RFID Middleware
Vlad Krotov
University of Houston
Bauer College of Business
Summer 2006
Wen-Nung Tsai
tsaiwn@csie.nctu.edu.tw
Source: Forrester, 2004; www.rfidvirus.org
Agenda
• Introduction to Middleware
– EPCglobal Network
– Savant and ONS
• Types of RFID Vendors
• Middleware Functionality
• RFID Middleware
• Threats to RFID Middleware
• RFID Privacy
2
Definition
• Middleware – software that connects two
disparate applications, allowing them to
communicate with each other and to
exchange data (Laudon & Laudon, 2002)
• Middleware – Software that provides a link
between separate software applications.
Middleware sits "in the middle" between
application software that may be working
on different operating systems. (wikipedia)
3
Middleware Layers
(layers, top to bottom)
• Applications
• Middleware layers:
– RPC, RMI, and events
– Request reply protocol
– eXternal Data Representation (XDR)
• Operating System
Layered responsibility, division of labor and cooperation
4
RFID systems: logical view
[Figure: logical view of an RFID system, with components numbered 1 to 12 in the original diagram. Labels: Write data to RF tags; Items with RF Tags; Antenna; Reader; Read Manager; Transaction Data Store; Application Systems; EDI / XML; Trading Partner Systems; Tag/Item Relationship Database; Internet; ONS Server; Product Information (PML Format). Groupings along the bottom: Tag Interfaces, RFID Middleware, Other Systems.]
5
Underlying Drivers of RFID
Middleware
• Standards
• Integration
• Auto-ID Center is a non-profit organization
supported by major software, consulting, tag and
reader manufacturers and by MIT, Cambridge
University and Adelaide University
In October 2003, the Auto-ID Center was
replaced by the Auto-ID Labs and EPCglobal.
Auto-ID: Methods of collecting data and entering it directly into
computer systems without human involvement.
6
Standards
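• Level I: mainly specifies the radio communication frequencies used by RFID
– ISO 18000 series: ISO 18000-2 through ISO 18000-7 define
135 KHz, 13.56 MHz, 2.45 GHz, 5.8 GHz, 860-930 MHz
and 433 MHz
• Level II: specifies the data structure inside RFID tags
– EPCglobal: EPC (Electronic Product Code; electronic barcode)
• Level III: system integration
– Global Data Synchronization Network (GDSN)
– EPCglobal Network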
7
Definitions
Tags: The data carriers.
Reader: The data capture device; portable or fixed (installed), connected to a
Savant or network.
EPC: Electronic Product Code: the code carried by the data carrier; the
globally unique pointer for making enquiries about the item
associated with the EPC.
Savant: Servers which act as local repositories for EPCs and associated
information, and which support sophisticated, flexible middleware for
serving PML queries.
ONS: Object Name Service; the distributed resource that “knows” where
information about EPCs is held (just like DNS).
PML: Physical Markup Language; like XML, with XQL query structure to
allow structured querying and reporting of EPCs and attributed data.
8
EPCglobal Network
• The EPCglobal Network is a set of global
technical standards aimed at enabling
automatic and instant identification of items in
the supply chain and sharing the information
throughout the supply chain. (AutoID)
• The EPCglobal Network™ consists of five
fundamental elements:
– ID System (EPC Tags and Readers),
– Electronic Product Code (EPC)
– Object Name Service (ONS)
– Physical Markup Language (PML)
– Savant
9
RFID Middleware Structure
Tag Data Standard / Air Interface
• Designed to process the streams of tag or sensor data
• Accommodates different reader vendors
ALE (Application Level Events)
• Application interface to filter, aggregate, reduce the volume of data prior to
sending events to the back end business application
• Standardizes interfaces between readers, ONS, XML, and Enterprise
Applications
EPCIS (EPC Information Services)
• Recording and exchange of business-level EPC data (PML)
• Describe how the EPC information can be stored and accessed via the Network
[Figure labels: EPCIS; Tag Reads; ALE]
10
EPC Tags
64 and 96 bit EPC tags have been defined
Field     Header   EPC Manager   Object Class   Serial Number
Example   01       0000A21       00015E         000189DF0
Bits      8 Bits   8 – 35 bits   39 – 56 bits   60 – 95 bits
• Allows for unique IDs for 268 million companies
• Each company can then have 16 million object classes
• Each object or SKU can have 68 billion serial numbers assigned to it
Header (8 bits): header
Manufacturer (28 bits): manufacturer code
Product (24 bits): product code
Serial Number (36 bits): serial number; one code per item
11
GTIN: Global Trade Item Number
EPC-96: GTIN in an EPC
Element   Header   Type   Part.   EPC Manager     Object Class   Serial Number
Bits      8        3      3       27              17             38
Value10   016      3      4       0-134,217,727   0-131,071      0-274,877,906,943
Example: Procter & Gamble Bounty® paper towels 15 pack
– EAN•UCC GTIN = EAN•UCC CP + Item Reference
– EAN•UCC CP: 0037000
– Item Reference: 06524
– Serial Number: new element for individual item tracking
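The two 96-bit layouts on the EPC Tags and GTIN slides can be checked with a small field splitter. This is an added example, not part of the original slides; the function and constant names are assumptions, the field widths are the ones listed above, and the GTIN-layout values in the demo are constructed. It rejects anything that is not exactly 96 bits of hex, which is the first check a middleware should make on tag data.

```python
import re

# Field widths in bits, most significant field first, as listed on the slides.
EPC96_GENERAL = (("header", 8), ("manager", 28),
                 ("object_class", 24), ("serial", 36))
EPC96_GTIN = (("header", 8), ("type", 3), ("partition", 3),
              ("manager", 27), ("object_class", 17), ("serial", 38))

_HEX96 = re.compile(r"[0-9A-Fa-f]{24}")


def split_epc96(hex_epc, layout=EPC96_GENERAL):
    """Split a 96-bit EPC (24 hex digits, spaces allowed) into integer fields.

    Raises ValueError for over-long, short or non-hex input so malformed tag
    data never reaches the rest of the pipeline.
    """
    if sum(width for _, width in layout) != 96:
        raise ValueError("layout must cover exactly 96 bits")
    compact = hex_epc.replace(" ", "")
    if not _HEX96.fullmatch(compact):
        raise ValueError("EPC-96 must be exactly 24 hex digits")
    value, remaining, fields = int(compact, 16), 96, {}
    for name, width in layout:
        remaining -= width
        fields[name] = (value >> remaining) & ((1 << width) - 1)
    return fields


def pack_epc96(fields, layout=EPC96_GENERAL):
    """Inverse of split_epc96; rejects values that do not fit their field."""
    value = 0
    for name, width in layout:
        if not 0 <= fields[name] < (1 << width):
            raise ValueError(f"{name} does not fit in {width} bits")
        value = (value << width) | fields[name]
    return f"{value:024X}"


def capacity(layout, name):
    """Number of distinct values the named field can hold."""
    return 1 << dict(layout)[name]


if __name__ == "__main__":
    # The example value from the EPC Tags slide.
    print(split_epc96("01 0000A21 00015E 000189DF0"))
    # Constructed GTIN-layout values, packed and split again.
    sample = {"header": 0, "type": 3, "partition": 4,
              "manager": 37000, "object_class": 6524, "serial": 1}
    print(split_epc96(pack_epc96(sample, EPC96_GTIN), EPC96_GTIN))
    print(capacity(EPC96_GENERAL, "manager"))
```

The capacities it reports (2^28, 2^24, 2^36) are the "268 million", "16 million" and "68 billion" figures on the EPC Tags slide, and the GTIN layout gives the value ranges in the table above.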
12
EPC and PML
• EPC – Electronic Product Code
– Header – handles version and upgrades
– EPC Manager – Product Manufacturer Code
– Object Class – Class/Type of Product
– Serial Number – Unique Object Identity
• PML – Physical Markup Language
– Extension of XML
– Representation of Tagged Object Information
– Interaction of Tagged Object Information
13
Savant and PML
• Physical Markup Language (PML) is used
as a common language in the EPCglobal
Network to define data on physical objects.
• Savant is a software technology that acts
as the central nervous system of the
EPCglobal Network. Savant manages and
moves information in a way that does not
overload existing corporate and public
networks.
14
Savant
• Savant is middleware developed by Auto-ID to
sit between RFID readers and
databases
• Savant sits between tag readers and enterprise
applications in order to manage the vast amount of
information retrieved from the tags
• Savant manages and moves information in a way that
does not overload existing networks
• Savant has a hierarchical architecture that directs the
flow of data by gathering, storing, and acting on
information and communicating with other Savants
• In a Savant system, lower level Savants process, filter
and direct information to the higher level ones and,
consequently, massive flow of information and network
traffic is reduced
15
Savant and ONS
• Savants
– Manage the flow of EPC data from RFID readers
• Data smoothing
• Reader coordination
• Data forwarding
• Data storage
– Interact with the ONS network
• ONS Servers
– Directory for EPC information, similar to Internet DNS
– Uses the object manager number of the EPC to find
out how to get more information about the product
16
DNS vs. ONS
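World Wide Web vs. EPCglobal Network
• DNS / ONS
– DNS: directs the routing of network addresses and mail
– ONS: directs the route to product manufacturing information records
• Web Sites / EPC Information Services
– Web Sites: source of information on a particular topic
– EPC Information Services: source of information on a particular product (example: expiration date)
• Search Engines / EPC Discovery Services
– Search Engines: tool for searching web pages
– EPC Discovery Services: tool for searching EPCIS
• Security Services / EPC Trust Services
– Security Services: provide a trust mechanism for data exchange and sharing
– EPC Trust Services: provide security and distribution control for EPC product data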
17
18
19
Types of RFID Vendors (1/4)
• RFID Pure Plays – offer products that
integrate with RFID readers, filter and
aggregate data, and may incorporate
some business rules
– ConnectTerra
– GlobeRanger
– OATSystems
– RF Code
20
Types of RFID Vendors (2/4)
• Application Vendors – offer software ranging
from RFID-enabled applications for warehouse
and asset management to more robust RFID
middleware solutions for reader coordination,
data filtering, and business logic capabilities
– Povia Software
– Manhattan Associates
– RedPrairie
– SAP
21
Types of RFID Vendors (3/4)
• Platform Giants – extend their existing
platforms and middleware to
accommodate RFID
– Sun Microsystems
– IBM
– Oracle
– Microsoft
22
Types of RFID Vendors (4/4)
• Integration Specialists – similar to
platform giants, integration specialists are
adding RFID features like reader
coordination and edge-tier filtering to
their existing integration technology
– webMethods
– TIBCO
– Ascential Software
23
Middleware Functionality (1/4)
• Reader and device management. RFID
middleware should allow users to configure,
monitor, deploy, and issue commands directly to
readers through a common interface.
• Data management. Once RFID middleware
captures EPC data from readers, it must be able
to intelligently filter and route it to the
appropriate destinations. This capability should
include both low-level logic like filtering out
duplicate reads and more complex algorithms
like content-based routing
24
Middleware Functionality (2/4)
• Application integration. RFID middleware
solutions should provide the messaging, routing,
and connectivity features required to reliably
integrate RFID data into existing SCM, ERP,
WMS, or CRM systems
• Partner integration. Some of the most
promising benefits of RFID will come from
sharing RFID data with partners to improve
collaborative processes like demand forecasting
and vendor-managed inventory
25
Middleware Functionality (3/4)
• Process management and application
development. Instead of just routing RFID data
to business applications, sophisticated RFID
middleware platforms will actually orchestrate
RFID-related end-to-end processes that touch
multiple applications and/or enterprises, like
inventory replenishment. Key process
management and composite application
development features include workflow, role
management, process automation, and UI
development tools.
26
Middleware Functionality (4/4)
• Packaged RFID content. RFID middleware platforms
that include packaged routing logic, product data
schemas, and integration with typical RFID-related
applications and processes like shipping, receiving, and
asset tracking are major assets
• Architecture scalability and administration. This
means that RFID middleware platforms must include
features for dynamically balancing processing loads
across multiple servers and automatically rerouting data
upon server failure. These features should span all tiers
of the architecture — even the edge devices
27
28
Single-Tier RFID Middleware
Architecture
29
Multitier RFID Middleware
Architecture
30
Forrester Research Conclusions
• Manhattan Associates, OAT, and SAP lead with strong
mandate solutions
• Pure plays like GlobeRanger and ConnecTerra also offer
viable solutions for early adopters. But unlike
OATSystems, these vendors offer “pure” middleware
solutions that provide strong reader integration
capabilities and APIs for publishing RFID data to back-
end applications and typically incorporate less packaged
application logic like EPC track-and-trace tools.
• Both Savi Technology and RF Code have specialty
capabilities and experience with active RFID tags
• Most platform and integration vendors lack
generally available products
31
RFID Middleware
• Sun (merged into Oracle in 2010)
• SAP
• Microsoft
• Oracle
EPC Discovery Service (EPC_DS) is an EPCglobal
Network service that allows companies to search for
every reader that has read a particular EPC™ tag.
EPC Information Service (EPC_IS) is an EPC™ network
infrastructure that enables companies to store data associated
with EPCs in secure databases on the Web.
32
Sun's RFID Software Architecture
33
Sun's Event Manager
34
Sun's Information Server
35
SAP
36
[Figure: labels include Customer Value Creation; ERP Systems; Information Flow (High Resolution, Real-time, Process Based, High Accuracy); Application Innovation; Middleware; Process Agility; RFID; Process Quality and Measurement; Alien Device Deployment Kit; Alien RFID Provider.]
37
BizTalk RFID server provides a common platform
for RFID applications to interact with diverse
RFID devices such as readers and printers.
38
Middleware framework: PINES™
[Figure: PINES™ framework block diagram. Block labels: Data Collection & Device Management Engine; Device Management Engine and UI; Movement and Device Emulator Engine; Layout Management Engine; Layout Management UI; Layout Store; Event Store; Product Information Store; EIS Data Connector; PML Server; Real-time Decision Support and Action Engine; Query Engine and UI; Notification Engine and UI; Graphical Dashboard; Rule Engine; Automated Actionable Rules; Automatic Actuation Engine.]
39
Source: Persistent Systems
Retail case study: Enabling real-time
decisions
1. Raw event data
2. Log data
3. Query o/p data
4. Off-take data on X product
5. Four hours to close of retail stores and product X sales target for the day not met!
6. Notifications for approval of promotional offer on product X
7. Approval
8. Approval alert
9. Promotional offer update
10. Promotional offer update
11. Promotional offer alert
12. Last three hour promotional offer alert on product X
40
Source: Persistent Systems
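Development Trends in RFID Middleware
• Application Middleware
– Aims to integrate and connect RFID devices through APIs
– Focuses on handling the connection between front-end and back-end systems
• Infrastructure Middleware
– Can satisfy many-to-many interfacing needs
– Provides data collection, filtering, and platform management and maintenance functions
• Solution Middleware
– Provides the interface through which automated systems communicate with RFID readers/writers and tags
– Offers innovative solutions for different domains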
41
Threats to RFID Middleware
(Source: www.rfidvirus.org)
• Sniffing attack (eavesdropping)
• Masquerade attack (forgery)
• Replay attack
• Denial of Service attack (DoS)
• DDoS attack (distributed denial of service)
• Buffer overflow attack
• Code insertion, SQL injection
42
Why RFID systems are vulnerable
to attacks
• Lots of source code
• Generic protocols
• Back-end databases
• High-value data
• False sense of security
43
RFID-Based Exploits
• Buffer Overflows
– The life of a buffer overflow begins when an attacker
inputs data either directly (i.e. via user input) or
indirectly (i.e. via environment variables).
– This input data is deliberately longer than the
allocated end of a buffer in memory, so it overwrites
whatever else happened to be there.
– Since program control data is often located in the
memory areas adjacent to data buffers, the buffer
overflow can cause the program to execute arbitrary
code
44
RFID-Based Exploits
• Buffer Overflows
– RFID tags are limited to 1024 bits or less.
– However, commands like 'write multiple blocks' from ISO-
15693 can allow a resource-poor RFID tag to repeatedly
send the same data block, with the net result of filling up
an application-level buffer.
– Meticulous formatting of the repeatedly sent data
– An attacker can also use contactless smart cards, which
have a larger amount of available storage space.
– An attacker can really blow RFID middleware's buffers
away, by using a resource rich actively-powered RFID
tag simulating device, like the RFID Guardian
45
RFID-Based Exploits
• Code Insertion
– Malicious code can be injected into an
application by an attacker, using any number
of scripting languages including VBScript, CGI,
Java, JavaScript, and Perl
46
RFID-Based Exploits
• SQL injection
– SQL injection is a type of code insertion attack that
tricks a database into running SQL code that was not
intended.
– Attackers have several objectives:
• They might want to enumerate (map out) the database
structure. Then, the attackers might want to retrieve
unauthorized data, or make equally unauthorized
modifications or deletions.
• Databases also sometimes allow DB administrators to
execute system commands. A system command can be used
to attack the system
47
RFID-Based Worms
• A worm is a program that self-propagates across a
network, exploiting security flaws in widely-used services
• A worm is distinguishable from a virus in that a worm
does not require any user activity to propagate
• Worms usually have a payload, which performs activities
ranging from deleting files, to sending information via
email, to installing software patches
• One of the most common payloads for a worm is to
install a “backdoor” in the infected computer, which
grants hackers easy return access to that computer
system in the future.
48
RFID-Based Viruses
• One can develop RFID based viruses
using SQL language.
• The SQL data can be transmitted to a
system via an RFID tag
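The buffer overflow and SQL injection slides both come down to middleware treating tag contents as trusted. The sketch below is an added example, not code from the slides or from rfidvirus.org: it shows the three matching controls, a hard ceiling on accumulated block reads (using the slides' 1024-bit tag size), an allow-list check on a text field, and a bound-parameter insert. The table layout, field policy, class and function names, and the sample payload are all constructed for illustration.

```python
import re
import sqlite3

MAX_TAG_BYTES = 1024 // 8      # the slides' bound: tags hold 1024 bits or less
_LABEL = re.compile(rb"[A-Za-z0-9 ._-]*")   # assumed policy for a label field


class TagDataError(ValueError):
    """Raised when tag data breaks the size or character policy."""


class ReadBuffer:
    """Accumulates block reads from one tag under a hard size ceiling."""

    def __init__(self, limit=MAX_TAG_BYTES):
        self.limit, self.data = limit, bytearray()

    def append(self, block):
        # Check before copying, so repeated blocks cannot grow past the limit.
        if len(self.data) + len(block) > self.limit:
            raise TagDataError("more data than a tag can hold")
        self.data += block
        return len(self.data)


def validate_label(raw):
    """Allow-list check on a free-text tag field before it is used anywhere."""
    if len(raw) > MAX_TAG_BYTES or not _LABEL.fullmatch(raw):
        raise TagDataError("unexpected length or characters in tag data")
    return raw.decode("ascii")


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE reads (tag_id TEXT, label TEXT)")
    return db


def store_read(db, tag_id, label):
    """Bound parameters: tag data is always a value, never SQL text."""
    db.execute("INSERT INTO reads (tag_id, label) VALUES (?, ?)",
               (tag_id, label))


def demo():
    db = open_db()
    hostile = b"Apples'; DELETE FROM reads; --"   # constructed sample payload
    store_read(db, "tag-1", validate_label(b"Apples"))
    try:
        store_read(db, "tag-2", validate_label(hostile))
        rejected = False
    except TagDataError:
        rejected = True
    # Defence in depth: even unvalidated, a bound value stays inert data.
    store_read(db, "tag-3", hostile.decode("ascii"))
    rows = db.execute("SELECT label FROM reads ORDER BY tag_id").fetchall()
    return rejected, [r[0] for r in rows]


if __name__ == "__main__":
    print(demo())
```

Python cannot itself be overrun the way a C buffer can; `ReadBuffer` stands in for the length check that native middleware must make before every copy.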
49
Tag Collision Problem
• Multiple tags simultaneously respond to query
– Results in collision at the reader
• Several approaches
– Tree algorithm
– Memoryless protocol
– Contactless protocol
– I-code protocol
50
Tree Algorithm
– Reader queries for tags
– Reader informs in case of collision and tags
generates 0 or 1 randomly
– If 0 then tag retransmits on next query
– If 1 then tag becomes silent and starts incrementing
its counter (which is initially zero)
– Counter incremented every time collision reported
and decremented every time identification reported
– Tag remains silent till its counter becomes zero
51
Tree Algorithm – Example
Reader informs tags in case of collision and tags generate 0 or 1.
• If 0 then tag retransmits on next query, else tag becomes silent and starts a counter.
Counter incremented every time collision reported and decremented otherwise.
52
Memoryless Protocol
• Assumption: tagID stored in k bit binary string
• Algorithm
– Reader queries for prefix p
– In case of collision queries for p0 or p1
• Time complexity
– Running time – O(n)
– Worst case – n*(k + 2 - log n)
• Message complexity – k*(2.21 log n + 4.19)
53
Memoryless Protocol – Example
• Reader queries for prefix p
• In case of collision, reader queries for p0 or p1
• Example: consider tags with prefixes: 00111, 01010, 01100, 10101,
10110 and 10111
54
Contactless Protocol
• Assumption: tagID stored in k bit binary string
• Algorithm
– Reader queries for (i)th bit
– Reader informs in case of collision
• Tags with (i)th bit 0 become silent and maintain counter
• Tags with (i)th bit 1 respond to next query for (i+1)th bit
• Time complexity – O(2k)
• Message complexity – O(m(k+1)), where m is
number of tags
55
Contactless Protocol – Example
• Reader queries for (i)th bit
• Reader informs in case of collision
– Tags with (i)th bit 0 become silent and maintain counter
– Tags with (i)th bit 1 respond to next query for (i+1)th bit
• Example: tags with prefixes: 01, 10 and 11
56
I-Code Protocol (1/2)
• Based on slotted ALOHA principle
• Algorithm
– Reader provides time frame with N slots, N
calculated for estimate n of tags
– Tags randomly choose a slot and transmit their
information
– Responses possible for each slot are
• Empty, no tag transmitted in this slot – c0
• Single response, identifying the tag – c1
• Multiple responses, collision – ck
57
I-Code Protocol (2/2)
– New estimate for n (lower bound):
ε_lb(N, c0, c1, ck) = c1 + 2ck
– Using estimate n, N calculated
– N becomes constant after some time
– Using this N calculate number of read cycles s to identify tags
with a given level of accuracy α
• Time complexity – t0*(s+p)
– t0 is time for one read cycle
– p number of read cycles for estimating N
• Message complexity – n*(s+p)
58
RFID Privacy
• Hidden placement of tags
• Unique identifiers for all objects worldwide
• Massive data aggregation
• Unauthorized development of detailed profiles
• Unauthorized third party access to profile data
• Hidden readers
“Just in case you
want to know, she’s
carrying 700 Euro…”
59
Source: www.rfidprivacy.org
The “Blocker” Tag approach
• “Tree-walking” protocol for identifying tags
recursively asks question:
– “What is your next bit?”
• Blocker tag always says both ‘0’ and ‘1’!
– Makes it seem like all possible tags are present
– Reader cannot figure out which tags are actually
present
– Number of possible tags is huge, so reader stalls
60
More on blocker tags
• Blocker tag can be selective:
– Privacy zones: Only block certain ranges of RFID-tag
serial numbers
– Zone mobility: Allow shops to move items into privacy
zone upon purchase
• Example:
– Blocker blocks all identifiers with leading ‘1’ bit
– Items in supermarket carry leading ‘0’ bit
– On checkout, leading bit is flipped from ‘0’ to ‘1’
• PIN required, as for “kill” operation
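The memoryless protocol example (tags 00111, 01010, 01100, 10101, 10110, 10111) and the selective blocker with a leading-‘1’ privacy zone can be run through one reader-side simulation. This is an added example, not part of the original slides; the function names and the choice to start from the empty prefix are assumptions.

```python
from collections import deque

# The six 5-bit tag IDs from the Memoryless Protocol example slide.
EXAMPLE_TAGS = ["00111", "01010", "01100", "10101", "10110", "10111"]


def query_tree(tags, k, blocker_zone=None):
    """Reader side of the memoryless (query tree) protocol for k-bit IDs.

    blocker_zone, if given, is the ID prefix a selective blocker tag covers;
    it must be shorter than k. Returns (ids_reported, queries_sent).
    """
    if blocker_zone is not None and len(blocker_zone) >= k:
        raise ValueError("blocker zone must be a proper prefix of an ID")
    reported, queries = [], 0
    pending = deque([""])              # first query: the empty prefix
    while pending:
        prefix = pending.popleft()
        queries += 1
        responders = {t for t in tags if t.startswith(prefix)}
        # The blocker answers for every ID in its zone that matches the query.
        blocked = blocker_zone is not None and (
            prefix.startswith(blocker_zone) or blocker_zone.startswith(prefix))
        if blocked and len(prefix) == k:
            reported.append(prefix)    # real tag or phantom: reader cannot tell
        elif blocked or len(responders) > 1:
            pending.extend((prefix + "0", prefix + "1"))   # collision: p0, p1
        elif responders:
            reported.append(responders.pop())              # single reply
        # otherwise the query got no reply and the branch is dropped
    return sorted(reported), queries


def zone_size(k, blocker_zone):
    """How many IDs a reader is forced to enumerate inside the privacy zone."""
    return 2 ** (k - len(blocker_zone))


if __name__ == "__main__":
    print(query_tree(EXAMPLE_TAGS, 5))                    # plain inventory
    print(query_tree(EXAMPLE_TAGS, 5, blocker_zone="1"))  # zone '1' is blocked
    print(zone_size(96, "1"))                             # 96-bit EPC, same zone
```

Without the blocker the reader needs 15 queries for the six tags. With the zone ‘1’ blocked it still reads the three ‘0’ items normally, but every one of the 16 IDs starting with ‘1’ looks present, which is why a reader stalls on full-length EPCs.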
61
The Challenge-Response
approach
• Tag does not give all its information to reader.
– The closer the reader, the more the processing.
– Tag reveals highest level of authenticated information.
1. Reader specifies which level it wants.
2. Tag specifies level of security, and/or amount of
energy needed.
3. Reader proceeds at that level of security.
4. Tag responds if and only if it gets energy and
security required.
62
Some more approaches
• The Faraday Cage approach.
– Place RFID tags in a protective mesh.
– Would make locomotion difficult.
• The Kill Tag approach.
– Kill the tag while leaving the store.
– RFID tags are too useful for reverse logistics.
• The Tag Encryption approach.
– Tag cycles through several pseudonyms.
– Getting a good model is difficult.
• No ‘one-size-fits-all’ solution.
• Security hinges on the fact that in the real world, an
adversary must have physical proximity to tags to
interact with them.
63