Radio Frequency Identification (RFID) is an electronic tagging technology that allows objects to be automatically identified at a distance without a direct line-of-sight using an electromagnetic challenge-and-response exchange of data. An RFID system consists of RF readers and RF tags. RF tags are attached to objects and used as unique identifiers of those objects. RFID technologies enable a number of business and personal applications, and smooth the way for physical transactions in the real world, such as supply chain management, transportation payment, animal identification, warehouse operations, and more. Though they bring great productivity gains, RFID systems may cause new security and privacy threats to individuals or organizations, which have become a major obstacle to their wide adoption. Therefore, it is important to address the security and privacy issues in RFID systems.
In this dissertation, we investigate security and privacy issues for large-scale RFID systems. Since any object is uniquely identifiable with an RF tag, the tag's ID must be protected from adversaries during data communications while the authenticity of tags is preserved. Hence, we first propose private authentication protocols that allow RF readers to singulate individual tags without disclosing the tags' content to adversaries. To design a secure access protocol, two different approaches are taken: encryption-based and non-encryption-based. In the encryption-based approach, we propose a structured key management scheme with low-cost cryptographic operations based on a skip list. This can be applied to large-scale RFID systems. On the other hand, shared key exchanges are not feasible in some contexts. Hence, we develop a distributed RFID architecture for secure data communications without a shared secret. With a novel encoding scheme and jamming technique, the distributed RFID authentication scheme protects tags from various types of adversaries.
With a private authentication protocol, readers can securely validate tags' authenticity. After reading a tag, an RFID system updates the object's status or generates data. Thus, any piece of data in the back-end server is associated with a particular tag. For a high-quality RFID-based data service, the authenticity of data is of concern. Therefore, we study verifiable RFID systems, where a set of data related to a tag can be verified in the sense that the data is associated with the tag and no element of the data can be modified without being detected. To realize such a verifiable RFID system, we build a new RFID architecture that integrates multiple RFID systems into a single exa-scale RFID system, then formulate the data verification problem, and then propose data verification protocols.
The proposed solutions are mathematically analyzed, and computer simulations are conducted to measure all aspects of the RFID systems, including the degree of security and the cost of control overhead. Furthermore, we implement a prototype of a verifiable RFID system. The performance evaluations show that the proposed protocols achieve their design goals. We believe this research serves as the foundation for the next generation of RFID systems.