
Security System to Balance Privacy and Supply Chain

An authentication technique called "zero knowledge proofs" can purportedly balance the commercial benefits of RFID in the supply chain with the privacy concerns of consumers.
Aug 12, 2005. This article was originally published by RFID Update.

August 12, 2005—The RFiD Society has published a short paper about a newly proposed approach to RFID privacy and security. It is an authentication technique called "zero knowledge proofs" that can purportedly balance the commercial benefits of RFID in the supply chain with the privacy concerns of consumers. Stephan Engberg is the leading proponent of the patented approach, and he has founded RFIDSec in an effort to commercialize it with the ZEROLEAK product line.

In essence, a zero knowledge proof allows the interrogator of a tag (i.e., the RFID reader device) to prove its own identity in a way that does not compromise any of the tag's data. (The paper linked below includes a detailed description of the concept.) Once the reader has "proven" its identity through a series of authentication commands, it is able to read the contents of the tag. The system is dual mode. While the tag is traveling through the supply chain, it is in "EPC mode" and offers all the track-and-trace functionality expected of RFID technology to enhance the supply chain. Upon checkout, the tag is switched to "privacy mode," at which point it is either totally disabled ("killed") or configured to share its identity for the purposes of subsequent warranty servicing and recalls.

The paper asserts a number of ways in which the zero knowledge proof security methodology is complementary to that employed by EPC:
  1. It can only ever expose identity information, that is, information related to the authentication between tag and reader.
  2. It only requires a closed, local computer system to run. The EPC approach, by contrast, requires the full EPCglobal Network infrastructure, including the ONS and EPC discovery services.
  3. The EPC system makes available an index of information stored on each tag, and "there is no control over the amount of information that might be made available through that index." Zero knowledge makes a point of avoiding the sharing of extraneous information.
  4. Lastly, zero knowledge allows for some flexibility in the strength of authentication. Such flexibility allows an application designer to configure a system to be either more or less secure, depending on the needs of the application.
These supposedly superior qualities of zero knowledge do not imply that it should be used instead of EPC. On the contrary, the paper explicitly states that "the proposed solution is to use RFID chips that combine the strengths of ... both EPC and zero knowledge." In so doing, supply chain benefits, theft prevention, anti-tag counterfeiting, and consumer privacy protections are all achieved.
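To make the reader-authenticates-before-the-tag-answers flow and the adjustable authentication strength from item 4 concrete, here is an added example (not from the paper or from RFIDSec) that uses the textbook Fiat-Shamir identification protocol as a stand-in, because this article does not give the details of the patented scheme. The `Tag`, `HonestReader` and `GuessingReader` classes, the toy modulus, the secret and the tag ID are all assumptions constructed for illustration; a reader without the secret can pass any single round with probability 1/2, so the `rounds` setting is the strength knob.

```python
import secrets

# Constructed toy parameters (two Mersenne primes); a real modulus would be 2048+ bits.
N = (2**31 - 1) * (2**61 - 1)
READER_SECRET = 123456789                  # s, known only to the authorised reader
READER_PUBLIC = pow(READER_SECRET, 2, N)   # v = s^2 mod N, provisioned on the tag


class HonestReader:
    """Knows s, so it can answer either challenge bit."""
    def __init__(self, s):
        self.s = s
    def commit(self):
        self.r = secrets.randbelow(N - 2) + 2
        return pow(self.r, 2, N)                   # x = r^2 mod N
    def respond(self, e):
        return self.r * pow(self.s, e, N) % N      # y = r * s^e mod N


class GuessingReader:
    """Does not know s; its commitment only works for one guessed challenge bit."""
    def __init__(self, v, guess):
        self.v, self.guess = v, guess
    def commit(self):
        self.y = secrets.randbelow(N - 2) + 2
        # x = y^2 * v^(-guess) mod N satisfies the tag's check only if e == guess
        return self.y * self.y * pow(self.v, -self.guess, N) % N
    def respond(self, e):
        return self.y


class Tag:
    """Hypothetical privacy-mode tag: releases its ID only after `rounds` valid proofs."""
    def __init__(self, tag_id, v, rounds):
        self.tag_id, self.v, self.rounds = tag_id, v, rounds
    def read(self, reader, challenges=None):
        for i in range(self.rounds):
            x = reader.commit()
            e = challenges[i] if challenges is not None else secrets.randbelow(2)
            y = reader.respond(e)
            if pow(y, 2, N) != x * pow(self.v, e, N) % N:
                return None                        # stay silent: no identifier exposed
        return self.tag_id
```

The `challenges` argument exists only so the rounds can be replayed deterministically; a tag would draw each challenge bit at random, giving an unauthorised reader a 2^-rounds chance of being answered.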

Without more data on zero knowledge, it is hard to know how well it can live up to the claims. But one thing is for sure: the more resources that are devoted to balancing supply chain benefits with consumer privacy and security, the better for everyone involved.

Read the full paper