a very challenging task for industrial applications. Moreover, RFID systems are also vulnerable to relay attacks (i.e., mafia, terrorist and distance frauds) when they are used for authentication purposes. Distance bounding protocols are particularly designed as a countermeasure against these attacks. These protocols aim to ensure that the tags are in a bounded area by measuring the round-trip delays during a rapid challenge-response exchange of short authentication messages. Several RFID distance bounding protocols have been proposed recently in the literature. However, none of them provides the ideal security against the terrorist fraud. Besides, the requirements of low resources and inefficient data management trigger to make use of cloud computing technology in RFID authentication systems. However, as more and more information on individuals and companies is placed in the cloud, concerns about data safety and privacy raise. Therefore, while integrating cloud services into RFID authentication systems, the privacy of tag owner against the cloud must also be taken into account. Motivated by this need, this dissertation contributes to the design of algorithms and protocols aimed at dealing with the issues explained above. First of all, we introduce two privacy models for RFID authentication protocols based on Physically Unclonable Functions (PUF). We propose several authentication protocols in order to demonstrate these models. Moreover, we study distance bounding protocols having bit-wise fast phases and no final signature. We give analysis for the optimal security limits of the distance bounding protocols. Furthermore, we propose a novel RFID distance bounding protocol based on PUFs and it satisfies the highest security levels. Finally, we provide a new security and privacy model for integrating cloud computing into RFID systems. For the sake of demonstration of this model, we also propose two RFID authentication protocols that require various computational resources and provide different privacy levels.