Paper 2009/465

Readers Behaving Badly: Reader Revocation in PKI-Based RFID Systems

Rishab Nithyanand, Gene Tsudik, and Ersin Uzun

Abstract

The recent emergence of RFID tags capable of performing public key operations motivates new RFID applications, including electronic travel documents, identification cards and payment instruments. In such settings, public key certificates form the cornerstone of the overall system security. In this paper, we argue that one of the prominent (and still woefully unaddressed) challenges is how to handle revocation checking of RFID reader certificates. This is an important issue considering that these high-end RFID tags are geared for applications such as e-documents and contactless payment instruments. Furthermore, the problem is unique to public key-based RFID systems, since tags (even those capable of complex cryptographic operations) have no clock and thus cannot use traditional (time-based) off-line revocation checking methods, whereas on-line methods require unrealistic connectivity assumptions. In this paper, we address the problem of reader revocation in PKI-based RFID systems. We begin by observing an important distinguishing feature of personal RFID tags used in authentication, access control or payment applications: the involvement of a human user. We then take advantage of the user's awareness and presence to construct a simple, efficient, secure and (most importantly) feasible solution for reader revocation checking. Finally, we evaluate the usability and practical security of our solution via usability studies and discuss its feasibility in a case study of e-Passports. In our approach, the main extra feature is the requirement for a small passive on-tag display. However, as discussed in the paper, modern low-power display technology (e.g., e-paper) is low-cost and appealing for other (e.g., authentication and verification) purposes.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Published elsewhere. Unknown where it was published
Keywords
RFID, Revocation, Epassports, Electronic Payment Cards, Smart Cards
Contact author(s)
rishabn @ uci edu
History
2010-04-07: last of 11 revisions
2009-09-26: received
Short URL
https://ia.cr/2009/465
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2009/465,
      author = {Rishab Nithyanand and Gene Tsudik and Ersin Uzun},
      title = {Readers Behaving Badly: Reader Revocation in PKI-Based RFID Systems},
      howpublished = {Cryptology ePrint Archive, Paper 2009/465},
      year = {2009},
      note = {\url{https://eprint.iacr.org/2009/465}},
      url = {https://eprint.iacr.org/2009/465}
}