Research on Security Requirements of Internet of Things Based on Radio Frequency Identification Technology

1 Introduction

According to the definition of the International Telecommunication Union, the Internet of Things mainly solves the problem of interconnecting things to things, people to things, and people to people. At present, the Internet of Things (IoT) has become a hot spot in academic and industrial circles. It is called the third wave of the world's information industry, following the computer and the Internet. The Internet of Things is considered to be an extension of the Internet into the physical world. It integrates with the Internet through a variety of information sensing devices, such as Radio Frequency Identification (RFID), infrared sensors, global positioning systems, and laser scanners [2]. The goal is to connect all items to the network as a whole, so that the system can automatically identify, locate, track, and monitor them and trigger events in real time.

The Internet of Things (IoT) based on RFID refers to connecting all the items in the real world to the Internet through radio frequency identification (RFID) and other sensing devices, in order to realize intelligent identification and management of these items. RFID is the core technology for realizing the Internet of Things. Because of its low cost and high reliability, RFID is considered one of the most important and promising information technologies of the 21st century. With the continuous development of RFID technology at home and abroad, RFID has been widely used in fields such as article identification, electronic ticketing, product anti-counterfeiting, identification, and asset management by virtue of its unique advantages.

The continuous development of RFID-based IoT technologies and the widespread application of RFID-based IoT systems have also brought complex security issues to system operators and users. At present, because the definition of the RFID-based IoT system and its threat model are both unclear, it is difficult to conduct a comprehensive analysis of RFID-based IoT security requirements. This article attempts to establish an abstract model of the RFID-based IoT system and a corresponding threat model. Finally, based on the four basic dimensions of information security (confidentiality, integrity, availability, auditability), the security requirements of the RFID-based IoT system are given.

This article studies the system structure of RFID-based IoT, analyzes its potential security threats, and proposes corresponding security requirements. Section 2 describes the research status of IoT security; Section 3 describes the RFID-based IoT architecture; Section 4 describes the potential threats to and attacks on RFID-based IoT systems; Section 5 puts forward security requirements for the RFID-based IoT system in response to each of the security issues described in Section 4; the final section concludes the article and looks ahead.

2 Related Research

At present, the security issues of RFID-based IoT have received extensive attention. The research content mainly focuses on the following two aspects: the security of the RFID system itself and the security issues of RFID related information in the traditional Internet.

The RFID system itself includes a tag, a reader and a radio communication channel between the tag and the reader. RFID systems are vulnerable to various active and passive attacks: Mitrokotsa et al. analyzed the attacks and threats of RFID systems from the four levels of the physical layer, network transport layer, application layer, and policy layer, and summarized the corresponding solutions. Juels [3] believes that the security issues of RFID systems can be summarized as two aspects, privacy and authentication. In terms of privacy, the main issue is traceability, that is, how to prevent attackers from tracking RFID tags in any form; in terms of authentication, the main issue is making sure that only valid readers can communicate with the tags. At present, there are three main methods for securing RFID systems: physical methods (Kill commands, electrostatic shielding, active interference, and BlockerTag methods), security protocols (hash locks, hash chains, challenge-response mechanisms, re-encryption mechanisms, etc.), and a combination of the above methods.

Since RFID-related information is related to user privacy and trade secrets in the business layer, the issue of secure transmission and storage of RFID-related information in the Internet is also worth studying and discussing. Consistent with the issue of secure transmission in the traditional Internet, security technologies such as Virtual Private Networks (VPN) and Transport Layer Security (TLS) can be used to ensure the confidentiality and integrity of RFID-related information on the Internet.

3 RFID-based IoT system

The RFID-based IoT system is analyzed in terms of both the physical world and the logical space. The physical world of the IoT system consists of countless commodities and wireless sensor devices. In the logical space, RFID-based IoT systems generally consist of a tag layer, a radio frequency communication layer, a reader/writer layer, an Internet layer, and an application system layer.

The components of the RFID-based IoT in Definition 1 and their relationships are described in detail as follows:

The physical world: The physical world is composed of a variety of real objects, including items, computers, and wireless sensors. In the Internet of Things, these objects are all physically interconnected.

Tag layer: The tag layer consists of RFID tags and items. The RFID tag is similar to the bar code on the package of an article and records information about the goods. It is usually attached to the article or embedded in it. According to their energy source, RFID tags can be divided into three categories: passive, semi-passive and active.

Radio Frequency Communication Layer: RFID is a non-contact automatic identification technology that automatically identifies target objects and obtains relevant data through radio frequency signals. The reader sends a radio frequency signal of a certain frequency through the transmitting antenna. When the tag enters the working area of the transmitting antenna, an induced current is generated and the chip in the tag obtains the energy to be activated; the tag transmits its own encoding and other information through its built-in transmitting antenna; the receiving antenna receives the carrier signal sent from the tag and transmits it to the reader via the antenna regulator.

The reader/writer layer: The RFID reader/writer is a wireless transmitting and receiving device with an antenna. This device, which reads and writes RFID tags, mainly consists of two parts, a radio frequency module and a digital signal processing unit, and it has large computing power and storage space. The reader interprets and decodes the RF signal received from the tag layer, and then sends it through the Internet to the application system for processing.

Internet layer: In the RFID-based IoT system, the tag layer and the reader/writer layer communicate with each other through radio frequency signals, and the reader/writer layer and the application layer communicate with each other via the Internet.

Application system layer: The application system is used to implement orderly management of RFID tags. It is mainly used in the fields of article identification, electronic ticketing, product anti-counterfeiting, identification, and asset management. The application system usually includes a background database system, which can be a database system running on any hardware platform, and can be selected by the user according to actual needs. Generally, it is assumed that its computing power and storage capacity are strong, and the database stores RFID tag-related information.

4 RFID-based IoT security threats

With the rapid promotion and application of RFID technology, its data security problem has even surpassed the security boundary of the original computer information system in some areas and has become a widespread concern. The main reasons are as follows:

(1) Weak tag computing power: RFID tags have unique limitations in terms of computing power and power consumption [7]. RFID tags have extremely limited storage space. For example, the cheapest tag has only 64-128 bits of ROM and can only accommodate a unique identifier. Because the cost of the tag is limited, it is difficult for the tag itself to have sufficient security capabilities, and it is extremely easy for an attacker to control. A malicious user may use a legitimate reader, or construct a reader himself, to communicate directly with the tag and read, tamper with, or even delete the data stored in it. Without the protection of a sufficiently trusted security mechanism, the security, effectiveness, integrity, availability, and authenticity of the tag are not guaranteed.

(2) Vulnerability of wireless networks: The tag layer and the reader/writer layer communicate using wireless RF signals. There is no physical or visible contact during the communication process (it takes place via electromagnetic waves), and the inherent vulnerability of the wireless network makes the RFID system vulnerable to various forms of attack. This provides flexibility and convenience for application system data collection while also exposing the transmitted information to a wide audience.

(3) Privacy security of business applications: In the traditional network, the security of the network layer and the security of the service layer are independent of each other, while network connection and service use in the Internet of Things are closely integrated. The security and privacy of the information transmitted in the Internet of Things has therefore also become an important factor restricting the further development of the Internet of Things.

According to the structure of the RFID-based IoT system, we classify IoT threats and attacks into two categories (see Table 1): one is threats against entities in the IoT system, mainly attacks on the tag layer, reader layer, and application system layer; the other is threats against communication processes in the Internet of Things, including communication threats at the RF communication layer and the Internet layer.

Such attacks are basically the same as attacks in the traditional sense of the Internet. They can be solved using existing mature security technologies and cryptographic mechanisms. No detailed explanation is provided here.

5 RFID-based IoT security needs

Based on the above analysis of security threats, we identified the objects that need to be protected in the RFID-based IoT: tags, readers, application systems, and communications at the RF communication layer and Internet layer. Therefore, we believe that building a secure IoT system must also proceed from the four basic requirements of information security (confidentiality, availability, integrity, and auditability) and comprehensively consider both entity security and communication security in IoT systems.

5.1 Tag layer

The protected data in the tag includes four types:

(1) Tag identification;

(2) The key used to authenticate and control data access within the tag;

(3) Business data within the tag;

(4) The tag's execution code.

Confidentiality: The data in the tag cannot be accessed by unauthorized users. Because the tag identification is relatively fixed and closely associated with objects in the physical world, including people, its confidentiality is of particular concern as a privacy issue. When protecting the confidentiality of a tag, in addition to the security policies of the traditional security field, it is also necessary to consider the low-cost and low-performance characteristics of the tag. In other words, because tags are often very small and low-cost, their computing power is an important constraint. When considering the introduction of traditional encryption mechanisms, authentication mechanisms, and access control, the problem of computing power must be fully taken into account.

Integrity: The data in the tag cannot be modified by unauthorized users. Integrity here mainly protects the business data in the tags from being modified by malicious users, because these data often include a lot of service-related information. Especially when tags are used in financial payment systems, these data often have direct economic significance. The integrity protection of the tag identification, the key within the tag, and the execution code of the tag need not be a focus here, because it can be implemented with conventional hardware protection measures.

Availability: The data and functions in the tag can be read and can respond normally. Tags are stuck to the surface of an item or embedded in it, and the tag and the chip attached to it can easily be destroyed. In addition, EPCglobal specifies a KILL command [20] that can delete some or all of the data in the tag and permanently disable it. The KILL command was developed for privacy purposes, but attackers can use it to disable the tag, even permanently. Therefore, the availability of tags must be ensured so that they can respond to the reader's requests.

Auditability: It means that any read/write operations on tags can be audited and tracked to ensure the auditability of the tags.

5.2 Reader Layer

The protected data in the reader includes three types: (1) a key for mutual authentication with the tag, (2) data related to the tag, and (3) an execution code of the reader.

Confidentiality: The data in the reader can only be accessed by authorized users. This applies in particular to the key used for mutual authentication with the tag: once the key information is leaked, the attacker is likely to impersonate the reader and communicate with the tag. Therefore, the confidentiality of the key in the reader must be guaranteed. Unlike tags, readers do not need to strictly consider cost and performance issues, so they can protect their confidentiality through traditional encryption mechanisms.

Integrity: The data in the reader can only be modified by authorized users. In particular, tag-related information must be protected from modification by attackers, because it is often related to the business.

Availability: The reader can send requests and respond to the tag's replies normally. The attacker may use or destroy the reader, so it is necessary to guarantee the availability of the reader.

Auditability: Any operation of the reader on the tag, including both reading and writing, can be monitored, tracked and audited.

5.3 Application Layer

There are three types of RFID-related protected data in application systems:

(1) Data related to tags;

(2) User-related data;

(3) Data related to business applications (such as shopping records, bank transactions, etc.);

(4) Code.

Confidentiality: The data in the application system cannot be accessed by unauthorized users. This applies in particular to information related to tags and to users, which often involves the privacy of the user [8]. Such information generally resides in a back-end database; once it is acquired by an attacker, the privacy of the user cannot be guaranteed. In addition, the confidentiality of data related to business applications must also be safeguarded, because attackers are likely to track the user's whereabouts through analysis of the data and even analyze the user's spending habits.

Integrity: It means that the data in the application system cannot be modified by unauthorized users. In particular, user-related data and business application data, once modified by the attacker, may cause great economic losses.

Availability: It means that the application system can operate normally and meet the needs of users.

Auditability: It means that the application can be monitored, tracked and audited.

5.4 Radio Communication Layer

The objects protected at the radio communication layer include: (1) Communication data; (2) Communication channel.

Confidentiality: The communication data at the RF communication layer is kept confidential. The RF communication layer communicates through radio frequency signals. The attacker can use eavesdropping technology to analyze the various electromagnetic characteristics generated during the normal operation of the microprocessor and thereby obtain the communication data between the RFID tag and the reader or other RFID communication devices. Also, since the forward channel from the reader to the tag has a large coverage, it is less secure than the back channel from the tag to the reader. Therefore, the confidentiality of communication data at the RF communication layer is particularly important.

Integrity: The communication data at the RF communication layer cannot be modified without authorization. The attacker can use the inherent vulnerability of the wireless network at the RF communication layer to tamper with or replay messages and so disrupt normal communication between the reader and the tag. Therefore, encryption, a hash, or a CRC check code is required to ensure the integrity of the communication data.
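The following Python sketch is an added example, not part of the original article. It compares the check codes named above against the tampering and replay cases the paragraph describes: an unkeyed CRC catches transmission noise but can be recomputed by anyone who rewrites a frame, while a keyed hash bound to a reader nonce rejects both rewritten and replayed frames. The frame layout, the key, the `Reader` class and the use of truncated HMAC-SHA-256 are assumptions made for illustration; a low-cost tag may only support a lighter keyed primitive.

```python
import hashlib
import hmac
import os
import zlib

KEY = b"constructed-demo-key"   # constructed key shared by tag and reader
MAC_LEN = 8                     # truncated MAC length (assumption)

def crc_frame(payload: bytes) -> bytes:
    """Append an unkeyed CRC-32, as a plain check code would."""
    return payload + zlib.crc32(payload).to_bytes(4, "big")

def crc_ok(frame: bytes) -> bool:
    return zlib.crc32(frame[:-4]).to_bytes(4, "big") == frame[-4:]

def mac_frame(key: bytes, nonce: bytes, payload: bytes) -> bytes:
    """Tag side: bind the payload to the reader's nonce with a keyed hash."""
    mac = hmac.new(key, nonce + payload, hashlib.sha256).digest()[:MAC_LEN]
    return payload + mac

class Reader:
    def __init__(self, key: bytes):
        self.key = key
        self.pending = None     # nonce of the outstanding challenge

    def challenge(self) -> bytes:
        self.pending = os.urandom(8)
        return self.pending

    def accept(self, frame: bytes):
        """Return the payload if the frame answers the pending challenge."""
        if self.pending is None or len(frame) < MAC_LEN:
            return None
        nonce, self.pending = self.pending, None    # each nonce is single-use
        payload, mac = frame[:-MAC_LEN], frame[-MAC_LEN:]
        good = hmac.new(self.key, nonce + payload, hashlib.sha256).digest()[:MAC_LEN]
        return payload if hmac.compare_digest(mac, good) else None

def run_checks() -> dict:
    original = b"EPC=constructed-0001;balance=10"   # constructed sample data
    altered = b"EPC=constructed-0001;balance=99"
    results = {}
    # Unkeyed CRC: a flipped bit is caught, a rewritten frame is not.
    noisy = bytearray(crc_frame(original))
    noisy[5] ^= 0x01
    results["crc_detects_noise"] = not crc_ok(bytes(noisy))
    results["crc_detects_rewrite"] = not crc_ok(crc_frame(altered))
    # Keyed hash over nonce + payload.
    reader = Reader(KEY)
    frame = mac_frame(KEY, reader.challenge(), original)
    results["mac_accepts_genuine"] = reader.accept(frame) == original
    genuine = mac_frame(KEY, reader.challenge(), original)
    rewritten = altered + genuine[-MAC_LEN:]        # payload changed in transit
    results["mac_rejects_rewrite"] = reader.accept(rewritten) is None
    reader.challenge()                              # new session, old frame replayed
    results["mac_rejects_replay"] = reader.accept(frame) is None
    return results
```

Calling `run_checks()` returns one boolean per case; only `crc_detects_rewrite` is false, which is the gap a keyed check closes.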

Availability: The protected communication channel can communicate normally. Radio frequency signals are easily subject to interference. Malicious attackers may disrupt radio communication channels by broadcasting interference or blocking channels. Therefore, the availability of the radio communication layer needs to be guaranteed.

5.5 Internet layer

The needs of the Internet layer for confidentiality, integrity, and availability are basically the same as those of the traditional Internet, and will not be repeated here.

6 Conclusions and Prospects

This paper proposes an abstract model based on RFID for the Internet of Things and conducts threat modeling. Finally, based on the abstract model and the threat model, the security requirements of the Internet of Things (IoT) based on RFID are given from the four dimensions of information security.

At present, security has become an important factor hindering the further development of RFID-based IoT. If its security cannot be fully guaranteed, personal information, trade secrets and military secrets in the IoT system may be stolen or exploited by criminals, which will inevitably and seriously affect economic security, military security and national security. However, the Internet of Things system is large and complex, involving many kinds of technical systems such as embedded systems, network systems, control systems, software systems, and security systems. It is believed that, after long-term, in-depth and continuous research, the proposed security requirements can provide a certain reference for the secure and convenient development of RFID-based IoT. In the next study, we will explore how to apply relevant technologies and management methods to design a complete security framework for RFID-based IoT systems.

About the Author:

School of Software, Fudan University: Peng Peng (1987-), female, graduate student; Han Weili (1975-), male, associate professor, Ph.D.; Zhao Yiming (1961-), male, associate professor; Zhou Jiansuo (1973-), male, Beijing, China Dr. Dong Haoran (1964-), Senior Engineer, Denko Electronic Design Co., Ltd., Male, Senior Engineer, Beijing Zhongdian Huada Electronic Design Co., Ltd.
