Threats in supply chains, such as counterfeiting, product piracy and product recall, are growing dramatically in terms of volume, sophistication, and countries affected. The phenomenon is no longer specific to certain products or markets. The high-dimensional problem of pirated goods calls for multi-faceted and diverse solution approaches that go beyond today’s techniques, such as paper pedigree and optical security features. For these reasons we study trust and security in RFID-based product authentication systems.
We first present a formal definition of the product authentication process and then derive the general chain of trust as well as the functional and nonfunctional security requirements for product authentication. Most of the scientific literature that covers the topic focuses on cryptographic tag authentication only. This paper, however, provides a broader view that also includes other known approaches, most notably location-based authentication. To derive the functional security requirements, we employ the concept of misuse cases, which extends the use case paradigm well known in the field of requirements engineering. We argue that the level of security of any RFID-based product authentication application is determined by how it fulfills the derived set of functional and nonfunctional requirements. The security of different RFID-based product authentication approaches is analyzed. To study how RFID supports secure product authentication in practice, we investigate how the current EPC standards conform to the functional security requirements of product authentication and show how the unaddressed requirements could be fulfilled. The benefits of implementing a service that detects cloned tags at the level of the network’s core services are identified.
- Investigation of product authentication concepts that are available for existing low-cost RFID tags
- Detection of cloned RFID tags from incomplete RFID traces
- Evaluation of product authentication concepts with regard to security and business aspects
- Mikko Lehtonen, How to secure supply chains against counterfeit products using low-cost RFID, Dissertation, ETH Zürich, No. 18762, 2009
- Lehtonen, M., Michahelles, F., Fleisch, E.: Trust and Security in RFID-based Product Authentication Systems. IEEE Systems Journal, Special Issue on RFID Technology: Opportunities and Challenges, Vol. 1, No. 2, pp. 129-144, December 2007.
- Lehtonen, M., Michahelles, F., Fleisch, E.: How to Detect Cloned Tags in a Reliable Way from Incomplete RFID Traces. In 2009 IEEE International Conference on RFID, Orlando, Florida, April 27-28, 2009, pp. 257 – 264.
- Lehtonen, M., Ruhanen, A., Michahelles, F., Fleisch, E.: Serialized TID Numbers – A Headache or a Blessing for RFID Crackers? In 2009 IEEE International Conference on RFID, Orlando, Florida, April 27-28, 2009, pp. 233 – 240.
- Lehtonen, M., Ostojic, D., Ilic, A., Michahelles, F.: Securing RFID Systems by Detecting Tag Cloning. In proceedings of H. Tokuda et al. (Eds.): 7th International Conference, Pervasive 2009, Nara, Japan, May 11-14, 2009. LNCS 5538, pp. 291–308.
- Protecting EPC Tags, Michahelles, F. and Lehtonen, M., Inside the labs column in RFID Journal, 1. August, 2008.
- Staake, Thorsten; Michahelles, Florian; Fleisch, Elgar; Williams, John R.; Min, Hao; Cole, Peter; Lee, Sang-Gug; McFarlane, Duncan; Murai, Jun: Flagship Project Anti-Counterfeiting & Secure Supply Chain, Auto-ID Labs White Paper, 2006.
- Thorsten Staake, Frederic Thiesse, and Elgar Fleisch: Extending the EPC network: the potential of RFID in anti-counterfeiting. In Proceedings of the 2005 ACM symposium on Applied computing (SAC ’05), Lorie M. Liebrock (Ed.). ACM, New York, NY, USA, 1607-1612.