Security and Privacy in RFID-Enabled Supply Chains
Abstract
A supply chain is a network of multiple parties, such as suppliers, transporters, storage facilities, distributors, and retailers, that participate in the production, delivery, and sale of a product. A supply chain is difficult to monitor because the parties involved are distributed across multiple locations or even across countries. RFID technology, when combined with networking technology, enables product information to be collected, integrated, shared, and queried in supply chains at various levels (e.g., item, pallet, case, and container) in real time. While RFID technology has greatly facilitated supply chain management, it is still challenging to design a secure, privacy-preserving, and efficient RFID-enabled supply chain system. The wireless communications between RFID readers and tags are subject to a variety of attacks. An adversary may eavesdrop on, replay, and manipulate RFID communications to obtain tag identifiers, track tag locations, impersonate tags and readers, and trigger denial of service. This dissertation focuses on secure and privacy-preserving tag authentication in various supply chain application scenarios. Our first work is on attacks and improvements of an existing mutual authentication protocol and a tag secret update protocol for RFID-enabled supply chains. Our second work improves the efficiency of an RFID-enabled supply chain system by designing the system in two security modes. In the weak security mode, the tagged products can be processed in a highly efficient way. In the strong security mode, our system guarantees a high level of security, while its efficiency is lower than that in the weak security mode. Our third work addresses the tag authentication problem in the scenario of third-party logistics (3PL). We first formalize the security and privacy requirements of RFID systems for 3PL supply chains, considering the existence of internal adversaries as well as external adversaries.
We propose two different protocols: one is based on aggregate message authentication codes, and the other is based on an aggregate signature scheme. Our solutions enable a third party to check tag existence without knowing tag secrets. Our fourth work focuses on path authentication in RFID-enabled supply chains. We propose a single-game-based privacy notion for RFID-enabled path authentication which has been proven to be stronger than existing privacy notions for path authentication. We also propose two new path authentication schemes, one for closed supply chains and another for dynamic supply chains.