Trust and Security in RFID-Based Product Authentication Systems

Product authentication is needed to detect counterfeit products and to prevent them from entering the distribution channels of genuine products. Security is a critical property of product authentication systems. In this paper, we study trust and security in RFID-based product authentication systems. We first present a formal definition for product authentication process and then derive the general chain of trust as well as functional and nonfunctional security requirements for product authentication. Most of the scientific literature that covers the topic focuses on cryptographic tag authentication only. This paper, however, provides a broader view including also other known approaches, most notably location-based authentication. To derive the functional security requirements, we employ the concept of misuse cases that extends the use case paradigm well known in the field of requirements engineering. We argue that the level of security of any RFID-based product authentication application is determined by how it fulfills the derived set of functional and nonfunctional requirements. The security of different RFID-based product authentication approaches is analyzed. To study how RFID supports secure product authentication in practice, we investigate how the current EPC standards conform to the functional security requirements of product authentication and show how the unaddressed requirements could be fulfilled. The benefits of implementing a service that detects the cloned tags in the level of the network's core services are identified.