RFID
RFID (Radio Frequency IDentification) technology provides a transparent link between the physical world and the information system as a RFID tag attached/embedded in an object enables unique identification and authentication capabilities, the provision of item-related data (e.g. characteristics or hystory log) or even computing and sensing features, depending on the RFID technology branch applied. Due to these unobtrusive and unexpensive wireless communication capabilities RFID is being widely adopted in several sectors (e.g. logistics, healthcare or access control) and is referred to as a key technology in the upcoming Internet of Things.
However, as we referred in one of our initial publications in RFID security [1], the features of this technology turn it into a double-edge sword that raises several concerns regarding privacy and anonymity threats. In this initial work, we highlighted these double-sided features, as well as the security threats due to information leakage, association with owner and individual’s tracking. Moreover, we reviewed both technology-based, as well as policy and legal-based solutions to these emerging threats.
Furthermore, our work on RFID technology security and applications has focused on two areas where we have been involved in research projects: healthcare environments and personal documentation.
Regarding the integration of RFID in healthcare environments, in the context of the CIES project we have analysed and developed lab-tested prototypes for two types of scenarios. In the first case, a medical equipment tracking system enabling both real-time and theft prevention capabilities. In this area we analyzed several aspects such as technology selection, management of RFID data from the hospital information system or possible EMI interferences. Our tests in a lab environment showed up the limitations of passive UHF RFID technology in this scenario.
In the second scenario of healthcare environments, we designed and implemented a prototype solution for care and control of inpatients in a medical centre. In our solution, the RFID technology enables identification and authentication of patients and medical staff, speed up medical information retrieval, logging of events and the management of an alert control system to the adequate medical personnel. Moreover, RFID is used to provide an in-situ backup source for critical medical data and provide an offline working mode. In other words, in case of a network failure, the system remains operative as user authentication, main data and last performed actions can be securely managed from RFID cards and wristbands. Any new data generated is temporally stored on the RFID devices for subsequent synchronization with central server. For further information, please check [2].
In a different arena and in the context of the IDENTICA project, our research has focused on the secure integration of RFID technology in personal documentation. In our vision, traditional paper-based documentation lacks the link with the digital world for agile and automated processing. At the same time, most documents lack adequate security mechanisms and rely on handwritten signatures which can be easily forged, being prone to cloning alteration and counterfeiting attacks. Paper-based documentation should be integrated with the information system obtaining automatic processing capabilities and enabling the use of advanced cryptographic security mechanisms. From NICS, we have presented our concept of ‘hybrid documentation’ describing how paper-based documentation can benefit from the integration of RFID technology, the new requirements that can be requested from a document because of the natural link between it and the information system, as well as the security requirements a hybrid document can fulfil. We have analyzed the weaknesses in the security mechanisms defined for e-Passport (the most representative example of documentation taking this hybrid approach to-date) and the suitability of these mechanisms for other kinds of electronic documentation. Most of the issues were derived from the key derivation scheme for the Basic Access Control mechanism, due to this we have provided different alternatives for this key generation scheme. As part of them, we have proposed a key management infrastructure for handling control access keys for hybrid documentation including our protoype implementation of the infrastructure as well as RFID-enabled documentation. For further information, please check [3].
References
- Pablo Najera and Javier Lopez (2007): RFID: Technological Issues and Privacy Concerns. In: Acquisti, Alessandro; Gritzalis, Stefanos; Lambrinoudakis, Costas; Vimercati, Sabrina De Capitani (Ed.): Digital Privacy: Theory, Technologies, and Practices, pp. 285-306, Auerbach Publications, 2007, ISBN: 1420052179.
- Pablo Najera and Javier Lopez (2011): Real-time Location and Inpatient Care Systems Based on Passive RFID. In: Journal of Network and Computer Applications, vol. 34, pp. pp. 980-989, 2011, ISSN: 1084-8045.
- Pablo Najera and Francisco Moyano and Javier Lopez (2009): Security Mechanisms and Access Control Infrastructure for e-Passports and General Purpose e-Documents. In: Journal of Universal Computer Science, vol. 15, pp. 970-991, 2009, ISSN: 0948-695X.