Zero-knowledge Device Authentication: Privacy & Security Enhanced RFID preserving Business Value and Consumer Convenience

Radio frequency identification (RFID) technology is expected to enhance the operational efficiency of supply chain processes and customer service as well as adding digital functionality to products that were previously non-digital such as, e.g., washing machines automatically adapting to the clothes put into the machine. However, consumer response clearly shows significant concern and resistance related to consumer tracking and profiling as well as problems related to government tracking, criminal or terrorist abuse etc. Multiple conferences warn that RFID take-up is likely dependant on solving the privacy and security problems early. These concerns are not adequately addressed by current technology and legislation. In this paper, we present a model of the lifecycle of RFID tags used in the retail sector and identify the different actors who may interact with a tag. The lifecycle model is analysed in order to identify potential threats to the privacy of consumers and define a threat model. We suggest that the in-store problem is more related to lack of privacy solutions for the consumer himself than for the RFID. We propose a solution to the RFID privacy problem, which through zero-knowledge protocols and consumer control of keys has the potential to ensure consumer privacy needs without reducing corporate value from utilising the potential of RFID. We propose that securing RFIDs will require a physical redesign of RFIDs but that this can be done without leaving security and privacy issues to consent or regulation.