In this issue, we introduce RFID security in detail. DHS 4300A-Q4 (RFID Security) was released on August 5, 2014. The document sets out RFID-related requirements and guidance for implementing the DHS wireless security policy, to assist the components of the U.S. Department of Homeland Security in developing and implementing information assurance programs for RFID systems.
RFID is a technology that communicates remotely with wireless devices (tags) through electromagnetic signals and uses those signals to identify and track the objects the tags are attached to. An RFID system comprises tags, readers, a local host computer, back-end applications and a database. The data on a tag is scanned by a reader and sent to the back-end server; the whole process can be synchronized automatically and completed remotely. Figure 2 depicts a passive RFID system.
In an RFID system, some tags store only a simple identification code, while others can store more information, such as biometric data, location, temperature and humidity, depending on the tag hardware and any attached peripherals. For example, a tag that uses the standard enterprise wireless network and combines location and ID information to locate assets and personnel in real time can be used for dynamic tracking in a hospital.
An RFID tag consists of a microchip and an antenna. Tags communicate over different electromagnetic frequencies and media, such as low frequency, high frequency, ultra-high frequency, wireless networking, infrared and ultrasound. In general, there are two types of RFID tags, active and passive:
(1) Passive and semi-passive tags have no internal energy source and normally draw their energy from the signals transmitted by external RF equipment (such as readers/writers).
(2) Active and semi-active tags have an internal energy source and can send RF signals to readers/writers on their own.
Security problems and suggestions in RFID system
Active tags periodically send RF signals to communicate with readers/writers. Depending on frequency and transmission power, the signals can penetrate objects such as walls. Some tags can even communicate over hundreds of meters in open space and tens of meters indoors.
At present, most active tags support neither authentication nor encryption, and the transmitted data can easily be captured with a compatible reader/writer. Active tags should therefore be used in a secure operating environment. For organizations using RFID, it is important to understand how active tags operate, evaluate the business and operational risks and vulnerabilities, make informed decisions, and balance operational and security considerations.
Today, most passive tags comply with the EPC Class 1 Gen 2 standard. This standard was commissioned by the U.S. Department of Defense and Walmart and has been widely adopted across industries and government agencies. However, the EPC Class 1 Gen 2 standard provides only very limited security features:
A 16-bit random number generator is used for the two-way handshake and for data masking: its output binds a given tag and reader/writer to one session, to avoid collisions when multiple tags or readers are present. The same value is also used as the key for simple masking of the password, and of the data the reader writes to the tag when executing a write command; it is not used to encrypt the identification data sent from the tag to the reader.
A 32-bit password is required to execute the kill command that disables the tag.
A 16-bit cyclic redundancy check (CRC) is used for error detection.
Some operations on the tag require a 32-bit access password (for example, the memory protected against "write" operations), but this password is not required to read the tag's ID data.
Because so few bits are involved, all of these features are considered weak security. The following security issues must therefore be considered when deploying such tags:
An EPC tag does not authenticate a compatible reader/writer before responding to it;
The passwords used for kill and access control are short and static, and provide only one-way authentication from reader to tag, so they may be cracked by attackers;
The EPC standard has no data encryption requirements, whether for data on the tag or data in transmission;
The protection the EPC password offers is very weak;
The key value used to mask data between reader and tag is sent in the clear when the tag first responds to the reader, so it can be intercepted.
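The last two points are easiest to see in a worked model. The following is an added example, not code from the DHS document: a simplified simulation of the Gen 2 access exchange in which the tag hands out a 16-bit random value (RN16) in the clear and the reader sends each half of the 32-bit password XORed with that value ("cover-coding"). The class and function names, the sample password and the air-log format are constructed for the illustration; handles, CRCs and other protocol details are omitted. The point for a defender is that anyone able to monitor both links recovers the password by a single XOR, so the access and kill passwords must be treated as non-secret on the air and never reused as a credential elsewhere.

```python
import secrets

MASK16 = 0xFFFF


def cover_code(half: int, rn16: int) -> int:
    """Gen 2 cover-coding: a 16-bit password half is XORed with the tag's RN16."""
    return (half ^ rn16) & MASK16


class Gen2Tag:
    """Minimal, simplified model of a Gen 2 tag's password check (assumed, not the spec)."""

    def __init__(self, access_password: int) -> None:
        self.access_password = access_password & 0xFFFFFFFF
        self._rn16 = None  # last RN16 handed out in response to Req_RN

    def req_rn(self) -> int:
        # The tag backscatters a fresh RN16 in the clear.
        self._rn16 = secrets.randbits(16)
        return self._rn16

    def unmask(self, masked_half: int) -> int:
        # The tag removes the cover code with the RN16 it just sent.
        return (masked_half ^ self._rn16) & MASK16


def reader_access(tag: Gen2Tag, password: int, air_log: list) -> bool:
    """Reader side: sends the 32-bit access password as two cover-coded halves.

    Every frame is appended to air_log, standing in for what a monitoring
    receiver within range of both links would capture.
    """
    halves = [(password >> 16) & MASK16, password & MASK16]
    seen = []
    for half in halves:
        rn16 = tag.req_rn()
        air_log.append(("tag->reader", "RN16", rn16))
        masked = cover_code(half, rn16)
        air_log.append(("reader->tag", "Access", masked))
        seen.append(tag.unmask(masked))
    return ((seen[0] << 16) | seen[1]) == tag.access_password


def recover_from_capture(air_log: list) -> int:
    """Passive observer: XOR each Access frame with the RN16 that preceded it."""
    halves, rn16 = [], None
    for _direction, kind, value in air_log:
        if kind == "RN16":
            rn16 = value
        elif kind == "Access" and rn16 is not None:
            halves.append((value ^ rn16) & MASK16)
            rn16 = None
    if len(halves) != 2:
        raise ValueError("capture does not contain a complete Access exchange")
    return (halves[0] << 16) | halves[1]


def demo(password: int = 0x1234ABCD) -> tuple:
    """Runs one access exchange; returns (tag accepted, value the observer recovered)."""
    tag = Gen2Tag(password)  # constructed sample password, not a real credential
    log = []
    accepted = reader_access(tag, password, log)
    return accepted, recover_from_capture(log)


if __name__ == "__main__":
    ok, recovered = demo()
    print(f"tag accepted password: {ok}; observer recovered 0x{recovered:08X}")
```

Because the RN16 is a fresh random value each time, the masked frames look different on every exchange, which is why the scheme is sometimes mistaken for encryption; the example shows that the mask and the masked value travel on the same air interface, so the randomness buys nothing against an observer of both directions.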
A smart card communicates with the reader either through direct physical contact (contact cards, following the ISO/IEC 7816 standard) or over a contactless RF interface (contactless cards, following the ISO/IEC 14443 standard). The smart card has an embedded integrated circuit (IC) for data storage and computation. With its built-in IC and associated microcontroller, it can store a large amount of data and perform complex operations. Smart cards include strong security functions, such as encryption and digital signatures, and can interact intelligently with an external RFID system. For example, some contactless cards can encrypt data with the Advanced Encryption Standard (AES) algorithm and can perform mutual authentication using a built-in unique secret key under a public key infrastructure (PKI).
Smart cards and RFID systems should provide a mechanism for mutual verification before a session is established and periodically during communication, to reduce attacks on smart cards. Digital certificates are often used for this; shared keys are another option.
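To make the shared-key option concrete, here is an added example (not from the DHS document or any card vendor) of a mutual challenge-response authentication between a card and a reader using a shared key and HMAC-SHA256. Both sides issue a fresh nonce, and each response binds the responder's role and both nonces, so a recorded response cannot be replayed and a card's own response cannot be reflected back at it as a reader's proof. The class names, the message layout and the sample keys are constructed for the illustration; real contactless cards typically use AES-based schemes, and a production design would also derive a session key from the exchange.

```python
import hashlib
import hmac
import secrets


class Party:
    """One endpoint (card or reader) holding the shared secret key."""

    def __init__(self, role: bytes, key: bytes) -> None:
        self.role = role        # b"card" or b"reader"; mixed into every MAC
        self.key = key
        self.nonce = None

    def challenge(self) -> bytes:
        """Fresh 128-bit nonce, so a response recorded earlier is useless later."""
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def prove(self, peer_nonce: bytes) -> bytes:
        """MAC over (own role || peer's nonce || own nonce)."""
        msg = self.role + b"|" + peer_nonce + b"|" + self.nonce
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def verify(self, peer_role: bytes, peer_nonce: bytes, response: bytes) -> bool:
        """Recomputes what a genuine peer would send; constant-time comparison."""
        msg = peer_role + b"|" + self.nonce + b"|" + peer_nonce
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def mutual_authenticate(card: Party, reader: Party, transcript: list) -> bool:
    """Four-message exchange; every message is appended to transcript."""
    nr = reader.challenge()
    transcript.append(("reader->card", "challenge", nr))
    nc = card.challenge()
    transcript.append(("card->reader", "challenge", nc))

    # Card proves it knows the key first: MAC("card" | nr | nc).
    card_resp = card.prove(nr)
    transcript.append(("card->reader", "response", card_resp))
    if not reader.verify(b"card", nc, card_resp):
        return False  # reader refuses an unknown or cloned card

    # Reader proves itself to the card: MAC("reader" | nc | nr).
    reader_resp = reader.prove(nc)
    transcript.append(("reader->card", "response", reader_resp))
    return card.verify(b"reader", nr, reader_resp)  # card refuses a rogue reader


def run(card_key: bytes, reader_key: bytes) -> bool:
    """Convenience wrapper: True only if both sides hold the same key."""
    card = Party(b"card", card_key)
    reader = Party(b"reader", reader_key)
    return mutual_authenticate(card, reader, [])


if __name__ == "__main__":
    shared = bytes(range(32))        # constructed sample key, not a real one
    print("same key:", run(shared, shared))
    print("rogue reader:", run(shared, bytes(32)))
```

The ordering matters: the card answers first, so a reader that cannot produce a valid proof of its own never learns anything beyond a single MAC over random nonces, and the card releases no application data until the reader's response has been checked.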
Near field communication (NFC)
Near field communication (NFC) is a wireless technology intended for communication between two devices that are very close together (a few centimeters). Its operating frequency, power consumption and hardware and software design determine the limits of the communication distance. NFC lets two devices establish a communication channel that complies with the ISO/IEC 18092 and ISO/IEC 21481 standards. For example, two NFC smartphone users can share photos by holding their phones close to each other.
NFC communication does not require authentication or encryption, but because the two devices must be very close, it is less exposed to threats such as eavesdropping, data modification and man-in-the-middle attacks; it is not immune to them, however. Unless there is a specific need or business justification, NFC should be disabled on devices by default and enabled manually by the user, to minimize potential data leakage.
The RFID back-end system consists of the network components, middleware and business applications that process ID information. Because this system shares ID information with other enterprise systems (such as supply chain applications), the back-end system should be deployed within the trusted enterprise boundary.
Within this boundary are information systems and components approved by the U.S. Department of Homeland Security, which usually controls the applications and their assessment directly. The RFID system must be defended effectively: firewalls, proxies and content filtering are some of the tools and methods used to secure the enterprise boundary. In addition, standard operating procedures for applying security patches and updating the operating systems and applications of the back-end systems should be prepared and implemented.
Tag data security
The data on a tag is vulnerable to various attacks, especially on tags with little data capacity and no strong security functions, for example laptops tracked with EPC Gen 2 passive tags. Instead of storing sensitive data such as an organization code, employee badge number or product serial number directly on the tag, a non-descriptive random unique number can be stored to represent the sensitive identification information, with the mapping and identification performed in the more secure RFID back-end system. In this way, even if the tag data is captured by an unauthorized reader/writer, it reveals no sensitive information.
Depending on the RF band and the power of the equipment, RF signals sent by tags and readers can be captured and decoded at ranges from a few centimeters to hundreds of meters, which must be guarded against.
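The indirection pattern described above (an opaque random identifier on the tag, with the sensitive record held only in the back end) is shown below as an added example that is not part of the DHS document. It issues 96-bit random identifiers (the size of a common EPC), stores the mapping in an SQLite table with parameterized queries, retries on the practically impossible collision, and includes a small enrollment check that the identifier does not embed any sensitive field. The class name, table layout and sample asset records are constructed for the illustration.

```python
import secrets
import sqlite3

EPC_BYTES = 12  # 96 bits, the size of a common EPC identifier


def random_tag_id() -> str:
    """96 random bits, hex-encoded; carries no structure an observer could decode."""
    return secrets.token_hex(EPC_BYTES)


class AssetRegistry:
    """Back-end mapping from opaque tag IDs to the sensitive asset record (constructed)."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE tag_map ("
            " tag_id TEXT PRIMARY KEY, asset_type TEXT, serial TEXT, custodian TEXT)"
        )

    def enroll(self, asset_type: str, serial: str, custodian: str) -> str:
        """Issues a fresh random tag ID and stores the mapping.

        The ID is drawn from the CSPRNG, never derived from the serial or badge
        number, so it cannot be reversed or predicted. A PRIMARY KEY violation
        (astronomically unlikely with 96 bits) simply triggers a new draw.
        """
        while True:
            tag_id = random_tag_id()
            try:
                self.db.execute(
                    "INSERT INTO tag_map VALUES (?, ?, ?, ?)",
                    (tag_id, asset_type, serial, custodian),
                )
                return tag_id
            except sqlite3.IntegrityError:
                continue

    def resolve(self, tag_id: str):
        """Only the back end can turn a captured tag ID into asset details."""
        row = self.db.execute(
            "SELECT asset_type, serial, custodian FROM tag_map WHERE tag_id = ?",
            (tag_id,),
        ).fetchone()
        if row is None:
            return None
        return dict(zip(("asset_type", "serial", "custodian"), row))


def leaks_structure(tag_id: str, *sensitive: str) -> bool:
    """Enrollment sanity check: the tag ID must not contain any sensitive field."""
    return any(s.lower() in tag_id.lower() for s in sensitive if s)


if __name__ == "__main__":
    registry = AssetRegistry()
    # Constructed sample records, not real assets.
    tag = registry.enroll("laptop", "SN-0001-CONSTRUCTED", "hypothetical custodian")
    print("on the tag:", tag)
    print("in the back end:", registry.resolve(tag))
    print("unknown tag:", registry.resolve("00" * EPC_BYTES))
```

What an unauthorized reader obtains from such a tag is only the hex string; without access to `tag_map` it identifies neither the asset type nor its owner, and because the identifier is random rather than sequential, it does not even reveal how many assets have been tagged.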
Guidance on improving the security of RFID technology
Physical access control
RFID signals can pass through the walls of the area of use and propagate around it. General physical access control restricts personnel entering and leaving office buildings, data centers and rooms containing IT equipment, and protects against threats to the physical environment. Beyond this control, the RFID system owner needs to take measures to limit adversaries' physical access to RFID system components.
Given the capabilities of certain adversaries, the proper use of data associated with the RFID system should also be ensured. This means that unintentional misuse by personnel who are not adversaries must also be prevented. The potential misuse of the RFID system and its data (including unintentional use) must be addressed in the privacy documentation, which must be kept up to date as new uses and risks are identified.
Secure tag disposal
Once it has served its purpose, an RFID tag should be disposed of securely. Tags can be destroyed or deactivated physically or electronically.
Physical destruction includes incineration, tearing or shredding, which separates the integrated circuit from the antenna (making the tag harder, but not impossible, to read) and damages or destroys the integrated circuit. Electronic destruction includes using the tag's kill function, or using a strong electromagnetic field to induce a current large enough to render the tag's circuitry inoperable. Although such data-recovery methods are impractical, it is still possible to recover the contents of a tag that has been permanently disabled electronically (for example with a scanning electron microscope). Therefore, if the tag must be rendered completely unreadable, physical or electronic destruction must be followed by incineration.
Separation of duties
Each security task must be assigned to different personnel; no single person may carry out the whole task. This separation is required for proper internal control of sensitive information systems, and it also ensures that no one person can control the system's security mechanisms alone.
Changes to the RFID system should be controlled through configuration management, to ensure that changes remain consistent with the organization's mission. Configuration management usually allows technical support staff to identify the root cause of operational problems quickly, and allows security personnel and auditors to detect misconduct and other policy violations.
Security incident response
Security controls are designed to protect organizations from security threats, but however effective these controls are, some security incidents are inevitable. Before such an incident occurs, the organization needs an effective response capability.
RFID technology is an important part of wireless communication, and the security of RFID systems bears on the asset security of many important departments, so departments using it need to pay attention. In this issue, we have introduced the RFID security content of the DHS 4300A series handbook for the reference of departments using RFID systems.
Responsible editor: CT