Radio frequency identification (RFID) systems aim to identify tags to readers in an open environment where neither visual nor physical contact is needed for communication. Because of their low production costs and small size, RFID tags are expected to replace traditional identification methods such as bar codes. Currently, RFID tags are deployed, for instance, in passports, access control cards for public transportation, and location tracking systems.
These examples show that RFID tags, as opposed to bar codes, are not only useful to identify objects, but also to authenticate objects or people. Such applications, however, raise privacy concerns, in particular the worry that people may become traceable by carrying RFID-equipped objects.
The computational limitations of RFID tags impose significant restrictions on the number and type of cryptographic primitives that can be implemented on them. It is then a delicate task to attain strong authentication and untraceability properties with simple cryptographic primitives. For example, in a communication with an RFID reader, a tag's messages need to convey sufficient information for the reader to be able to authenticate the tag, without revealing anything that would allow an adversary to identify the tag. Additionally, to allow for large-scale deployment, the RFID reader needs to be able to effiently identify and authenticate the tag using the supplied information. Thus, RFID tags, and therefore the protocols they are running, have to satisfy several contradictory requirements.
This project focuses on the design and verification of RFID protocols. Current results include a formal definition of untraceability, and a thorough analysis of current RFID protocol literature. The analysis shows that the design of resource-constrained RFID protocols is still not well-understood.
The following members are involved in the project:
|||T. van Deursen and S. Radomirović. On a new formal proof model for RFID location privacy. Information Processing Letters, 110(2):57-61, 2009. [ bib | DOI ]|
|||T. van Deursen, S. Mauw, and S. Radomirović. mCarve: Carving attributed dump sets. In Proc. 20th USENIX Security Symposium. USENIX Association, August 2011. To appear. [ bib | .pdf ]|
|||T. van Deursen and S. Radomirović. Insider attacks and privacy of RFID protocols. In EuroPKI, Lecture Notes in Computer Science. Springer, 2011. To appear. [ bib ]|
|||T. van Deursen. 50 ways to break RFID privacy. In Privacy and Identity 2010, volume 352 of IFIP AICT, pages 192-205. Springer, 2011. [ bib | .pdf ]|
|||T. van Deursen and S. Radomirović. EC-RAC: Enriching a capacious RFID attack collection. In 6th Workshop on RFID Security (RFIDSec 2010), volume 6370 of Lecture Notes in Computer Science, pages 75-90. Springer, 2010. [ bib | DOI | .pdf ]|
|||T. van Deursen and S. Radomirović. Security of RFID protocols - A case study. In Proc. 4th International Workshop on Security and Trust Management (STM'08), volume 244 of ENTCS, pages 41-52. Elsevier, August 2009. [ bib | DOI | .pdf ]|
|||T. van Deursen and S. Radomirović. Algebraic attacks on RFID protocols. In Information Security Theory and Practices. Smart Devices, Pervasive Systems, and Ubiquitous Networks (WISTP'09), volume 5746 of Lecture Notes in Computer Science. Springer, 2009. 38-51. [ bib | .pdf ]|
|||T. van Deursen, S. Mauw, S. Radomirović, and P. Vullers. Secure ownership and ownership transfer in RFID systems. In Proc. 14th European Symposium On Research In Computer Security (ESORICS'09), volume 5789 of Lecture Notes in Computer Science, pages 637-654. Springer, 2009. [ bib | .pdf ]|
|||T. van Deursen and S. Radomirović. Security of an RFID protocol for supply chains. In Proc. 1st Workshop on Advances in RFID (AIR'08), pages 568-573. IEEE Computer Society, October 2008. [ bib | .pdf ]|
|||T. van Deursen, S. Mauw, and S. Radomirović. Untraceability of RFID protocols. In Information Security Theory and Practices. Smart Devices, Convergence and Next Generation Networks (WISTP'08), volume 5019 of Lecture Notes in Computer Science, pages 1-15, Seville, Spain, 2008. Springer. [ bib | .pdf ]|
|||T. van Deursen and S. Radomirović. Attacks on RFID protocols (version 1.1). Technical report, University of Luxembourg, August 2009. http://eprint.iacr.org/2008/310. [ bib ]|
|||T. van Deursen and S. Radomirović. Untraceable RFID protocols are not trivially composable: Attacks on the revision of EC-RAC. Technical report, University of Luxembourg, July 2009. http://eprint.iacr.org/2009/332. [ bib ]|
|||T. van Deursen and S. Radomirović. On a new formal proof model for RFID location privacy. Technical report, November 2008. http://eprint.iacr.org/2008/477. [ bib ]|
|||T. van Deursen and S. Radomirović. Vulnerabilities in RFID protocols due to algebraic properties. 3rd Benelux Workshop on Information and System Security, November 2008. [ bib ]|
Financial support for the project is obtained through the following grants: