Secure Ownership and Ownership Transfer in RFID Systems

Ton van Deursen1*, Sjouke Mauw1, Saša Radomirović1, and Pim Vullers1,2
1 University of Luxembourg, Luxembourg.
2 Radboud University Nijmegen, The Netherlands.
We present a formal model for stateful security protocols. This model is used to define ownership and ownership transfer as concepts as well as security properties. These definitions are based on an intuitive notion of ownership related to physical ownership. They are aimed at RFID systems, but should be applicable to any scenario sharing the same intuition of ownership.
We discuss the connection between ownership and the notion of desynchronization resistance and give the first formal definition of the latter. We apply our definitions to existing RFID protocols, exhibiting attacks on desynchronization resistance, secure ownership, and secure ownership transfer.
RFID protocols, ownership, desynchronization resistance, ownership transfer, formal verification
* Supported by a grant from the Fonds National de la Recherche (Luxembourg).

1   Introduction

Radio frequency identification (RFID) is expected to become a key technology in supply chain management, because it has a large potential to save costs. Two of the cost-saving advantages of this technology are the improved efficiency of inventory tracking and the reduction of counterfeit products. The former is due to the fact that RFID is contactless and requires no line of sight between the RFID reader and the RFID tag attached to a product. The latter is because RFID tags can store and process information as well as execute simple communication protocols.

As products flow through a supply chain, their ownership is transferred from one partner to the next. This transfer of ownership extends to the RFID tags attached to these products. This means that at some point in time a supply chain partner owns the products and RFID tags legally, by means of a title, and physically by the fact that the goods are at his premises. In general, ownership of an object allows one to (exclusively) interact with the object, modify the object, and transfer ownership of the object to someone else.

In this work, we propose and attempt to validate a definition of ownership in RFID systems, which is inspired by the legal and physical meaning of ownership. We use this definition as a basis to define secure ownership, in Section 3, and secure ownership transfer in RFID protocols in Section 4. These definitions are particularly relevant for RFID systems in supply chains, but we expect them to be also applicable to other scenarios that share the same intuition of ownership, such as future parcel delivery systems. The definitions of these properties are, to the best of our knowledge, the first formal definitions proposed. We attempt to validate them by considering a published protocol designed for ownership transfer. We exhibit a flaw in the protocol and demonstrate attacks on secure ownership and secure ownership transfer.

6   Related Work

Work on ownership transfer in RFID systems has thus far mostly focused on designing ownership transfer protocols, but not on their security requirements. A notable exception is the work by Song [7]. It provides a first survey of security requirements related to ownership transfer. Song also proposes a set of protocols for secure ownership transfer based on earlier work by Song and Mitchell [6]. However, this set of protocols suffers from the same flaws that are described in Section 5 and by Van Deursen and Radomirović [8].

The first treatment of ownership transfer in RFID systems is due to Molnar et al. [9]. They describe a protocol that relies on a trusted center. Readers send tag pseudonyms to the center requesting the real identity of a tag. If the reader is the owner of the tag it receives the identity. Owners of tags can ask the trusted center to transfer the ownership of a tag to a new owner. The trusted center subsequently refuses identity requests from the old owner, and accepts them from the new owner. A trusted party is also used by the protocol of Saito et al. [10]. Here, the trusted party shares a key with the tag which is used to update the owner's key. Hence an ownership transfer consists of a request to the trusted party to encrypt the new owner's key for the tag.

Osaka et al. [11] are among the first to propose a two-party ownership transfer protocol. Lei and Cao [12], Jäppinen and Hämäläinen [13], and Yoon and Yoo [5] describe a flaw in the protocol by Osaka et al. and propose an improved version of the protocol.We describe an attack on Yoon and Yoo's protocol in Section 4.2.

Lim and Kwon [14] propose a protocol which, compared to other solutions, uses a more computationally intensive mutual authentication method based on key chains. Solutions based on symmetric encryption have also been proposed by Fouladgar and Afifi [15] and Koralalage et al. [16]. Finally, one of the most recent protocols in this area is due to Dimitriou [17]. Its distinguishing feature is that it enables the owner of a tag to revert the tag to its original state. This is useful for after-sales services, since it makes it possible for the tag's new owner to let a retailer recognize a sold tag.

7   Conclusion and Future Work

We have presented formal definitions of ownership and ownership transfer, as well as their secure variants. We have demonstrated the applicability of our definitions by exhibiting attacks on secure ownership, exclusive ownership, and secure ownership transfer on a recently proposed ownership transfer protocol [5]. As an application of our definitions we have formalized desynchronization resistance. We have used this formalization to uncover a flaw in a stateful RFID protocol [6].

While we consider a formal definition of ownership to be of independent interest, it will clearly become much more valuable when combined with existing security and privacy properties. For instance, in a parcel delivery system, where RFID tags are attached to parcels, non-repudiation for obtaining ownership of RFID tags and untraceability of these tags by unauthorized entities become important.We have only briefly indicated the connections between untraceability and exclusive ownership. A useful next step is to study conditions under which untraceable protocols can be safely composed with ownership transfer protocols. This requires in particular an investigation into the interplay between two or more untraceable protocols out of a set of protocols.

Another direction concerns the construction of ownership transfer protocols and proofs of their correctness. The model used in this work has been designed in such a way that the verification of our security requirements should be possible with a model checking tool.

We are grateful to Carst Tankink, Erik de Vink, and the anonymous reviewers for their valuable comments which helped to improve this work.

References

  1. Cremers, C., Mauw, S.: Operational semantics of security protocols. In: Scenarios: Models, Algorithms and Tools (Dagstuhl 03371 post-seminar proceedings, September 7-12, 2003). Volume 3466 of Lecture Notes in Computer Science. (2005) 66-89
  2. Ryan, P., Schneider, S., Goldsmith, M., Lowe, G., Roscoe, B.: Modelling and Analysis of Security Protocols. Addison-Wesley Professional (2001)
  3. Dolev, D., Yao, A.: On the security of public key protocols. IEEE Transactions on Information Theory IT-29(2) (1983) 198-208
  4. Rudolph, E., Graubmann, P., Grabowski, J.: Tutorial on message sequence charts. Computer Networks and ISDN Systems 28(12) (1996) 1629-1641
  5. Yoon, E., Yoo, K.: Two security problems of RFID security method with ownership transfer. In: Proc. IFIP International Conference on Network and Parallel Computing, IEEE Computer Society (2008) 68-73
  6. Song, B., Mitchell, C.: RFID authentication protocol for low-cost tags. In: Proc. First ACM Conference on Wireless Network Security, ACM (2008) 140-147
  7. Song, B.: RFID tag ownership transfer. In: Proc. Workshop on RFID Security. (2008)
  8. van Deursen, T., Radomirović, S.: Attacks on RFID protocols. Cryptology ePrint Archive, Report 2008/310 (2008) http://eprint.iacr.org/.
  9. Molnar, D., Soppera, A., Wagner, D.: A scalable, delegatable pseudonym protocol enabling ownership transfer of RFID tags. In: Proc. Selected Areas in Cryptography. Volume 3897 of Lecture Notes in Computer Science., Springer (2005) 276-290
  10. Saito, J., Imamoto, K., Sakurai, K.: Reassignment scheme of an RFID tag's key for owner transfer. In: Proc. Embedded and Ubiquitous Computing. Volume 3823 of Lecture Notes in Computer Science., Springer (2005) 1303-1312
  11. Osaka, K., Takagi, T., Yamazaki, K., Takahashi, O.: An efficient and secure RFID security method with ownership transfer. In: Proc. Computational Intelligence and Security, Springer-Verlag (2006) 778-787
  12. Lei, H., Cao, T.: RFID protocol enabling ownership transfer to protect against traceability and dos attacks. In: Proc. The First International Symposium on Data, Privacy, and E-Commerce, IEEE Computer Society (2007) 508-510
  13. Jäppinen, P., Hämäläinen, H.: Enhanced RFID security method with ownership transfer. In: Proc. International Conference on Computational Intelligence and Security, IEEE Computer Society (2008) 382-385
  14. Lim, C., Kwon, T.: Strong and robust RFID authentication enabling perfect ownership transfer. In: Proc. Conference on Information and Communications Security. Volume 4307 of Lecture Notes in Computer Science., Springer (2006)
  15. Fouladgar, S., Afifi, H.: A simple privacy protecting scheme enabling delegation and ownership transfer for RFID tags. Journal of Communications 2 (2007) 6-13
  16. Koralalage, K., Reza, S.M., Miura, J., Goto, Y., Cheng, J.: POP method: an approach to enhance the security and privacy of RFID systems used in product lifecycle with an anonymous ownership transferring mechanism. In: Proc. ACM Symposium on Applied Computing, ACM (2007) 270-275
  17. Dimitriou, T.: rfidDOT: RFID delegation and ownership transfer made simple. In: Proc. 4th International Conference on Security and Privacy in Communication Networks, ACM (2008) 1-8
  18. Fokkink, W.: Introduction to Process Algebra. Texts in Theoretical Computer Science. An EATCS Series. Springer-Verlag (2000)