CSAIL Research Abstracts - 2005

RFID Privacy and Security

Ronald L. Rivest, Simson Garfinkel & Stephen A. Weis

Abstract

Low-cost Radio Frequency Identification (RFID) tags may become one of the most pervasive computing technologies in history when affixed to consumer products as "smart-labels". RFID systems essentially consist of microchip transponders, or tags, that respond to wireless signals from transceivers, or tag readers, with unique identification numbers. Tag readers may identify tagged objects by looking up database records associated with that object's tag ID. Typical implementations allow tags to be read without line-of-sight from distances of 2-8 meters, at a rate of several hundred tag reads per second.

For significant consumer market penetration to occur, RFID tags need to be priced around US$0.05. Advances in RFID technology are likely to break this 5-cent barrier in the near future, making RFID an economical replacement for optical bar codes found on everyday consumer items. RFID tags have major performance and usability advantages over optical bar codes and could yield great productivity gains. Because of this, the market for RFID may be huge, possibly with trillions of tags.

Unfortunately, the universal deployment of low-cost RFID tags may threaten the privacy and security of both individuals and organizations. For example, a corporate spy could monitor the inventory of a store stocking items labeled with insecure tags. Another threat is the tracking of individuals by the insecure tags they carry, violating their "location privacy". Concerns over this issue led to a successful boycott that forced a clothing maker to remove RFID tags from their product [3].

Addressing these issues in the low-cost RFID setting is especially challenging due to the extreme resource scarcity imposed by the US$0.05 price cap. Implementing standard cryptographic algorithms such as DES, AES, or SHA-1 will not be a feasible option for several years. Solutions are needed that provide security and privacy without prohibitively raising costs.

We have been addressing security and privacy issues in low-cost RFID devices. Overviews of these security issues appear in [6], [7] and [9], while specific security mechanisms are proposed in [5], [8] and [10]. Policy issues related to RFID are discussed in [4] and were part of the agenda of the first annual RFID Privacy Workshop at MIT [1]. Our goal is to continue to develop practical cryptographic primitive designs, design secure RFID protocols, and explore the cost versus security trade-offs of resource-scarce devices.

References:

[1] RFID Privacy Workshop at MIT. November 2003.

[2] Auto-ID Center. http://www.autoidcenter.org.

[3] Jim Crane. Benetton Clothing to Carry Tiny Tracking Transmitters. Associated Press, March 2003.

[4] Simson Garfinkel. Adopting Fair Information Practices to Low Cost RFID Systems. In Ubiquitous Computing International Conference Privacy Workshop, September 2002.

[5] Ari Juels, Ronald L. Rivest, and Michael Szydlo. The Blocker Tag: Selective Blocking of RFID Tags for Consumer Privacy. In ACM Computer and Communication Security, May 2003.

[6] Sanjay E. Sarma, Stephen A. Weis, and Daniel W. Engels. RFID Systems and Security and Privacy Implications. In Workshop on Cryptographic Hardware and Embedded Systems, pages 454-470. LNCS, 2002.

[7] Sanjay E. Sarma, Stephen A. Weis, and Daniel W. Engels. Radio-Frequency Identification: Security Risks and Challenges. In RSA CryptoBytes, 6(1), Winter/Spring 2003.

[8] Stephen A. Weis, Sanjay E. Sarma, Ronald L. Rivest, and Daniel W. Engels. Security and Privacy Aspects of Low-Cost Radio Frequency Identification Systems. In Security in Pervasive Computing, 2003.

[9] Stephen A. Weis. Security and Privacy in Radio-Frequency Identification Devices. Master's thesis, Massachusetts Institute of Technology, Cambridge, MA 02139, May 2003.

[10] Stephen A. Weis. Security Parallels Between People and Pervasive Devices. In IEEE Conference on Pervasive Computing and Communication. March 2005.


Computer Science and Artificial Intelligence Laboratory (CSAIL)
The Stata Center, Building 32 - 32 Vassar Street - Cambridge, MA 02139 - USA
tel:+1-617-253-0073 - publications@csail.mit.edu
(Note: On July 1, 2003, the AI Lab and LCS merged to form CSAIL.)