Issue No.02 - March-April (2013 vol.10)
pp: 57-69
Di Ma, Coll. of Eng. & Comput. Sci, Univ. of Michigan-Dearborn, Dearborn, MI, USA
N. Saxena, Comput. & Inf. Sci. Dept., Univ. of Alabama at Birmingham, Birmingham, AL, USA
Tuo Xiang, Coll. of Eng. & Comput. Sci, Univ. of Michigan-Dearborn, Dearborn, MI, USA
Yan Zhu, Coll. of Eng. & Comput. Sci, Univ. of Michigan-Dearborn, Dearborn, MI, USA
ABSTRACT
In this paper, we report on a new approach for enhancing security and privacy in certain RFID applications whereby location or location-related information (such as speed) can serve as a legitimate access context. Examples of these applications include access cards, toll cards, credit cards, and other payment tokens. We show that location awareness can be used by both tags and back-end servers for defending against unauthorized reading and relay attacks on RFID systems. On the tag side, we design a location-aware selective unlocking mechanism with which tags can respond selectively to reader interrogations rather than doing so promiscuously. On the server side, we design a location-aware secure transaction verification scheme that allows a bank server to decide whether to approve or deny a payment transaction and to detect a specific type of relay attack involving malicious readers. The premise of our work is a current technological advancement that can enable RFID tags with low-cost location (GPS) sensing capabilities. Unlike prior research on this subject, our defenses do not rely on auxiliary devices or require any explicit user involvement.
INDEX TERMS
Security, Relays, Protocols, Privacy, RFID tags, location sensing, RFID, mobile payment system, relay attacks, context recognition
CITATION
Di Ma, N. Saxena, Tuo Xiang, Yan Zhu, "Location-Aware and Safer Cards: Enhancing RFID Security and Privacy via Location Sensing", IEEE Transactions on Dependable and Secure Computing, vol. 10, no. 2, pp. 57-69, March-April 2013, doi:10.1109/TDSC.2012.89