多國籍企業可使用「無線射頻辨識」(Radio Frequency Identification,簡稱RFID)技術來提昇供應鏈管理的效能,但無線信號傳送屬廣播性質,如何設計有效率的「RFID認證協定」,使RFID標籤於資料讀取時,能保密RFID標籤資料,及保護標籤持有人之隱私,成為RFID供應鏈應用的重要課題。在2007年,Lo等人提出的RFID認證協定,宣稱具有出色的資料安全性(data security)、強健的地點隱私保護(location privacy preservation)、及有效率的後端伺服器資料媒合機制(data matching mechanism)。然而,本研究指出,Lo等人之協定,仍存有可惡意追蹤標籤位置與可偽造標籤等安全弱點;此外,其協定中可信賴的第三者(Trusted Third Party,簡稱TTP)與每一讀取器(Reader)間之密鑰的更新及使用,亦產生矛盾。本文針對Lo等人具隱私保護RFID協定之安全缺點,除了追蹤標籤的隱私問題外,提出了有效改良建議,並歸納分析其於供應鏈應用之可行性。
Radio Frequency Identification (RFID) technology can be used to improve the effectiveness and efficiency of supply chain management of a multi-national enterprise. However, the broadcast of wireless signal during RFID tag reading raises important security issues on how to design an efficient authentication protocol for RFID systems in supply chain application. The protocol must protect the confidentiality of tag information and the privacy of tag holders. In 2007, Lo et al. proposed an RFID authentication protocol with claimed merits including excellent data security, robust location privacy preservation, and efficient data matching mechanism in the backend server. However, as shown in this paper, Lo et al.'s protocol is still vulnerable to tag-tracing and counterfeit tag. Besides, the update of keys shared between Trusted Third Party and each Reader is conflicting with key usage. To overcome these flaws, we propose improvement suggestions to enhance the security of Lo et al.'s scheme. We also discuss its feasibility in supply chain management.