398 Radio Frequency Identification from System to Applications

The chapter is divided into several parts. We will talk about the basics of RFID, the possibilities of the technology in postal and logistics processes, other mobile technologies in these processes, the security of the technology in the context of postal services, the impact of operational characteristics on readability and, finally, the results of testing RFID technology in our laboratory of Automated Identification and Data Capture (AIDC Lab) at the University of Žilina.

**2. Basics of RFID technology architecture**

The RFID system architecture consists of a reader and a tag (also known as a label or chip). The reader queries the tag, obtains information, and then takes action based on that information. That action may display a number on a handheld device, or it may pass information on to a POS system or an inventory database, or relay it to a backend payment system thousands of miles away. Let's look at some of the basic components of a typical RFID system.

### **2.1. RFID tag/label**

RFID units are in a class of radio devices known as transponders. A transponder is a combination transmitter and receiver, which is designed to receive a specific radio signal and automatically transmit a reply. Transponders used in RFID are commonly called tags, chips, or labels, which are fairly interchangeable, although "chip" implies a smaller unit, and "tag" is used for larger devices. The designator label is mainly used for the labels that contain an RFID device. Tags are categorized into four types based on the power source for communication and other functionality (Figure 1):

**•** A passive tag uses the electromagnetic energy it receives from an interrogator's transmission to reply to the interrogator. The reply signal from a passive tag, which is also known as the backscattered signal, has only a fraction of the power of the interrogator's signal. This limited power significantly restricts the operating range of the tag. Since passive tags are low power devices, they can only support data processing of limited complexity. On the other hand, passive tags typically are cheaper, smaller, and lighter than other types of tags, which are compelling advantages for many RFID applications. [3]

**•** An active tag relies on an internal battery for power. The battery is used to communicate to the interrogator, to power on-board circuitry, and to perform other functions. Active tags can communicate over greater distance than other types of tags, but they have a finite battery life and are generally larger and more expensive. Since these tags have internal power, they can respond to lower power signals than passive tags. [3]

**•** A semi-active tag is an active tag that remains dormant until it receives a signal from the interrogator to wake up. The tag can then use its battery to communicate with the interrogator. Like active tags, semi-active tags can communicate over a longer distance than passive tags. Their main advantage relative to active tags is that they have a longer battery life. The waking process, however, sometimes causes an unacceptable time delay when tags pass interrogators very quickly or when many tags need to be read within a very short period of time. [3]

**•** A semi-passive tag is a passive tag that uses a battery to power on-board circuitry, but not to produce return signals. When the battery is used to power a sensor, they are often called sensor tags. They typically are smaller and cheaper than active tags, but have greater functionality than passive tags because more power is available for other purposes. Some literature uses the terms "semi-passive" and "semi-active" interchangeably. [3]

**Figure 1.** Passive and Active Tag Processes

Like bar codes in an earlier time, RFID is the next revolution in AIDC technology. Most of the advantages of RFID are derived from the reliance on radio frequencies rather than light (as is required in optical technology) to transmit information. This characteristic means that RFID communication can occur:


#### *2.1.1. Carrier frequencies*

Today, there are four carrier frequencies implemented for RFID that are popular globally: 125 kHz, 13.56 MHz, UHF ranging from 866 to 950 MHz depending on national radio regulations, and microwave frequencies of 2.45 GHz and 5.8 GHz. There is also the frequency range 430-440 MHz, which is allocated to amateur radio usage around the world. The ISM band 433.05-434.790 MHz is located near the middle of the amateur radio band. The amateur radio band has emerged as an RFID channel in a number of applications. The frequency range has been called the 'optimal frequency for global use of Active RFID'. [1]


Possibility of RFID in Conditions of Postal Operators

http://dx.doi.org/10.5772/53285

401


#### *2.1.2. Functionality*

The primary function of a tag is to provide an identifier to an interrogator, but many types of tags support additional capabilities that are valuable for certain business processes. These include:

**•** Memory. Memory enables data to be stored on tags and retrieved at a later time. Memory is either write once, read many (WORM) memory or re-writeable memory, which can be modified after initialization. Memory enables more flexibility in the design of RFID systems because RFID data transactions can occur without concurrent access to data stored in an enterprise subsystem. However, adding memory to a tag increases its cost and power requirements.

**•** Environmental sensors. The integration of environmental sensors with tags is an example of the benefit of local memory. The sensors can record temperature, humidity, vibration, or other phenomena to the tag's memory, which can later be retrieved by an interrogator. The integration of sensors significantly increases the cost and complexity of the tags. Moreover, while many tag operations can be powered using the electromagnetic energy from an interrogator, this approach is not workable for sensors, which must rely on battery power. Tags typically are only integrated with sensors for high-value, environmentally sensitive, or perishable objects worthy of the additional expense.

**•** Security functionality, such as password protection and cryptography. Tags with onboard memory are often coupled with security mechanisms to protect the data stored in that memory. For example, some tags support a lock command that, depending on its implementation, can prevent further modification of data in the tag's memory or can prevent access to data in the tag's memory. In some cases, the lock command is permanent and in other cases, an interrogator can "unlock" the memory. EPCglobal standards, International Organization for Standardization (ISO) standards, and many proprietary tag designs support this feature. Some RFID systems support advanced cryptographic algorithms that enable authentication mechanisms and data confidentiality features, although these functions are most commonly found on RFID-based contactless smart cards and not tags used for item management. Some tags offer tamper protection as a physical security feature.

**•** Privacy protection mechanisms. EPC tags support a feature called the kill command that permanently disables the ability of the tag to respond to subsequent commands. Unlike the lock command, the kill command is irreversible. The kill command also prevents access to a tag's identifier, in addition to any memory that may be on the tag. While the lock command provides security, the primary objective of the kill command is personal privacy. RFID tags could be used to track individuals that carry tagged items or wear tagged articles of clothing when the tags are no longer required for their intended use, such as to expedite checkout or inventory. The ability to disable a tag with the kill command provides a mechanism to prevent such tracking. [1]

#### **2.2. RFID reader (Interrogator)**

The second component in a basic RFID system is the interrogator or reader, which wirelessly communicates with a tag. Readers can have an integrated antenna, or the antenna can be separate. The antenna can be an integral part of the reader, or it can be a separate device. Handheld units are a combination reader/antenna, while larger systems usually separate the antennas from the reader.

The reader retrieves the information from the RFID tag. The reader may be self-contained and record the information internally; however, it may also be part of a localized system such as a POS cash register, a large Local Area Network (LAN), or a Wide Area Network (WAN).

There is also middleware, software that controls the reader and the data coming from the tags and moves them to other database systems. It carries out basic functions, such as filtering, integration and control of the reader. [1]

RFID systems work when the reader antenna transmits radio signals. These signals are captured by the tag, which responds with a corresponding radio signal (Figure 2).

**Figure 2.** The interaction between the reader and RFID tag [2]

#### **2.3. Security of RFID technology**

Let's start with the first question: What are the security risks with RFID? The information inside [passive] RFID tags is vulnerable to alteration, corruption, and deletion due to low processing speed and low memory. In contrast, some high-end active RFID readers and tags tend to improve security through use of cryptography, challenge-response protocols, rotating passwords, and tamper detection technology. These devices have more processing power and more memory than their passive counterparts. They are more expensive and need a battery to give a boost to the processing power. The passive RFID devices do not need a battery. The tags wake up when they receive a signal from a reader.

Now let's go to the second question: How can we categorize the attacks on RFID technology? The management can start with the four categories of attacks that are unique to the RFID infrastructure: war-walking and lifting, counterfeiting, denial-of-service, and weak cryptography.

#### *2.3.1. War-walking and war-lifting*

War-driving, also known as wireless LAN driving, is a technique of using a Wi-Fi-based laptop or PDA to detect Wi-Fi wireless networks while driving in a vehicle, such as a small truck or an automobile. Legitimate war-drivers do not use services without proper authorization.

In the RFID technology arena, we add wireless RFID driving to the description of war-driving. It is not necessary to have a LAN as an access point that a remote wireless device can pick up. A war-driver can use the device to pick up the information from unsecured tags affixed to an item, case, or pallet. What is more, the war-driver could disable the RFID deactivation mechanisms when the items leave the retail stores.

In addition, the war-driver can read and get the information from the RFID tags of purchased goods that a passerby carries in a shopping bag. This can happen only if the tags are not properly deactivated when they leave a retail store or a warehouse.

War-walking is bolder than war-driving. War-walkers do not need a wireless device to find the RFID tags. With fake credentials or cards, they can bypass physical checks and find the system that uses RFID tags to monitor the movements of conference attendees.

Let's assume the cracker goes beyond finding the system. The cracker either runs away or removes the passive RFID tags from the objects, say, inside one case by sawing or etching the tags away. The cracker replaces them with the counterfeited tags, and reattaches the tag with original RFID data to the like objects in another case, all without being detected. This technique is known as lifting.

In another instance, a corporate spy walks around, scans the entire stock of a competing retail outlet, rewrites the tags of cheap products and replaces them with better product labels, and even hides products in a metal-lined tag and replaces them with new tags on the shelf. Passive tags do not work very well when they come into contact with a metallic surface.

Another privacy issue that has been raised is what flashes up on a scanner as someone walks near the interrogator (especially the active interrogators that have a much wider scanning region than those of passive interrogators). The scanner could show:

**•** Clothing origins

**•** Contents of origins

**•** Contents of briefcase or handbag

**•** Which credit cards being carried

**•** Linkage to RFIDs that identify the user of passport in suit pocket



Make sure the RFID infrastructure is secured with physical security control mechanisms. If the company can afford it, it could use, for example, AXCESS's ActiveTag system, a single-system approach to automatic monitoring and tracking applications right from your desktop computer, including Asset Management, Personnel and Vehicle Access Control, Personnel Monitoring, Production and Process Control, and Inventory Tracking.

#### *2.3.2. Counterfeiting*

It is the semiconductor companies who manufacture RFID tags. Unlike security firms, the semiconductor companies have practically no experience in security. These companies are more interested in getting customers to buy their products than in discussing product vulnerabilities and countermeasures. Another problem is vendors who become overconfident that their products will not be easy to break.

With a switched reader, you will not be able to read the tags. An adversary can defeat encryption by switching readers after gaining physical access to the location that sends encrypted communications.

Now, how does an adversary make the switch? One possibility is to switch with a fake reader. Another possibility is to tamper with the original reader. This is easy to do with a portable handheld device, particularly the ones that can fit into the palm of most hands. The tampered or replaced reader can be modified to allow the adversary to control a legitimate reader nearby from a distance and write counterfeit serial numbers on the RFID tags. It also can be modified to automatically change the original RFID numbers stored in the reader's database and replace them with invalid numbers.

That is why it is important to secure custody of the reader even when an RFID handler is not using the device. It is also important for organizations to ensure that a legitimate reader can reject an invalid RFID number counterfeited on the tag or in the reader's database.

You should determine what countermeasures you need to mitigate the risks of counterfeiting threats before RFID is fully implemented.
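One way a reader can reject a number that was invented or altered on the tag or in its local table, as an added example that is not from the chapter: the issuer writes a keyed MAC next to each tag ID and seals the reader's table with a second MAC. The keys, the `PARCEL-0001` style IDs and all function names are constructed for the illustration.

```python
import hashlib
import hmac
import json

# Constructed keys for this example. In practice they live in the backend
# (or a secure element in the reader), never on the tag itself.
ISSUER_KEY = b"constructed-issuer-key"
DB_KEY = b"constructed-db-seal-key"
MAC_HEX_LEN = 16  # 64-bit truncated MAC, sized for small tag user memory


def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def commission_tag(tag_id):
    """What the issuer writes to a tag: the ID plus a MAC over it."""
    return {"id": tag_id, "mac": _mac(ISSUER_KEY, tag_id.encode())[:MAC_HEX_LEN]}


def seal_database(expected):
    """MAC over the reader's local {tag_id: item} table, computed by the backend."""
    canonical = json.dumps(expected, sort_keys=True, separators=(",", ":"))
    return _mac(DB_KEY, canonical.encode())


def check_read(tag_record, expected, seal):
    """Return 'accept' or a rejection reason for one tag read."""
    # 1. Refuse to use a local table that was changed after it was sealed.
    if not hmac.compare_digest(seal_database(expected).encode(), seal.encode()):
        return "reject: reader database modified"
    # 2. The number on the tag must carry the issuer's MAC.
    tag_id = str(tag_record.get("id", ""))
    want = _mac(ISSUER_KEY, tag_id.encode())[:MAC_HEX_LEN]
    got = str(tag_record.get("mac", ""))
    if not hmac.compare_digest(want.encode(), got.encode()):
        return "reject: tag number not issued by us"
    # 3. A correctly issued tag must still be one this site expects.
    if tag_id not in expected:
        return "reject: tag not expected at this site"
    return "accept"


def demo():
    """Run four constructed reads: one genuine, three that must be rejected."""
    expected = {"PARCEL-0001": "registered letter", "PARCEL-0002": "insured parcel"}
    seal = seal_database(expected)
    genuine = commission_tag("PARCEL-0001")
    rewritten = dict(genuine, id="PARCEL-0002")   # number altered on the tag
    foreign = commission_tag("PARCEL-9999")       # issued, but not for this site
    tampered = dict(expected, **{"PARCEL-0001": "empty envelope"})  # table altered
    return [
        check_read(genuine, expected, seal),
        check_read(rewritten, expected, seal),
        check_read(foreign, expected, seal),
        check_read(genuine, tampered, seal),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

A verbatim copy of both ID and MAC onto another tag still passes this check; catching that needs a tag that can answer a challenge, which the chapter notes low-cost passive tags cannot do.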

#### *2.3.3. Denial of service*

RFID radio signals are also very easy to block or jam. This can cause denial-of-service not only to the RFID tags but also at the data and network level.


Hackers and crackers can launch a denial-of-service attack by using electromagnetic fog to block RFID scanning and flooding a retail outlet with radio waves at the same frequencies as RFID scanners, thus causing chaos at check-outs. They also can hide a transmitter in a car at a parking lot. This transmitter can block radio signals, causing an RFID-enabled store to close, and send a malicious virus to an EPC IS server containing the RFID data.

#### *2.3.4. Weak cryptography*

Although we expect the price for passive tags to drop below five cents per unit in a few years, we must acknowledge that these tags are computationally weak for the standard basic symmetric key cryptographic operations. Because more expensive RFID tags have more processing power and memory, they can perform advanced cryptographic functions. Most low-cost tags are readable; many have limited writeable capability. This is because these tags are designed with basic functionality to keep the costs low.

Although we can get around this problem in a limited way via minimalist cryptography and Elliptic Curve Cryptography (ECC), they are more appropriate for other RFID devices, such as smart cards.

To overcome some of the confusing policies on when to use the kill command, the AUTO-ID Center and EPCglobal have proposed to put the chip tags to sleep for a while, rendering them inoperable temporarily, and then wake up these tags later on with a pair of sleep/wake commands.

As mentioned previously, the basic functionality of low-cost RFID tags does not allow basic cryptographic operations, due to limited processing power, little memory and the size of the chip. To make it work, the tag must have memory of several megabytes and be rewritable. The scheme for this cryptography is pseudonym throttling. It stores a short list of random identifiers or pseudonyms and goes into a cycle. Very little computation, if any, is involved, as contrasted to standard cryptography that requires quite a bit of computation and more complex circuitry.
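The cycle described above can be modelled in a few lines; this is an added example, not code from the chapter. The throttling rule (repeat the current pseudonym until a minimum interval has passed), the 60-second interval and all names are assumptions made for the illustration.

```python
import secrets


class ThrottledTag:
    """Constructed model of a low-cost tag: no cipher, only a short pseudonym list."""

    def __init__(self, pseudonyms, min_interval_s):
        self._pseudonyms = list(pseudonyms)
        self._min_interval_s = min_interval_s
        self._index = 0
        self._last_advance = None  # time of the last rotation, in seconds

    def query(self, now_s):
        """Answer a reader query at time now_s with exactly one pseudonym."""
        if self._last_advance is None:
            self._last_advance = now_s  # first read: release pseudonym 0
        elif now_s - self._last_advance >= self._min_interval_s:
            # Enough time has passed: move to the next pseudonym in the cycle.
            self._index = (self._index + 1) % len(self._pseudonyms)
            self._last_advance = now_s
        # Otherwise the query came too soon and the tag repeats its last answer,
        # so rapid scanning cannot harvest the whole list.
        return self._pseudonyms[self._index]


class Backend:
    """Authorized side: knows every pseudonym and maps it back to the real ID."""

    def __init__(self):
        self._owner = {}

    def enroll(self, tag_id, count=5, min_interval_s=60.0):
        """Generate the pseudonym list, remember it, and return the loaded tag."""
        pseudonyms = [secrets.token_hex(8) for _ in range(count)]
        for pseudonym in pseudonyms:
            self._owner[pseudonym] = tag_id
        return ThrottledTag(pseudonyms, min_interval_s)

    def resolve(self, pseudonym):
        """Real tag ID for a pseudonym, or None for an unknown or forged value."""
        return self._owner.get(pseudonym)


def observe(tag, n_queries, spacing_s, start_s=0.0):
    """Pseudonyms seen by a reader issuing n_queries spaced spacing_s apart."""
    return [tag.query(start_s + i * spacing_s) for i in range(n_queries)]


def demo():
    backend = Backend()
    tag = backend.enroll("TAG-EXAMPLE-0001")      # constructed tag ID
    burst = observe(tag, 100, 0.1)                 # 100 reads within 10 seconds
    paced = observe(tag, 5, 60.0, start_s=1000.0)  # one read per minute
    return {
        "burst_distinct": len(set(burst)),   # what a rapid scan learns
        "paced_distinct": len(set(paced)),   # what unlinked sightings look like
        "all_resolve": all(
            backend.resolve(p) == "TAG-EXAMPLE-0001" for p in burst + paced
        ),
        "forged": backend.resolve("00" * 8),
    }


if __name__ == "__main__":
    print(demo())
```

The tag does no arithmetic beyond an index increment and a timer comparison, which is the point of the scheme: only the backend, which holds the list, can tie the changing values to one tag.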

ECC is widely accepted for its efficient deployment of the public key mechanism. ECC is known for its compactness due to the novel way it uses arithmetic units to perform complex computations. It is much more compact than RSA, allowing the low-cost tags to be RFID-enabled. To get ECC to work properly in RFID tags, we cannot overlook three important things: adequate memory, the size of the area into which the ECC is installed, and the amount of power the tag can consume and emit signals to perform a simple computation. If the memory is too low, the ECC will not work. If the memory is adequate but the circuitry does not give enough power to consume, the ECC will not work. If the size of the area is too small, regardless of memory size or the amount of power consumption, the ECC will not work. The memory, the area size, and the power consumption must be set properly in order for all three to get the computation to work properly.

#### *2.3.5. Defence in depth*


Let's assume lightweight cryptography for the RFID tag is well designed and is one of the protection mechanisms to defend the RFID infrastructure from attacks. In reality, 100 percent protection from cryptography is not possible. What is possible is the mitigation of risks from cryptographic attacks to an acceptable level. Another possibility is to let other protection mechanisms take over at the software/hardware level if one protection mechanism degrades or fails. They include firewalls, intrusion detection systems, scanners, RFID monitoring, failover servers, VPNs, and PKI.

As shown in Figure 3, these protections form the core of the Defense-in-Depth model of three rings. The middle ring focuses on access and audit controls. Access controls are best achieved with a WSSO for each user via SAML. Auditing is accomplished with an examination of security practices and mechanisms within the organization.

Overlapping the core and middle rings are the operating systems that include both, for example, firewalls and access controls, such as Windows 2000 security, Windows 2003 Server Security, UNIX and Linux security, and Web security. Also included are the automated tools and devices to assess network vulnerabilities.

**Figure 3.** RFID Defence-In-Depth

The outer ring is a set of security policies including business continuity policy, risk assess‐ ment policy, password protection management policy, and server security policy.


Possibility of RFID in Conditions of Postal Operators

http://dx.doi.org/10.5772/53285

Implementing the Defense-in-Depth is not as easy as it seems. Administrators must often choose from among a dizzying array of specialized hardware and software products to meet their organizations' need for network security.

To realize both best-of-breed application choice and full management integration, network administrators should consider an enterprise security solution built on an open architectural platform. With well-defined interfaces, this enables third-party security applications to plug in seamlessly with the overall security policy. In addition, an open architecture can leverage Application Programming Interfaces (APIs) to develop and deploy custom applications to meet specific network security needs.

#### **2.4. RFID data collection tool-backend communication attack**

Middleware and backend communication occur using JMS, SOAP, or HTTP. There are two types of attacks that can have an impact on the backend: MIM application layer attack and a TCP replay attack.

#### *2.4.1. MIM Attack*

A MIM attack occurs when someone monitors the system between you and the person you are communicating with. When computers communicate at low levels of the network layer, they may not be able to determine who they are exchanging data with. In MIM attacks, someone assumes a user's identity in order to read his or her messages. The attacker might be actively replying as you to keep the exchange going and to gain more information. MIM attacks are more likely when there is less physical control of the network (e.g., over the Internet or over a wireless connection).

#### *2.4.2. Application layer attack*

An application layer attack targets application servers by deliberately causing a fault in a server's operating system or applications, which results in the attacker gaining the ability to bypass normal access controls. The attacker takes advantage of the situation, gaining control of your application, system, or network, and can do any of the following:

**•** Read, add, delete, or modify your data or operating system,

**•** introduce a virus program that uses your computers and software applications to copy viruses throughout your network,

**•** introduce a sniffer program to analyze your network and gain information that can eventually be used to crash or corrupt your systems and network,

**•** abnormally terminate your data applications or operating systems,

**•** disable other security controls to enable future attacks.

**•** The best way to prevent MIM and application layer attacks is to use a secure way.

#### *2.4.3. TCP replay attack*

A replay attack is when a hacker uses a sniffer to grab packets off the wire. After the packets are captured, the hacker can extract information from the packets such as authentication information and passwords. Once the information is extracted, the captured data can be placed back on the network or replayed. Some level of authentication of the source of event generator can help stop TCP replay attacks.

#### *2.4.4. Attacks on ONS*

ONS is a service that, given an EPC, can return a list of network-accessible service endpoints pertaining to the EPC in question. ONS does not contain actual data regarding the EPC; it contains only the network address of services that contain the actual data. This information should not be stored on the tag itself; the distributed servers in the Internet should supply the information. ONS and EPC help locate the available data regarding the particular object.

#### *2.4.4.1. Known threats to DNS/ONS*

Since ONS is a subset of Domain Name Server (DNS), all the threats to the DNS also apply to ONS. There are several distinct classes of threats to the DNS, most of which are DNS-related instances of general problems; however, some are specific to peculiarities of the DNS protocol.

**•** *Packet Interception—Manipulating Internet Protocol (IP) packets carrying DNS information* Includes MIM attacks and eavesdropping on request, combined with spoofed responses that modify the "real" response back to the resolver. In any of these scenarios, the attacker can tell either party (usually the resolver) whatever it wants them to believe.

**•** *Query Prediction—Manipulating the Query/Answer Schemes of the User Datagram Protocol (UDP)/IP Protocol* These ID guessing attacks are mostly successful when the victim is in a known state.

**•** *Name Chaining or Cache Poisoning* Injecting manipulated information into DNS caches.

**•** *Betrayal by Trusted Server* Attackers controlling DNS servers in use.

**•** *Denial of Service (DOS)* DNS is vulnerable to DOS attacks. DNS servers are also at risk of being used as a DOS amplifier to attack third parties.

**•** *Authenticated Denial of Domain Names*

#### *2.4.4.2. ONS and confidentiality*

There may be cases where the Electronic Product Code (EPC) of an RFID tag is regarded as highly sensitive information. Even if the connections to EPCIS servers were secured using Secure Sockets Layer (SSL) /Transport Layer Security (TLS), the initial ONS look-up process was not authenticated or encrypted in the first place. The DNS-encoded main part of the EPC, which identifies the asset categories, will traverse every network between the middleware and a possible local DNS server in clear text and is susceptible to network taps placed by internet service providers (ISPs) and governmental organizations.
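To make the exposure concrete, the following added example (not part of the original chapter) converts an EPC into the name that is looked up and shows which fields are readable in the unencrypted DNS query. It assumes the ONS 1.0 name format (serial number dropped, remaining fields reversed under the root `onsepc.com`) and uses a constructed SGTIN value; the function names are hypothetical.

```python
import struct

ONS_ROOT = "onsepc.com"  # ONS 1.0 root domain (assumption of this example)
QTYPE_NAPTR = 35          # ONS answers are DNS NAPTR records
QCLASS_IN = 1


def epc_to_ons_name(epc_uri):
    """Map a pure-identity SGTIN URI to the domain name queried in ONS."""
    prefix = "urn:epc:id:"
    if not epc_uri.startswith(prefix):
        raise ValueError("expected a pure-identity EPC URI")
    scheme, _, body = epc_uri[len(prefix):].partition(":")
    fields = body.split(".")
    if scheme != "sgtin" or len(fields) != 3 or not all(fields):
        raise ValueError("this example handles sgtin:company.item.serial only")
    company, item, _serial = fields  # the serial never enters the query name
    return ".".join([item, company, scheme, "id", ONS_ROOT])


def build_dns_query(qname, txid):
    """Encode a standard recursive DNS query (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b""
    for label in qname.split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("invalid DNS label: %r" % label)
        labels += bytes([len(raw)]) + raw
    question = labels + b"\x00" + struct.pack("!HH", QTYPE_NAPTR, QCLASS_IN)
    return header + question


def visible_to_network_tap(packet):
    """Fields any on-path observer can read from the unencrypted query."""
    labels, pos = [], 12  # the question section follows the 12-byte header
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, _qclass = struct.unpack("!HH", packet[pos + 1:pos + 5])
    return {
        "qname": ".".join(labels),
        "qtype": qtype,
        "item_reference": labels[0],
        "company_prefix": labels[1],
        "scheme": labels[2],
    }


if __name__ == "__main__":
    epc = "urn:epc:id:sgtin:0614141.000024.400"  # constructed sample EPC
    name = epc_to_ons_name(epc)
    packet = build_dns_query(name, txid=0x1A2B)
    print(name)
    print(visible_to_network_tap(packet))
```

The serial number stays out of the query, but the company prefix and item reference, which identify the owner and the object class, are sent as plain ASCII labels, so securing only the later EPCIS connection does not hide them.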

#### *2.4.4.3. ONS and integrity*

Integrity refers to the correctness and completeness of the returned information. An attacker controlling intermediate DNS servers or launching a successful MIM attack on the communication could forge the returned list of Uniform Resource Identifiers (URIs). If no sufficient authentication measures for the EPCIS are in place, the attacker could deliver forged information about this or related EPCs from a similar domain.

#### *2.4.4.4. ONS and authorization*

Authorization refers to protecting computer resources by only allowing the resources to be used by those that have been granted the authority. Without authorization, a remote attacker can do a brute-force attack to query the corresponding EPCIS servers until a match is found. In case the complete serial number is not known, the class identifier of the EPC may be enough to determine the kind of object it belongs to. If using the EPCglobal network becomes ubiquitous and widespread, the attacker could add fake serial numbers to the captured, incomplete EPC and query the corresponding EPCIS servers to find a match. This can be used to identify assets of an entity, be it an individual, a household, a company, or any other organization. If you wore a rare item or a rare combination of items, tracking you could be accomplished just by using the object classes.

#### *2.4.4.5. ONS and authentication*

Authentication refers to identifying the remote user and ensuring that he or she is who they say they are.

#### *2.4.4.6. Mitigation attempts*

**•** *Limit Usage* Use the ONS only in intranet and disallowing any external queries.

**•** *VPN or SSL Tunneling* With data traveling between the remote sites, it needs to be exchanged over an encrypted channel like VPN or SSL Tunneling.

**•** *DNS Security Extensions (DNSSEC)* ensure the authenticity and integrity of DNS. This can be done using Transaction Signatures (TSIG) or asymmetric cryptography with Rivest, Shamir, & Adleman (RSA) and digital signature algorithms (DSAs).

#### **2.5. Risk and vulnerability assessment**

The assessment of risks and vulnerabilities go hand in hand. To begin evaluating your system, you need to ask questions regarding the assessment and tolerance of the risks: what types of information are you talking about at any given point in the system and what form is it in? How much of that information can potentially be lost? Once these risks are evaluated, you can begin to plan how to secure it. A good way to evaluate the risk is to ask five classic investigative questions: "who?", "what?", "when?", "where?" and "how?"

**• Who** is going to conduct the attack or benefit from it? Will it be a competitor or an unknown group of criminals?

**• What** do they hope to gain from the attack? Are they trying to steal a competitor's trade secret? If it is a criminal enterprise, are they seeking customers' credit card numbers?

**• When** will the attack happen? When a business is open 24 hours a day, 7 days a week, it is easy to forget that attacks can occur when you are not there.

**• Where** will it take place? Will the attack occur at your company's headquarters or at an outlying satellite operation? Is the communications link provided by a third party vulnerable?

**• How** will they attack? If they attack the readers via an RF vulnerability, you need to limit how far the RF waves travel from the reader. If the attacker is going after a known vulnerability in the encryption used in the tag reader communications, you have to change the encryption type, and, therefore, also change all of the tags.

#### *2.5.1. Type of RFID risks*

RFID technology enables an organization to significantly change its business processes to:

**•** Increase its efficiency, which results in lower costs.

**•** Increase its effectiveness, which improves mission performance and makes the implementing organization more resilient and better able to assign accountability, and

**•** Respond to customer requirements to use RFID technology to support supply chains and other applications.[16]

This section reviews the major high-level business risks associated with RFID systems so that organizations planning or operating these systems can better identify, characterize, and manage the risk in their environments. The risks are as follows:

Business process risk - direct attacks on RFID system components potentially could undermine the business processes the RFID system was designed to enable. For example, a warehouse that relies on RFID to automatically track items removed from its inventory may not be able to detect theft if the RFID system fails.

Business intelligence risk - an adversary or competitor potentially could gain unauthorized access to RFID-generated information and use it to harm the interests of the organization implementing the RFID system. For example, an adversary might use an interrogator to determine whether a shipping container holds expensive electronic equipment, and then target the container for theft when it gets a positive reading.

Privacy risk - the misuse of RFID technology could violate personal privacy when the RFID application calls for personally identifiable information to be on the tag or associated with the tag. For example, if a person carries products that contain RFID tags, those tags may be surreptitiously read by an adversary. This could reveal that person's personal preferences such as where they shop, or what brands they buy, or it might allow them to track that person's location at various points in time.[16]

**3. RFID in procedural conditions of logistic operators**

Supply chain can be defined as the parts that are involved, directly or indirectly, in fulfilling a customer request (Chopra and Peter 2007). By this definition, it can be seen that a supply chain consists of manufacturers, warehouses, retailers, transporters, and customers. The purpose of a supply chain is to maximize the value generated for the customer; namely, maximizing the difference between the final product worth and the total expended by the supply chain to provide the product to the customer.

In order to succeed, the supply chain must be conducted to minimize the costs incurred. Supply chain management (SCM) is responsible for optimizing the flows within its operational stages which include raw materials, manufacturing, distribution, and transportation in order to minimize the total cost of the supply chain. SCM is a unification of a series of concepts about integrated business planning that can be joined together by the advances in information technology (IT) (Shapiro 2007), yet many companies have not completely taken advantage of this process.

In today's world, the competition between companies, more demanding customers, and reduced margins make the scenario more difficult for companies to succeed, to this context, SCM is an important practice for companies that want not only to keep in business but also have their results optimized and meet the clients' expectations.

Responsiveness in the supply chain has gained importance and it is a trend that apparently will dictate future decisions regarding supply chain design. According to Kovack, Langley, and Rinehart (1995), the themes that will have influence on logistics on the near future are:

**•** Strong corporate leadership will enhance logistics value through focusing on efficiency, effectiveness, and differentiation.

**•** Value realization requires marketing of logistics capabilities within the company and to external customers.

**•** Emphasis on the "scientific" aspect of logistics management in order to enhance the "art" of creating customer satisfaction. Enhancing logistics value through integrating product, information, and cash flows for decision-making linking external and internal processes. Logistics value enhanced by ownership of responsibility internally and externally to the firm.

**•** Focus of successful companies is to create internal value for their organizations and external value for their suppliers and customers.

From these themes, it can be seen that SCM plays and will continue to play an active role in successful companies' routines. In order to achieve better results in the supply chain and better responsiveness to customers' necessities, new techniques such as real-time inventory and dynamic supply chain need to be developed.

Externality risk - RFID technology potentially could represent a threat to non-RFID networked or collocated systems, assets, and people. For example, an adversary could gain unauthorized access to computers on an enterprise network through Internet Protocol (IP) enabled interrogators if the interrogators are not designed and configured properly. Multiple RFID interrogators operating in a confined space may cause hazards of electromagnetic radiation to fuel, ordnance or people in the vicinity.

#### *2.5.2. Risks in supply chain management and tracking applications*

Tracking applications are used to identify the location of an item, or more accurately, the location of the last interrogator that detected the presence of the tag associated with the item. An example of an intentional attack on an RFID business process is cloning, which occurs when an adversary reads information from a legitimate RFID tag and then programs another tag or device to emulate the behavior of the legitimate tag. Another attack on an RFID business process would be removing a tag from the item it is intended to identify and attaching it to another unrelated item.
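One check a tracking backend can run against cloning is sketched below as an added example, not code from the chapter. Because a tag's location is taken to be the last interrogator that read it, the same identifier appearing at two sites faster than a shipment could travel between them suggests a copy is in circulation. The interrogator names, sites, minimum travel time and log lines are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed deployment data: the site of each interrogator and the shortest
# plausible transport time between two sites.
SITE_OF = {
    "HUB-A-DOCK-1": "HUB-A",
    "HUB-A-DOCK-2": "HUB-A",
    "DEPOT-B-GATE-1": "DEPOT-B",
}
MIN_TRAVEL = {frozenset(("HUB-A", "DEPOT-B")): timedelta(hours=2)}

# Constructed read log: timestamp, tag identifier, interrogator.
SAMPLE_LOG = """\
2024-03-01T08:00:00 urn:epc:id:sgtin:0614141.000024.400 HUB-A-DOCK-1
2024-03-01T08:05:00 urn:epc:id:sgtin:0614141.000024.400 HUB-A-DOCK-2
2024-03-01T08:20:00 urn:epc:id:sgtin:0614141.000024.400 DEPOT-B-GATE-1
2024-03-01T08:10:00 urn:epc:id:sgtin:0614141.000024.401 HUB-A-DOCK-1
2024-03-01T11:00:00 urn:epc:id:sgtin:0614141.000024.401 DEPOT-B-GATE-1
2024-03-01T11:30:00 urn:epc:id:sgtin:0614141.000024.402 YARD-C-GATE-9
"""


def parse_reads(log_text):
    """Return (time, tag, interrogator) tuples in chronological order."""
    reads = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, tag_id, reader = line.split()
        reads.append((datetime.fromisoformat(stamp), tag_id, reader))
    return sorted(reads)


def find_clone_suspects(reads, site_of=SITE_OF, min_travel=MIN_TRAVEL):
    """Flag tags seen at two sites sooner than the route between them allows."""
    last_seen = {}  # tag -> (time, site) of the last interrogator that read it
    alerts = []
    for when, tag_id, reader in reads:
        site = site_of.get(reader)
        if site is None:
            # A read from an unregistered interrogator cannot be located.
            alerts.append({"tag": tag_id, "reason": "unknown interrogator",
                           "reader": reader})
            continue
        previous = last_seen.get(tag_id)
        if previous is not None:
            prev_when, prev_site = previous
            # Same-site pairs and unlisted routes default to no minimum.
            needed = min_travel.get(frozenset((prev_site, site)), timedelta(0))
            if when - prev_when < needed:
                alerts.append({
                    "tag": tag_id,
                    "reason": "implausible travel",
                    "from_site": prev_site,
                    "to_site": site,
                    "gap_minutes": (when - prev_when).total_seconds() / 60,
                })
        last_seen[tag_id] = (when, site)
    return alerts


if __name__ == "__main__":
    for alert in find_clone_suspects(parse_reads(SAMPLE_LOG)):
        print(alert)
```

This check does not cover the second attack mentioned above, a genuine tag moved to another item, because that tag still travels at a plausible speed.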

Supply chain management involves the monitoring and control of products from manufacture to distribution to retail sale. Supply chain management typically bundles several application types, including asset management, tracking, process control, and payment systems. Supply chain systems record information about products at every stage in the supply chain. Ideally, tags are affixed to products during the manufacturing process or soon afterward. As a product moves through the supply chain, to the customer, and to post-sale service, the tag's identifier can be used by all supply chain participants to refer to a specific item.

In addition, supply chain systems that use active tags can track larger objects such as cargo containers. Tags on these containers can store a manifest of the items shipped in each container. This manifest can be automatically updated when items are removed from the container. Potential problems are not just limited to the RF subsystem. If the network supporting the RFID system is down, then the RFID system is likely down as well. In supply chain applications, network failures at any point in the chain have the potential to impact the business processes of any subsequent link in the chain. For example, if a supplier is unable to write manifest data to a tag, then the recipient cannot use that data in its operations even if its RFID interrogators and network infrastructure are fully functional. Servers hosting RFID middleware, databases, analytic systems, and authentication services are all points of failure.

Any efforts to assess business process risk need to be comprehensive, because such a wide variety of potential threats exist. All of these threats have the potential to undermine the supported business process and therefore the mission of the implementing organization.[3]
