10/10/2013

Internet of Things and RFID Security Issues and Countermeasures Featuring the Biometric e-Passport: An Introductory Exploratory Research

By Leutele Lucia Maria Grey

October 2013

Academic Journal, Postgraduate Diploma

Paper IT8417 Network Security and Forensics

Lecturer: Steve Cosgrove

Leutele Lucia Maria Grey, FACULTY OF BUSINESS AND INFORMATION TECHNOLOGY, PORIRUA.


©2013 Leutele Grey Leutele LM Grey Information Technology IT8417 Network Security and Forensics Semester 2.2013

ABSTRACT

This paper examines the combination of three technologies, the Internet of Things (IoT), Radio Frequency Identification (RFID) and the biometric e-Passport, with a special focus on security threats and countermeasures. The IoT refers to uniquely identifiable smart objects (things) and their virtual representation in an Internet-like structure. RFID allows individual objects to identify each other and talk to each other, gradually forming a network of information called the IoT. This paper describes the capabilities of both IoT and RFID with a special focus on security issues and countermeasures. The biometric e-Passport is used as a single-object case study to enable close investigation of security issues and countermeasures. It was found that while the combination of IoT, RFID and biometric technologies presents a sophisticated way to secure identification documents such as e-Passports or digital passports and travel visas, the idea unfortunately entails a host of security issues. The UN-ICAO is responsible for overseeing interoperability and providing security countermeasures to eliminate security threats in biometric e-Passports.

Key Words: Internet of Things, RFID, Biometric e-Passport.

SECTION 1. INTRODUCTION

The IoT comprises billions of autonomous internet-connected objects (ICOs) or "things" that can sense, communicate, compute, and potentially actuate, as well as having intelligent multimodal interfaces, physical/virtual identities, and attributes (Zslavask, 2013). The IoT infrastructure, as demonstrated in Figure 1, incorporates concepts from pervasive, ubiquitous and ambient computing, which have been evolving since the late 1990s, as they fuse the digital and physical worlds by bringing different concepts and technical components together.

Figure 1: Internet of Things Architecture

Further, along with the World Wide Web and mobility, with billions of ICOs and a diverse abundance of sensors (e.g. RFID), the IoT is an enabler of ubiquitous sensing. Further, while smart objects are the building blocks for the IoT, the world vision of a global networked physical-objects infrastructure is made possible by the success of RFID tags and an extensive infrastructure of networked RFID readers (Kortuem, Kawsar, Fitton & Sundramoorthy, 2010). While the approach optimally supports tracking physical objects within well-defined confines (e.g., warehouses), it limits the sensing capabilities and deployment flexibility required by more challenging application scenarios. For example, the range of RFID tags depends on their frequency, which means that different frequencies are used on different RFID tags depending on the application (Ahsan, Shah & Kingston, 2010).

This introductory exploratory study briefly examines the IoT and RFID, and introduces the biometric e-Passport as a single-object case study which will be used to demonstrate security threats and countermeasures. The rest of this paper is organised as follows: Section 2 discusses other related work. Section 3 focuses on the problem formulation. Section 4 examines RFID technology. Section 5 explores the biometric e-Passport. Sections 6 and 7 investigate security threats and countermeasures. Section 8 presents further discussion, and the paper concludes with Section 9.

SECTION 2. OTHER RELATED WORK

López, Ranasinghe, Harrison and McFarlane (2012) examine the technologies fundamental to the IoT and propose an architecture that integrates them into a single platform. Kortuem, et al (2010) present a prototyping experimentation study which identifies three canonical smart object fundamental design and architectural principles. Welbourne, Battle, Cole, Gould, Rector, Raymer, and Borriello (2009) introduce a building-scale, community-oriented RFID ecosystem research infrastructure which creates a microcosm for the IoT, aimed at investigating applications, systems, and social issues likely to emerge in a real day-to-day setting. Smith (2011) presents an IoT for the European Research cluster aimed at defining and promoting a common vision of the IoT featuring: Russia, India, Malaysia, Korea, China, Japan and USA. d'Hont (2004) explores RFID and real-life application profiles that can appropriately communicate successful application of the technology. Juels, Molnar and Wagner (2005) explore the privacy and security implications of the microchip with a new type of authentication platform deployment in passports, while Kumar, Srinivasan and Narendran (2012a, 2012b) provide a cryptographic security analysis of the e-Passport using the biometric digital facial image, a fingerprint, a palm print and iris. Finally, Roberts (2007) presents a broader practical view of biometric system attack vectors and outlines potential defences.

SECTION 3. PROBLEM FORMULATION

The e-Passport contains highly sensitive data of an individual including digital facial images, the iris, palm of the hand and fingerprints. Therefore protecting biometric and biographical data against unauthorized access must be considered highly important to the value and consistency of an authentication system, particularly when considering the quality of the data protection mechanisms (security mechanisms that are implemented in RFID chips and biometrics data are vulnerable).

SECTION 4. RFID TECHNOLOGY

Automatic identification technologies such as RFID are fundamental enablers of the realization of the IoT because they enable connecting "things" with their virtual identity on the Internet (López, et al, 2012; Juels et al, 2005). For example, RFID tags that are attached to objects contain and expose unique identification (UID) numbers that can be read wirelessly by interrogating devices, which are used to obtain information relative to individual instances of objects, managed by networked back-end systems (López, et al, 2012). In addition, miniaturised sensors may now monitor the condition of objects, consequently making it possible to dynamically act upon changes to the status of objects such as those derived from their temperature, humidity, and chemical composition. This means that historical records including both identification and sensor data can be utilized off-line to trace the evolution of the objects' location and status throughout their life cycle (López, et al, 2012).

In addition, low-power radio communication technologies and the availability of increasingly powerful low-cost embedded processors maximise the autonomy of objects by providing them with networking capabilities and local intelligence (López, et al, 2012). In addition, the distributed information infrastructures which use the Internet Protocols for communication serve as the connection hubs for all the "things", together with other resources such as databases, data mining tools, and computer networks (López et al 2012).

4.1. RFID System

An RFID system may consist of various components, as depicted in Figure 2, including the:

• RFID Tag (that picks up the code)

• RFID Reader (receiver of tag information, manipulator)

• Antenna (tag detector, creates a magnetic field)

• Application middleware (user interface) which connects to the database, enabling objects to connect to the information technology infrastructure (Ahsan et al, 2010)

• Database

These components are integrated, thus allowing the RFID system to induct an object (tag) and perform various operations on it. In other words, the integration of RFID components enables the implementation of an RFID solution infrastructure.

Figure 2: RFID System Component

Source: http://www.bentsystems.com

4.2 RFID Tags

Ahsan et al (2010) explain that an RFID tag contains a microchip that stores in its memory the object's UID number, with an integrated circuit embedded in a silicon chip. In addition, the RFID memory chip can be permanently fixed or changeable depending on the read/write characteristics. For example, read-only and rewrite circuits are different, as read-only tags contain fixed data which cannot be changed without being re-programmed electronically (Ahsan et al, 2010). On the other hand, re-write tags can be programmed through the reader at any time without limits (Ahsan et al, 2010). RFID tags, as pictured in Figure 3, come in different sizes and shapes depending on the application and the environment in which they will be used.

Figure 3: Variety of different shapes and sizes of RFID tags. Source: Ahsan et al 2010

4.3 Five Classes of RFID Tags

RFID tags can also be classified by their capabilities, such as reading and writing data, as displayed in Figure 4 (Ahsan et al, 2010).

Figure 4: 5 Classifications of RFID Tags. Source: Ahsan et al (2010)

4.4 Types of RFID Tags

The three types of RFID tags are: passive, semi-active and active. Semi-active tags have a combination of active and passive tag characteristics (Ahsan et al, 2010) and are compared in Figure 5.

Figure 5. Passive and Active RFID Comparison

SECTION 5. BIOMETRIC E-PASSPORT

5.1 Case Study

Historically, the biometric e-Passport has been in operation since 1998; however, according to Kc et al (2005), it was only after the tragic terror attacks of 9/11/2001 that the U.S. Congress made a mandatory declaration that by the end of year 2005, the passports of all foreign travellers travelling to the US, including the passports of all those individuals that are produced in the U.S., must carry biometric information based on guidelines issued by the International Civil Aviation Organization (ICAO) (Kc et al, 2005). An e-Passport is the same as a traditional passport with the addition of a small integrated circuit (or "chip") embedded in it, which stores the same data visually displayed in the paper passport, with an acceptable biometric identifier as in Figure 7, e.g. a digital facial image, which will facilitate the use of face recognition technology at the port of entry; a UID number; and the inclusion of a digital signature to protect the stored data from being altered.

Figure 7: ISO Biometric Standard Requirement

A biometric identifier is a measurable physical or behavioural characteristic of an individual, which can be used to verify the identity of that individual or to compare against other entries when stored in a database. Basically, the approved biometric features can be one of the following: a digital facial photo, or a digital photo of the palm of the hand, or a fingerprint, or the digital image of the iris, and must include a digital signature of the passport holder, home country and the host country (Malčík & Drahanský, 2012).

While biometric technologies have the ability to improve travel document systems, which is a crucial milestone, naturally there are security threats due to the fact that all biometric features are usually very sensitive information requiring appropriate treatment along with security measures (Malčík et al, 2012), which will be discussed in detail in Sections 6, 7, and 8. With the introduction of RFID technology for implementation of the e-Passport, the ICAO standards required all member countries' biometric e-Passports to be labelled with the international logo as shown in Figure 8.

Moreover, the ISO 14443 standard's required frequency for transmission is 13.56 MHz with a short range (max. 15 cm). Also, the passport RFID chip must provide, among others, cryptographic functions and read/write memory modules, accompanied by memory modules that are readable only by the tag itself (i.e. no information from these memory cells can be retrieved out of the device) (Malčík et al, 2012). Section 5.2 discusses the e-Passport system design, which is a transition from a user-oriented document to a document oriented to programmers or database personnel, connecting to a logical and physical design walkthrough before implementation (Kumar et al, 2012).

5.2 Logical Data Structure

The ICAO issued a standardized data structure called the Logical Data Structure (LDS), aimed at maintaining interoperability (Kolahan & Thapaliya, 2011), as described in Table 1, for the storage of data elements (Kumar et al, 2012). To ensure global interoperability, the ICAO standards state that e-Passport RFID Tags and Readers must be maintained, and that all 16 data groups must be write-protected and can be written only at the time of issue (Kolahan et al, 2011; Kumar et al 2012). Table 1 provides an example of an e-Passport LDS for an issuing state in which a hash of data groups 1-16 is stored in the security data element (SOD), each of which should be signed by the issuing state (Kumar et al, 2012).

Table 1. An e-Passport Logical Data Structure

5.3. Passport Certification

The biometric authentication procedure for e-Passports involves two processes, namely Registration and Verification (Kumar et al, 2012).

a) Registration

During the registration phase, an e-Passport applicant registers his/her biometric at a secure location under human supervision. In addition, a feature extraction program is used to encode the biometric data, after which it is stored on the user's e-Passport Tag (Kumar et al, 2012).

b) Verification

According to Kumar et al (2012), the user authentication and identity verification processes at an inspection terminal require the user to present a sample of the biometric, and the same feature extraction algorithm is used to encode the newly supplied biometric. Further, a matching algorithm is used at the terminal to measure the degree of similarity between the registered and supplied biometric (Kumar et al, 2012). Finally, it is only when the results show that the degree of similarity is greater than a certain threshold value that the biometric is accepted and the user identity is verified successfully.

In addition, the chip memory, as demonstrated in Figure 9, is logically divided into two main regions: one is accessible from outside of the chip (via wireless communication), while the other hides its contents inside for internal functions and is part of the security of the chip (Kumar et al, 2012).

Figure 9: Content hidden in the Chip. Source: (Kumar et al, 2012).

In addition, the part of the chip memory available for reading provides sixteen separate data groups (labelled DG1, DG2…DG16; see Fig. 9 and Table 1), and each group incorporates different data. While dissimilar types of protection are used for the groups of stored data, the data groups DG1, DG2, DG3 and DG5 are important within the scope of biometric e-Passports, because they are used for storing information related to the identity check (Kumar et al, 2012). Section 5.4 presents a simple RFID system architecture and functionalities.

5.4 RFID System in a Biometric e-Passport

Within an e-Passport RFID system (see Figure 10), the chip contains a UID code. For example, when the e-Passport traveller arrives at his/her travel destination, the customs officer scans the e-Passport using a scanner which activates the microchip. The RFID reader emits, via its antenna, a low-level radio-frequency magnetic field that energises the tag, and reads the code that the tag carries. The tag then responds to the reader's query and announces its presence via radio waves (antenna), then transmits its unique identification data. From here, the data is decoded and passed to the local application system database via the e-Passport middleware, which acts as an interface between the reader and the RFID application system (Kumar et al, 2012). Following this, the system searches and matches the identity code with the information stored in the host database or backend system. In this initial stage, accessibility or authorisation for further processing can be granted or refused, depending on the results received by the reader and processed by the database (Kumar et al, 2012; Juels et al, 2005).

Figure 10. IoT, RFID and Biometric e-Passport Architecture and Deployment

SECTION 6. SECURITY THREATS

6.1 Introduction

Juels et al (2005) state that the US and other governments have continuously conducted major initiatives in order to fuse RFID and biometric technologies in a new generation of e-Passports and other identity cards. Further, the ICAO has envisaged the RFID chip as having the capability to reduce fraud, ease identity checks, and enhance security. However, RFID and biometric technologies also entail a host of new security risks. For example, the most common security threats (Juels et al, 2005) faced by biometric e-Passports include:

• clandestine scanning and clandestine tracking

• skimming and cloning

• eavesdropping

• biometric data leakage

• cryptographic weaknesses

6.2 Clandestine Tracking and Scanning

On the one hand, clandestine scanning is defined as a secret way of reading the electronic data of an e-Passport without the permission of its holder, e.g. name, date, place of birth and nationality can be retrieved easily by anyone having access to the reader (Juels et al, 2005). On the other hand, clandestine tracking is the ability to locate an individual, and it can easily compromise location privacy. By comparison, clandestine tracking can be more harmful than clandestine scanning because the attacker can keep track of information on a global scale without physical presence.

6.3 Skimming and cloning

The ISO 14443 standard requires digital signatures on the e-Passport data, thus allowing the reader to verify that the data came from the correct passport-issuing authority. However, digital signatures may not bind the data to a particular e-Passport or chip, which means they offer no defence against cloning (Juels et al, 2005).

6.4 Eavesdropping

Eavesdropping is particularly problematic for three reasons.

• Function creep: The ICAO guidelines envisage that e-Passports are likely to be used not only in airports, but in areas such as e-commerce, thus eavesdropping will be possible in a variety of circumstances (Juels et al, 2005).

• Feasibility: Given that eavesdropping is a passive operation, unlike clandestine scanning, eavesdropping is feasible at a longer distance (Juels et al, 2005).

• Detection difficulty: As it is purely passive and does not involve powered signal emission, eavesdropping is difficult to detect (unlike clandestine scanning) (Juels et al, 2005).


6.5 Biometric data-leakage

Among other data, e-Passports include biometric images. These images would not need to be secret to support authentication if the physical environment were strictly controlled. However, existing and proposed deployments of e-Passports will facilitate automation, and the resulting weak human oversight makes the secrecy of biometric data very important (Juels et al, 2005).

6.6 Cryptographic Weaknesses

Juels et al (2005) state that the ICAO guidelines include optional mechanisms for authenticating and encrypting passport-to-reader communications; see Table 2, which shows the functions and deficiencies of the four protocols PA, AA, BAC and EAC.

Table 2: Cryptography in E-Passport ICAO Specifications. Source: Kolahan, H., & Thapaliya, T (2011)

The ICAO authentication mechanisms were developed to ensure that a reader initially makes optical contact with an e-Passport, and scans the name, date of birth, and the UID number in order to derive a cryptographic key 'K' with two functions:

1. It allows the e-Passport to establish that it is talking to a legitimate reader before releasing RFID tag information.

2. It is used to encrypt all data being transmitted between the e-Passport and the reader.

It follows that once a reader knows the key 'K', there is no mechanism for revoking access, which means that an e-Passport holder travelling to a foreign country gives that country's customs officer the right to scan his or her passport in perpetuity. Arguably, this method generates cryptography which has some minor flaws (Juels et al, 2005), e.g. identity theft.

SECTION 7. COUNTERMEASURES

7.1. Faraday Cages versus the BAC

One of the simplest measures for preventing unauthorized reading of an e-Passport is to add a radio frequency (RF) blocking material on top of the embedded microchip (used by the US). For example, materials such as aluminium fibre are opaque to RF signals and could be utilized to create a Faraday cage that covers the embedded microchip, thus preventing an intruder from reading the data from the database inside the e-Passport (Juels et al, 2005). Before such a passport can be read, it has to be physically opened. Once it is open for a legitimate read, however, the cage no longer shields the chip, so Faraday cages do not prevent eavesdropping on legitimate conversations between readers and tags, and as a result, the ICAO favours the BAC protocol, which is discussed in detail in Section 8.3. Moreover, the research community has proposed a number of tools for protecting RFID privacy, including Blocker Tags and the Antenna Energy Analysis.


7.2. The BAC

The long-term keys for BAC have roughly 52 bits of entropy, which is too low to resist a brute-force attack (Juels et al, 2005). Therefore, a simple countermeasure is to add a 128-bit secret, unique to each e-Passport, to the key derivation algorithm (Juels et al, 2005). This means that the secret will be printed together with other information on the e-Passport, which will require a larger passport UID number or a separate field (Juels et al, 2005). Moreover, to help with mechanical reading, the secret can be represented as a two-dimensional bar code or written in an Optical Character Recognition (OCR) font in the Machine Readable Zone (MRZ) of each e-Passport (Juels et al, 2005).
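Added example (not part of the original paper): the key derivation discussed in Sections 6.6 and 7.2, written against the BAC procedure of ICAO Doc 9303, in which the key material is the MRZ document number, date of birth and date of expiry. The sample MRZ values are those of the specification's published worked example; the card_secret parameter and the way it is mixed into the seed are assumptions made here to illustrate the 128-bit countermeasure.

```python
import hashlib
import secrets

WEIGHTS = (7, 3, 1)


def mrz_check_digit(field):
    """ICAO MRZ check digit: digits as-is, A-Z = 10..35, '<' = 0, weights 7-3-1."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif ch == "<":
            value = 0
        else:
            value = ord(ch) - ord("A") + 10
        total += value * WEIGHTS[i % 3]
    return str(total % 10)


def mrz_information(doc_number, birth, expiry):
    """Document number, birth date and expiry date (YYMMDD), each with its check digit."""
    fields = (doc_number.ljust(9, "<"), birth, expiry)
    return "".join(f + mrz_check_digit(f) for f in fields)


def _odd_parity(key):
    """Set the low bit of every byte so each byte has odd parity (DES key format)."""
    out = bytearray()
    for b in key:
        ones_in_top7 = bin(b >> 1).count("1")
        out.append((b & 0xFE) | (0 if ones_in_top7 % 2 else 1))
    return bytes(out)


def _derive(k_seed, counter):
    digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
    return _odd_parity(digest[:16])


def bac_keys(mrz_info, card_secret=b""):
    """Return (K_enc, K_mac).

    With card_secret empty this is the standard derivation: every input is
    printed on the data page, so the keys can never hold more entropy than
    those printed fields. A non-empty card_secret models the Section 7.2
    countermeasure; appending it to the MRZ string is this example's assumption.
    """
    k_seed = hashlib.sha1(mrz_info.encode("ascii") + card_secret).digest()[:16]
    return _derive(k_seed, 1), _derive(k_seed, 2)


def compare_derivations():
    mrz = mrz_information("L898902C", "690806", "940623")
    first_visit = bac_keys(mrz)          # reader that saw the data page once
    years_later = bac_keys(mrz)          # same reader, any time afterwards
    per_passport_secret = secrets.token_bytes(16)   # 128-bit secret, constructed
    hardened = bac_keys(mrz, per_passport_secret)
    without_secret = bac_keys(mrz)       # party that knows only the three fields
    return {
        "mrz_information": mrz,
        "k_enc": first_visit[0].hex().upper(),
        "k_mac": first_visit[1].hex().upper(),
        "same_keys_forever": first_visit == years_later,
        "mrz_alone_opens_hardened": without_secret == hardened,
    }


if __name__ == "__main__":
    for name, value in compare_derivations().items():
        print(f"{name}: {value}")
```

Because the standard derivation is a fixed function of printed fields, the same keys come out on every run, which is the missing-revocation point of Section 6.6; with the added secret, knowing the three fields alone no longer yields the keys.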

7.3. Private Collision Avoidance (PCA)

According to Juels et al (2005), even if a larger e-Passport secret is being used as part of the key derivation, ISO 14443 uses the UID number as part of its PCA protocol. However, it is important to ensure that the UID is different on each reading and that UIDs are not linked across sessions. Therefore, a simple countermeasure is to pick a new random identifier on every tag read (Juels et al, 2005). In general, e-Passports and other UID numbers should use the PCA protocol (Juels et al, 2005).

SECTION 8. DISCUSSION

According to the ICAO standards, when a private key is compromised, the country cannot automatically invalidate all the e-Passports issued with the key. For example, for each country such as the US, there is a country signing Chip Authenticator (CA) which is responsible for creating a public/private key pair used to sign the document signer certificate.

The PA Protocol is the only mandatory cryptographic protocol in the ICAO. Its primary goal is to allow a Reader to verify that the biometric face, fingerprint, palm print or iris data in the e-Passport is authentic.

The AA Protocol is an optional protocol in the ICAO specification which deals with skimming and misuse as well as preventing eavesdropping between the Machine Readable Travel Document (MRTD) and Inspection Systems. A simple challenge-response mechanism can detect if a Tag has been substituted or cloned.

BAC is an optional protocol that tries to ensure that only authenticated Readers can physically access the e-Passport in order to read the Tag data.

The CA protocol aims to replace AA as a mechanism to detect cloned e-Passports. For example, if CA is performed successfully it can establish a new pair of encryption and Medium Access Control (MAC) keys to replace the BAC-derived session keys, thus enabling secure messaging (it does this by using the static key agreement protocol). Note that the e-Passport Tag already has a CA public key and private key (in secure memory).

The Terminal Authentication Protocol (TAP) is a protocol that is executed only if access to biometric data is required. It is a challenge-response mechanism that allows the Tag to validate the Reader used in CA. The Reader proves to the Tag, using digital certificates, that it has been authorized by both the home and visiting nation to read the e-Passport Tags.
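Added example (not part of the original paper): a simplified model of the point made in Sections 6.3 and 8, that the issuing state's signature checked by PA does not bind data to a particular chip, while the AA challenge-response does. The textbook RSA helper, key sizes, data-group contents and the "n:e" encoding of DG15 (the data group that carries the AA public key in the ICAO LDS) are constructed for illustration; real e-Passports use standardised signature schemes and encodings.

```python
import hashlib
import json
import secrets

E = 65537  # RSA public exponent


def toy_keypair(p, q):
    """Textbook RSA from two Mersenne primes: stdlib-only stand-in, NOT secure."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))


def _digest_int(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(private_key, msg):
    n, d = private_key
    return pow(_digest_int(msg, n), d, n)


def verify(public_key, msg, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest_int(msg, n)


def hash_data_groups(data_groups):
    return {name: hashlib.sha256(blob).hexdigest() for name, blob in data_groups.items()}


def _sod_payload(hashes):
    return json.dumps(hashes, sort_keys=True).encode()


def issue_sod(data_groups, issuer_private):
    """Issuing state: hash each data group, then sign the list of hashes (the SOD)."""
    hashes = hash_data_groups(data_groups)
    return {"hashes": hashes, "signature": sign(issuer_private, _sod_payload(hashes))}


class Chip:
    def __init__(self, data_groups, sod, aa_private):
        self.data_groups = dict(data_groups)  # readable region
        self.sod = sod                        # readable region
        self._aa_private = aa_private         # hidden region, never leaves the chip

    def answer_challenge(self, challenge):
        return sign(self._aa_private, challenge)


def passive_authentication(chip, issuer_public):
    """PA: is the readable data exactly what the issuing state signed?"""
    signed = verify(issuer_public, _sod_payload(chip.sod["hashes"]), chip.sod["signature"])
    return signed and hash_data_groups(chip.data_groups) == chip.sod["hashes"]


def active_authentication(chip):
    """AA: does this chip hold the private key matching the public key in DG15?
    Only meaningful once PA has shown that DG15 itself is authentic."""
    n, e = (int(x) for x in chip.data_groups["DG15"].decode().split(":"))
    challenge = secrets.token_bytes(8)
    return verify((n, e), challenge, chip.answer_challenge(challenge))


def inspect(chip, issuer_public):
    pa = passive_authentication(chip, issuer_public)
    return {"PA": pa, "AA": pa and active_authentication(chip)}


def run_demo():
    issuer_public, issuer_private = toy_keypair(2**89 - 1, 2**107 - 1)
    chip_public, chip_private = toy_keypair(2**61 - 1, 2**127 - 1)
    _, unrelated_private = toy_keypair(2**61 - 1, 2**107 - 1)

    data_groups = {  # constructed sample contents
        "DG1": b"P<UTOSAMPLE<<HOLDER",
        "DG2": b"constructed-face-image-bytes",
        "DG15": f"{chip_public[0]}:{chip_public[1]}".encode(),
    }
    sod = issue_sod(data_groups, issuer_private)
    genuine = Chip(data_groups, sod, chip_private)
    # A copy of the readable region on another chip: the hidden key cannot be copied.
    copy = Chip(genuine.data_groups, genuine.sod, unrelated_private)
    # Genuine chip whose DG1 was altered after issue.
    altered = Chip({**data_groups, "DG1": b"P<UTOSOMEONE<<ELSE"}, sod, chip_private)
    return {
        "genuine": inspect(genuine, issuer_public),
        "copy": inspect(copy, issuer_public),
        "altered": inspect(altered, issuer_public),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The copied chip passes PA because every signed byte is identical, and is caught only by the challenge-response; the altered chip fails PA before AA is attempted.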

SECTION 9. CONCLUSION

This paper is an introductory exploratory account of the IoT and RFID with a special focus on security issues and countermeasures. The biometric e-Passport single-object case study is used to explore security issues and countermeasures. The IoT connects intelligent objects or things. Sensors and RFID technologies enable the connected objects to firstly identify each other, then communicate with each other while forming a network of information, also known as the IoT. The e-Passport approved biometric features can be a digital facial photo, palm of the hand, a fingerprint, or the iris, and must include the digital signature of the holder, the issuing state and the host state. The most common security issues faced by biometric e-Passports are: clandestine scanning, clandestine tracking, skimming and cloning, eavesdropping, biometric data leakage and cryptographic weaknesses. The ICAO standards provide the AA, PA, BAC and EAC protocol countermeasures to help minimise or eliminate security threats on e-Passports. Finally, the research community has proposed a number of tools for protecting RFID privacy, such as blocker tags and antenna energy analysis.

SECTION 10. ACKNOWLEDGEMENT

The author acknowledges Whitireia Polytechnic Educational Institute, Porirua, Wellington, New Zealand.

SECTION 11. REFERENCES

Ahsan, K., Shah, H., & Kingston, P. (2010).

RFID applications: An introductory and

exploratory study. arXiv preprint

arXiv:1002.1179.

Avoine, G., Kalach, K., & Quisquater, J. J.

(2008). E-Passport: Securing international

contacts with contactless chips. In

Financial Cryptography and Data Security

pp. 141-155. Springer Berlin Heidelberg.

CISCO (2008). Wi-Fi Location-Based

Services 4.1 Design Guide.

http://www.cisco.com.

d’Hont, S. (2004). The cutting edge of

RFID technology and applications for

manufacturing and distribution. Texas

Instrument TIRIS, 16.

Juels, A., Molnar, D., & Wagner, D. (2005).

Security and Privacy Issues in E-passports.

In Security and Privacy for Emerging Areas

in Communications Networks, 2005.

Juels, A., Rivest, R. L., & Szydlo, M.

(2003, October). The blocker tag: selective

blocking of RFID tags for consumer

privacy. In Proceedings of the 10th ACM

conference on Computer and

communications security (pp. 103-111).

ACM.

Juels, A., & Pappu, R. (2003, January).

Squealing Euros: Privacy protection in

RFID-enabled banknotes. In Financial

cryptography (pp. 103-121). Springer

Berlin Heidelberg.

Kc, G. S., & Karger, P. A. (2005). Security

and privacy issues in machine readable

travel documents (MRTDs).

Kolahan, H., & Thapaliya, T (2011). Biometric Passport: security and privacy

aspects of machine readable travel.

Informatic, Electronic Government.

Kortuem, G., Kawsar, F., Fitton, D., &

Sundramoorthy, V. (2010). Smart objects

as building blocks for the internet of things.

Internet Computing, IEEE, 14(1), 44-51.

Kumar, V. N., Srinivasan, B., & Narendran,

P. (2012a). Efficient Implementation of

electronic passport scheme using

cryptographic security along with multiple

biometrics. International Journal of

Information Engineering and Electronic

Business (IJIEEB), 4(1), 18.

Kumar, V. N., & Srinivasan, B. (2012b).

Development of Electronic Passport

Scheme for Cryptographic Security and

Face, Fingerprint Biometrics using ASP.

Net. International Journal of Modern

Education and Computer Science

(IJMECS), 4(1), 40.

López, T. S., Ranasinghe, D. C., Harrison,

M., & McFarlane, D. (2012). Adding sense

to the internet of things. Personal and

Ubiquitous Computing, 16(3), 291-308

Malčík, D., & Drahanský, M. (2012).

Anatomy of biometric passports. BioMed

Research International, 2012.

Roberts, C. (2007). Biometric attack

vectors and defences. Computers &

Security, 26(1), 14-25

SecureComm (2005). First International

Conference on (pp. 74-88). IEEE.

Selevan, S. (2005). Final Report Use of 1)

Sensors and 2) Radio Frequency ID (RFID)

for the National Children’s Study.

Smith, I., CASAGRAS2. (2011). Internet

of Things around the World. An EU

Framework 7 Projects. RFID I Danmark

2011. Presents 7 IoTs project.

Welbourne, E., Battle, L., Cole, G., Gould,

K., Rector, K., Raymer, S., & Borriello, G.

(2009). Building the internet of things using

RFID: the RFID ecosystem experience.

Internet computing, IEEE, 13(3), 48-55.

Zslavask, A. (2013). Internet of things and

ubiquitous sensing. www.computer.com

SECTION 12: BIBLIOGRAPHY

Bohn, J. (2008). Prototypical

implementation of location-aware services

based on a middleware architecture for

super-distributed RFID tag infrastructures.

Personal and Ubiquitous Computing,

12(2), 155-166.

Bogari, E. A., Zavarsky, P., Lindskog, D.,

& Ruhl, R. (2012). An analysis of security

weaknesses in the evolution of RFID

enabled passport. In Internet Security

WorldCIS, 2012 World Congress on (pp.

158-166). IEEE.

Bose, I., Ngai, E.W., Teo, T.S., &

Spiekermann, S. (2009). Managing RFID

projects in organisations. EJIS, 18(6), 534-

540.

Bolotnyy, L., & Robins, G. (2007). Multi-

tag RFID systems. International Journal of

Internet Protocol Technology, 2(3), 218-

231.

Bolotnyy, L., & Robins, G. (2007, March).

Physically unclonable function-based

security and privacy in RFID systems. In

Pervasive Computing and

Communications, 2007. PerCom'07. Fifth

Annual IEEE International Conference on

(pp. 211-220). IEEE.

Burmester, M., & De Medeiros, B. (2007,

July). RFID security: attacks,

countermeasures and challenges. In

Proceedings of the 5th RFID academic

convocation. The RFID Journal

Conference

Callaghan, V., Clarke, G., & Chin, J.

(2009). Some socio-technical aspects of

intelligent buildings and pervasive

computing research. Intelligent Buildings

International, 1(1), 56-74.

Cavadini, D., Fasel, A. M. D., & Cimasoni,

L. (2009). Introducing the Biometrical

Electronic Passport (ePass).

CISCO (2008). Wi-Fi Location-Based

Services 4.1 Design Guide.

http://www.cisco.com.

CISCO (2008). RFID Tag Considerations.

Chapter 11.

Dodge, M., & Kitchin, R. (2009). Software,

objects, and home space. Environment and

Planning A, 41(6), 1344-1365

Duc, D. N., Lee, H., & Kim, K. (2006).

Enhancing security of EPCglobal Gen-2

RFID against traceability and cloning.

Auto-ID Labs Information and

Garcia-Alfaro, J., Barbeau, M., & Kranakis,

E. (2008, April). Security threats on EPC

based RFID systems. In Information

Technology: New Generations, Fifth

International Conference on (pp. 1242-

1244). IEEE

Garfinkel, S. L., Juels, A., & Pappu, R.

(2005). RFID privacy: An overview of

problems and proposed solutions. Security

& Privacy, IEEE, 3(3), 34-43

Habibi, M. H., Gardeshi, M., & Alaghband,

M. R. (2011). Practical attacks on a RFID

authentication protocol conforming to EPC

C-1 G-2 standard. arXiv preprint

arXiv:1102.0763.

Heim, K. (2007). Man grips future with

microchip implants in hands. Seattle Times,

1.

Henrici, D., & Müller, P. (2004). Tackling

security and privacy issues in radio

frequency identification devices. In

Pervasive Computing (pp. 219-224).

Springer Berlin Heidelberg.

Henzl, M. (2011). Security of Contactless

Smart Cards. In Proceedings of the 17th

Conference STUDENT EEICT pp. 585-589.

Kinoshita, S., Ohkubo, M., Hoshino, F.,

Morohashi, G., Shionoiri, O., & Kanai, A.

(2005). Privacy enhanced active RFID tag.

Cognitive Science Research Paper-

University of Sussex CSRP, 577, 100.

Mitrokotsa, A., Beye, M., & Peris-Lopez,

P. (2009). Classification of RFID Threats

based on Security Principles.

Molnar, D., & Wagner, D. (2004). Privacy

and security in library RFID: issues,

practices, and architectures. In Proceedings

of the 11th ACM conference on Computer

and communications security pp. 210-219.

ACM

Molnar, D., Soppera, A., & Wagner, D.

(2005). Privacy for RFID through trusted

computing. In Proceedings of the 2005

ACM workshop on Privacy in the electronic

society pp. 31-34. ACM

Najera, P., Moyano, F., & Lopez, J. (2009).

Security Mechanisms and Access Control

Infrastructure for e-Passports and General

Purpose e-Documents. J. UCS, 15(5), 970-

991

Nithyanand, R. (2009). A Survey on the

Evolution of Cryptographic Protocols in

ePassports. IACR Cryptology ePrint

Archive, 2009, 200.

Ohkubo, M., Suzuki, K., & Kinoshita, S.

(2003). Cryptographic approach to

“privacy-friendly” tags. In RFID privacy

workshop (Vol. 82). MIT, Cambridge, MA.

Ohkubo, M., Suzuki, K., & Kinoshita, S.

(2005). RFID privacy issues and technical

challenges. Communications of the ACM,

48(9), 66-71.

Pasupathinathan, V., Pieprzyk, J., & Wang,

H. (2008). Security analysis of Australian

and EU e-passport implementation. Journal

of Research and Practice in Information

Technology, 40(3), 187

Peris-Lopez, P., Hernandez-Castro, J. C.,

Estevez-Tapiador, J. M., & Ribagorda, A.

(2006). RFID systems: A survey on security

threats and proposed solutions. In Personal

Wireless Communications (pp. 159-170).

Springer Berlin Heidelberg.

Peris-Lopez, P., Hernandez-Castro, J. C.,

Estevez-Tapiador, J. M., & Ribagorda, A.

(2011). Attacking RFID systems.

Information Security Management

Handbook, 5, 313.

Popper, D. E. (2007). Traceability: tracking

and privacy in the food system.

Geographical review, 97(3), 365-388.

RFID Security (2008). The Government of

the Hong Kong Special Administrative

Region.

Rotter, P. (2009). Security and Privacy in

RFID Applications. Development and

Implementation of RFID Technology

SA, S. W. (2011). RFID (radio frequency

identification): Principles and applications.

www.eecs.harvard.edu/rfid-article.

Shih, D. H., Lin, C. Y., & Lin, B. (2005).

Privacy and security aspects of RFID tags.

In The Proceedings of Southwest DSI 2005

Annual Conference, Dallas, TX (pp. 332-

44). China Statistics Press

Singh, G., Kaur, R., & Sharma, H.

(2008). Various Attacks and their

Countermeasure on all Layers of RFID

System.

Sirotich, M. (2007, October). E-Passport

security under the microscope. In The

Second Workshop on the Social

Implications of National Security: (Vol. 2,

pp. 257-280).

Smith, D. B. (2006). Using Radio

Frequency Identification (RFID)

technology in humans in the United States

for total control. Bowie State University

Smith, J. E. (2006). You Can Run, But You

Can't Hide: Protecting Privacy from Radio

Frequency Identification Technology.

NCJL & Tech., 8, 249.

Song, B., & Mitchell, C. J. (2008). RFID

authentication protocol for low-cost tags. In

Proceedings of the first ACM conference on

Wireless network security (pp. 140-147).

ACM

Soon, T., J. & Tievan, L. (2008). RFID

Security. Institute for Infocomm Research

Thiesse, F. (2006). Managing risk

perceptions of RFID. Auto-ID Labs White

Paper WP-BIZAPP-031, Auto-ID Lab St.

Gallen, Switzerland.

Thompson, D. R., Chaudhry, N., &

Thompson, C. W. (2006, March). RFID

security threat model. In Conf. on Applied

Research in Information Technology

Van Kraneneburg, R. (2008). A critique of

ambient technology and the all-seeing

network of RFID. Institute of Network

Cultures Amsterdam

Wang, V. P. J. P. H. (2008). Formal security

analysis of Australian E-passport

implementation. Information Security

2008, 75

Warner, D. J. (2006). Call to Action: The

Fourth Amendment, the future of radio

frequency identification, and society. A.

Loy. LAL Rev., 40, 853

Weis, S. A. (2003). Security and privacy in

radio-frequency identification devices.

Massachusetts Institute of Technology.

Wyld, D. C. (2010). 24-Karat protection:

RFID and retail jewellery marketing.

International Journal of UbiComp (IJU),

1(1).