Security analysis and review of digital signature-based low-cost RFID tag authentication

BACKGROUND: In logistic processes, radio frequency identification (RFID) technology provides possibilities for improving the integrity of shipments, the performance of supply chains and for enabling leaner processes. RFID tags are used in logistics to identify and authenticate users, products or shipments. Especially cheap, passive long-range low-cost RFID tags are of interest, but these provide security-related challenges. In new implementations of this RFID technology the threats and risks must be carefully considered as they can result in system malfunctioning, revenue losses and illegal activities. Hence, there is a need for cryptography techniques for low-cost RFID tags. Various lightweight security mechanisms that take into account the limitations of the tags have been designed. The potentiality of using asymmetric cryptography and digital signatures in tags is one such mechanism that enables more secure tag authentication. RESULTS: This paper explores how asymmetric digital signatures have been used for RFID tag authentication. The paper provides a literature overview of the methods used in both research and in commercial products, and provides knowledge about gained and missing protection in such use cases. A method based on asymmetric Elliptic Curve Digital Signature Algorithm (ECDSA) digital signatures has been developed for the authentication of low-cost RFID tags. In addition to this, the paper categorizes RFID threats to categories as presented in IETF RFC 4949 and analyzes how using asymmetric cryptography-based digital signatures protects against described threats and attacks suitable for low-cost RFID tags that do not use additional security mechanisms. CONCLUSIONS: This paper finds that asymmetric cryptography and digital signatures are suitable for low-cost RFID tags and that usage of them gives additional security, especially against physical data modification and impersonation attacks. The research underlines that IETF RFC 4949 is suitable for categorization of threats and attacks towards RFID technology. In addition to this, systematic threat and attack categorization and analysis enables the specification of further threats.