RFID

RFID (Radio Frequency IDentification) technology provides a transparent link between the physical world and the information system as a RFID tag  attached/embedded in an object enables unique identification and authentication capabilities, the provision of item-related data (e.g. characteristics or hystory log) or even computing and sensing features, depending on the RFID technology branch applied. Due to these unobtrusive and unexpensive wireless  communication capabilities RFID is being widely adopted in several sectors (e.g. logistics, healthcare or access control) and is referred to as a key  technology in the upcoming Internet of Things.

However, as we referred in one of our initial publications in RFID security [1], the features of this technology turn it into a double-edge sword that raises several concerns regarding privacy and anonymity threats. In this initial work, we highlighted these double-sided features, as well as the security threats due to information leakage, association with owner and individual's tracking. Moreover, we reviewed both technology-based, as well as policy and legal-based solutions to these emerging threats.

Furthermore, our work on RFID technology security and applications has focused on two areas where we have been involved in research projects: healthcare  environments and personal documentation.

Regarding the integration of RFID in healthcare environments, in the context of the CIES project we have analysed and developed lab-tested prototypes for two types of scenarios. In the first case, a medical equipment tracking system enabling both real-time and theft prevention capabilities. In this area we analyzed several aspects such as technology selection, management of RFID data from the hospital information system or possible EMI interferences. Our tests in a lab environment showed up the limitations of passive UHF RFID technology in this scenario.

In the second scenario of healthcare environments, we designed and implemented a prototype solution for care and control of inpatients in a medical centre. In our solution, the RFID technology enables identification and authentication of patients and medical staff, speed up medical information retrieval, logging of events and the  management of an alert control system to the adequate medical personnel. Moreover, RFID is used to provide an in-situ backup source for critical medical data  and provide an offline working mode. In other words, in case of a network failure, the system remains operative as user authentication, main data and last  performed actions can be securely managed from RFID cards and wristbands. Any new data generated is temporally stored on the RFID devices for subsequent  synchronization with central server. For further information, please check [2].

In a different arena and in the context of the IDENTICA project, our research has focused on the secure integration of RFID technology in personal documentation. In our vision, traditional paper-based documentation lacks the link with the digital world for agile and automated processing. At the same time, most documents lack adequate security mechanisms and rely on handwritten signatures which can be easily forged, being prone to cloning alteration and counterfeiting attacks. Paper-based documentation should be integrated with the information system obtaining automatic processing capabilities and enabling the use of advanced cryptographic security mechanisms. From NICS, we have presented our concept of 'hybrid documentation' describing how paper-based documentation can benefit from the integration of RFID technology, the new requirements that can be requested from a document because of the natural link between it and the information system, as well as the security requirements a hybrid document can fulfil. We have analyzed the weaknesses in the security mechanisms defined for e-Passport (the most representative example of documentation taking this hybrid approach to-date) and the suitability of these mechanisms for other kinds of electronic documentation. Most of the issues were derived from the key derivation scheme for the Basic Access Control mechanism, due to this we have provided different alternatives for this key generation scheme. As part of them, we have proposed a key management infrastructure for handling control access keys for hybrid documentation including our protoype implementation of the infrastructure as well as RFID-enabled documentation. For further information, please check [3].

References

  1. P. Najera, and J. Lopez, "RFID: Technological Issues and Privacy Concerns",
    Digital Privacy: Theory, Technologies, and Practices, A.. Acquisti, S. Gritzalis, C.. Lambrinoudakis, and S. De Capitan di Vimercati Eds., Auerbach Publications, pp. 285-306, December, 2007. More..
  2. P. Najera, and J. Lopez, "Real-time Location and Inpatient Care Systems Based on Passive RFID",
    Journal of Network and Computer Applications, vol. 34, Elsevier, pp. pp. 980-989, 2011. DOI (I.F.: 1.065)More..

    Abstract

    RFID technology meets identification and tracking requirements in healthcare environments with potential to speed up and increase reliability of involved processes. Due to this, high expectations for this integration have emerged, but hospital and medical centers interested in adoption of RFID technology require prior knowledge on how to squeeze RFID capabilities, real expectations and current challenges. In this paper, we show our lab tested solutions in two specific healthcare scenarios. On the one hand, we analyze the case of a medical equipment tracking system for healthcare facilities enabling both real-time location and theft prevention. Worth-noting aspects such as possible EMI interferences, technology selection and management of RFID data from hospital information system are analyzed. Lab testing of system reliability based on passive UHF RFID is provided for this case. On the other hand, we analyze and provide a solution for care and control of patients in a hospital based on passive HF RFID with the result of a fully functional demonstrator. Our prototype squeezes RFID features in order to provide a backup data source from patient’s wristband. It also provides an offline working mode aiming to increase application reliability under network fail down and therefore, improving patient’s safety. Considerations regarding lessons learned and challenges faced are exposed.

    Impact Factor: 1.065
    Journal Citation Reports® Science Edition (Thomson Reuters, 2011)
  3. P. Najera, F. Moyano, and J. Lopez, "Security Mechanisms and Access Control Infrastructure for e-Passports and General Purpose e-Documents",
    Journal of Universal Computer Science, vol. 15, pp. 970-991, 2009. DOI (I.F.: 0.669)More..

    Abstract

    Traditional paper documents are not likely to disappear in the near future as they are present everywhere in daily life, however, paper-based documentation lacks the link with the digital world for agile and automated processing. At the same time it is prone to cloning, alteration and counterfeiting attacks. E-passport defined by ICAO and implemented in 45 countries is the most relevant case of hybrid documentation (i.e. paper format with electronic capabilities) to date, but, as the advantages of hybrid documentation are recognized more and more will undoubtedly appear. In this paper, we present the concept and security requirements of general-use e-documents, analyze the most comprehensive security solution (i.e. ePassport security mechanisms) and its suitability for general-purpose e-documentation. Finally, we propose alternatives for the weakest and less suitable protocol from ePassports: the BAC (Basic Access Control). In particular, an appropriate key management infrastructure for access control to document memory is discussed in conjunction with a prototype implementation.

    Impact Factor: 0.669
    Journal Citation Reports® Science Edition (Thomson Reuters, 2009)