G4 Team 8
Radio Frequency Identification (RFID) devices have seen rapid adoption in recent years. RFID enabled a plethora of innovations across various industries, such as real-time inventory tracking in supply chain management. Implementations of the technology have gone far beyond the supply chain focus that had generated much hype for it in the last decade. The various uses of RFID devices have greatly influenced the landscape of the electronics industry as a whole.
Scenario and Assumptions
This report will cover an implementation of a Secure RFID Tag System for use in inventory management scenario in Company SEC. The company seeks to implement a secure RFID system so as to prevent unauthorized personnel from wirelessly collecting information from the RFID tags on Company SEC’s products.
This secure system must:
1. Prevent unauthorized RFID readers from collecting meaningful data from the Company SEC’s RFID Tags 2. Enable authentic RFID readers to detect rogue RFID tags that masquerade as authentic tags.
This project assumes the following conditions:
1. Company SEC has in place a secure database which contains the serial numbers of all the RFID tags in the company. The aspects of database security will hence not be covered. 2. Company SEC has in place a system that provides secure communication between RFID readers and the secure database aforementioned. We will therefore not cover aspects of secure communication between the simulated RFID reader and the databases. 3. Communication channel between RFID reader and tag will be considered as standard. Hence, we will merely simulate data transmission between RFID reader and tag. Focus will be placed on ensuring that unauthorized devices cannot decipher the contents of the data transmitted.
Rogue RFID tags
Attackers looking to compromise Company SEC’s inventory management system can create tags that masquerade as authentic tags. These ‘fake’ tags could corrupt the supply-chain data or slow down the inventory system causing costly disruptions to business processes.
‘Eavesdropping’ with Unauthorized RFID readers
High-powered RFID readers can detect RFID tag data from several hundred meters away, which means that attackers can remotely ‘eavesdrop’ on RFID tag information of all tags inside Company SEC’s warehouses. Such information needs to be kept private as it would allow competitors to gain an unfair advantage over Company SEC, or thieves to know where the most valuable inventory is kept. RFID System Design
Figure 1: RFID System Design
Key Initializer (RFIDInit.java)
Figure 2: Key Initializer GUI (RFIDInit.java)
This class creates a key for each RFID Tag Serial Number. It first reads directly from rfid-sn.txt and generates a random 128-bit key for each of the serial numbers. These keys, together with their corresponding serial number, are then written and stored in keys.txt.
RFID Tag (TagUI.java)
Figure 3: RFID Tag GUI (TagUI.java)
To enable the user to select a tag to be scanned, the tags are first retrieved from our backend database, keys.txt, and displayed on the user interface.
After the reader has scanned the tag, the tag receives the ciphertext C1 sent by the reader. The hash digest is then computed using ciphertext C1, its respective key and ciphertext C2. In our design, the ciphertext is computed using the SecureRandom class from the java.security package, whereas for the hash digest, it is computed using the DigestUtils class from the org.apache.commons.codec.digest package.
The following formula is applied:
Digest, R = SHA256(C1 + C2 + Key)*
*The Strings C1, C2 and Key are concatenated
After the hash has been computed, the hash digest R and ciphertext C2 is sent as a JSON object via a JMS Queue to the RFID Reader.
RFID Reader (ReaderUI.java)