Executive Post Graduate Programme in e-Governance (EPGP-EG), 2013-14
Identity Management: Threats for RFID
Presented by Group # 3: Pravin Kolhe, M. Jyothi Rani, Sanjay Singh, Vivek Srivastava, Chandan Kumar Jha
July 2013, IIM Indore
1. What is RFID
• RFID = Radio Frequency IDentification.
• RFID is an ADC (Automated Data Collection) technology that:
  • uses radio-frequency waves to transfer data between a reader and a movable item in order to identify, categorize and track it.
  • is fast and does not require physical sight or contact between the reader/scanner and the tagged item.
  • attempts to provide unique identification and backend integration that allows for a wide range of applications.
3. Types of threats for RFID
• Broadly, threats are categorized on the basis of confidentiality, integrity and availability as:
  • Spoofing identity
  • Tampering with data
  • Repudiation
  • Information disclosure
  • Denial of service
  • Elevation of privilege
4. Spoofing identity
• “Spoofing occurs when an attacker successfully poses as an authorized user of a system”
• A competitor or thief performs an unauthorized inventory of a store by scanning tags with an unauthorized reader to determine the types and quantities of items.
• An attacker tries to save money by buying expensive goods whose RFID price tags have been spoofed to display cheaper prices.
4. Mitigating spoofing identity
• Appropriate authentication
• Protect secrets
• Don’t store secrets
5. Tampering with data
• “Data tampering occurs when an attacker modifies, adds, deletes, or reorders data”
• For example:
  • An attacker modifies a passport tag to appear to be a citizen in good standing.
  • An attacker adds additional tags to a shipment, making the shipment appear to contain more items than it actually does.
5. Mitigating tampering with data
• Appropriate authentication
• Message authentication codes
• Digital signatures
• Tamper-resistant protocols
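
The message-authentication-code mitigation, applied to the two tampering cases above (a rewritten tag and tags added to a shipment), as an added example that is not part of the original slides. The record layout, key handling and the names `write_tag`, `seal_manifest` and `check_shipment` are assumptions made for illustration, and all sample data is constructed.

```python
import hashlib
import hmac

MASTER_KEY = b"constructed-demo-key"  # constructed; keep real keys in an HSM or vault

def _mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so field boundaries are unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def tag_key(epc: str) -> bytes:
    """Per-tag key, so a MAC is bound to exactly one EPC."""
    return _mac(MASTER_KEY, b"tag-key", epc.encode())

def write_tag(epc: str, data: bytes) -> dict:
    """Issuer side: the record written to tag memory (hypothetical layout)."""
    return {"epc": epc, "data": data, "mac": _mac(tag_key(epc), epc.encode(), data)}

def verify_tag(rec: dict) -> bool:
    """Backend side: recompute the MAC and compare in constant time."""
    expected = _mac(tag_key(rec["epc"]), rec["epc"].encode(), rec["data"])
    return hmac.compare_digest(expected, rec["mac"])

def seal_manifest(epcs) -> bytes:
    """MAC over the sorted list of EPCs the sender actually shipped."""
    return _mac(MASTER_KEY, b"manifest", *(e.encode() for e in sorted(epcs)))

def check_shipment(records, manifest_epcs, manifest_mac) -> dict:
    """Classify what the receiving reader saw against the sealed manifest."""
    seen = {r["epc"] for r in records}
    return {
        "manifest_ok": hmac.compare_digest(seal_manifest(manifest_epcs), manifest_mac),
        "tampered": sorted(r["epc"] for r in records if not verify_tag(r)),
        "unexpected": sorted(seen - set(manifest_epcs)),
        "missing": sorted(set(manifest_epcs) - seen),
    }

def demo() -> dict:
    """Constructed shipment: one tag rewritten in transit, one tag added."""
    epcs = ["EPC-0001", "EPC-0002", "EPC-0003"]
    seal = seal_manifest(epcs)
    tags = [write_tag(e, b"qty=10") for e in epcs]
    tags[1] = dict(tags[1], data=b"qty=99")  # data modified, old MAC kept
    tags.append({"epc": "EPC-9999", "data": b"qty=10", "mac": bytes(32)})  # added tag
    return check_shipment(tags, epcs, seal)

if __name__ == "__main__":
    print(demo())
```

A MAC stored on the tag detects modified data and unlisted tags, but a verbatim copy of a valid record still verifies; that is the spoofing case, for which the slides list authentication as the mitigation.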
6. Repudiation
• “Repudiation occurs when a user denies an action and no proof exists to prove that the action was performed”
• A retailer denies receiving a certain pallet, case, or item.
• The owner of the EPC number denies having information about the item to which the tag is attached.
6. Mitigating repudiation
• Digital signatures
• Timestamps
• Audit trails
7. Information disclosure
• “Information disclosure occurs when information is exposed to an unauthorized user”
• A bomb in a restaurant explodes when there are five or more Americans with RFID-enabled passports detected.
• An attacker blackmails an individual for having certain merchandise in their possession.
• A sufficiently powerful directed reader reads tags in your house or car.
7. Mitigating information disclosure
• Authorization
• Privacy-enhanced protocols
• Encryption
8. Denial of service
• “Denial-of-service denies service to valid users. Denial-of-service attacks are easy to accomplish and difficult to guard against.”
• An attacker with a powerful reader jams the reader.
• An attacker intrudes into the system thereby aborting the transactions.
8. Mitigating denial of service
• Appropriate authentication
• Appropriate authorization
• Filtering
• Throttling
• Quality of Service
9. Elevation of privilege
• “A user logging on to the database to know the product’s information can become an attacker by raising his/her status in the information system from a user to a root server administrator and write or add malicious data into the system.”
• A system user modifies the authorisation & authentication privileges to transfer money to his account.
9. Mitigating elevation of privilege
• Run with least privilege
• Hierarchy-based privilege
• Restricted privilege to user
10. Assign risk with DREAD
• Damage potential (1-10)
• Reproducibility (1-10)
• Exploitability (1-10)
• Affected users (1-10)
• Discoverability (1-10)
12. Conclusion
• RFID is extensively used worldwide due to its efficient and convenient features.
• Still, it has threats & vulnerabilities associated with it.
• Despite the proposed mitigation strategies, it is not yet possible to design a foolproof RFID system.
• Extensive research is being carried out on reliable RFID systems.
Contact: Pravin Kolhe, Executive Engineer, Water Resources Department, Government of Maharashtra
Email: pravinkolhe82@gmail.com
www.pravinkolhe.com