Jan C. A. van der Lubbe

A comprehensive RFID solution to enhance inpatient medication safety

Errors involving medication administration can be costly, both in financial and in human terms. Indeed, there is much potential for errors due to the complexity of the medication administration process. Nurses are often singled out as the only responsible of these errors because they are in charge of drug administration. Nevertheless, the interventions of every actor involved in the process and the system design itself contribute to errors (Wakefield et al. (1998). Proper inpatient medication safety systems can help to reduce such errors in hospitals. In this paper, we review in depth two recent proposals (Chien et al. (2010); Huang and Ku (2009)) that pursue the aforementioned objective. Unfortunately, they fail in their attempt mainly due to their security faults but interesting ideas can be drawn from both. These security faults refer to impersonation and replay attacks that could produce the generation of a forged proof stating that certain medication was administered to an inpatient when it was not. We propose a leading-edge solution to enhance inpatient medication safety based on RFID technology that overcomes these weaknesses. Our solution, named Inpatient Safety RFID system (IS-RFID), takes into account the Information Technology (IT) infrastructure of a hospital and covers every phase of the drug administration process. From a practical perspective, our system can be easily integrated within hospital IT infrastructures, has a moderate cost, is very ease to use and deals with security aspects as a key point.

Flaws on RFID grouping-proofs. Guidelines for future sound protocols

During the last years many RFID authentication protocols have been proposed with major or minor success (van Deursen and Radomirovic, 2008). Juels (2004) introduced a different and novel problem that aims to evidence that two tags have been simultaneously scanned. He called this kind of evidence a yoking-proof that is supposed to be verifiable offline. Then, some authors suggested the generalization of the proof for a larger number of tags. In this paper, we review the literature published in this research topic and show the security flaws of the proposed protocols, named RFID grouping-proofs generally. More precisely, we cryptanalyze five of the most recent schemes and we also show how our techniques can be applied to older proposals. We provide some guidelines that should be followed to design secure protocols and preclude past errors. Finally, we present a yoking-proof for low-cost RFID tags, named Kazahaya, that conforms to the proposed guidelines.

Robust labeling methods for copy protection of images

In the European project SMASH a mass multimedia storage device for home usage is being developed. The success of such a storage system depends not only on technical advances, but also on the existence of an adequate copy protection method. Copy protection for visual data requires fast and robust labeling techniques. In this paper, two new labeling techniques are proposed. The first method extends an existing spatial labeling technique. This technique divides the image into blocks and searches an optimal label- embedding level for each block instead of using a fixed embedding-level for the complete image. The embedding-level for each block is dependent on a lower quality JPEG compressed version of the labeled block. The second method removes high frequency DCT-coefficients in some areas to embed a label. A JPEG quality factor and the local image structure determine how many coefficients are discarded during the labeling process. Using both methods a perceptually invisible label of a few hundred bits was embedded in a set of true color images. The label added by the spatial method is very robust against JPEG compression. However, this method is not suitable for real-time applications. Although the second DCT-based method is slightly less resistant to JPEG compression, it is more resistant to line-shifting and cropping than the first one and is suitable for real-time labeling.

Cryptanalysis of an EPC Class-1 Generation-2 standard compliant authentication protocol

Recently, Chen and Deng (2009) proposed an interesting new mutual authentication protocol. Their scheme is based on a cyclic redundancy code (CRC) and a pseudo-random number generator in accordance with the EPC Class-1 Generation-2 specification. The authors claimed that the proposed protocol is secure against all classical attacks against RFID systems, and that it has better security and performance than its predecessors. However, in this paper we show that the protocol fails short of its security objectives, and in fact offers the same security level than the EPC standard it tried to correct. An attacker, following our suggested approach, will be able to impersonate readers and tags. Untraceability is also not guaranteed, since it is easy to link a tag to its future broadcast responses with a very high probability. Furthermore, readers are vulnerable to denial of service attacks (DoS), by obtaining an incorrect EPC identifier after a successful authentication of the tag. Moreover, from the implementation point of view, the length of the variables is not compatible with those proposed in the standard, thus further discouraging the wide deployment of the analyzed protocol. Finally, we propose a new EPC-friendly protocol, named Azumi, which may be considered a significant step toward the security of Gen-2 compliant tags.

Cryptographic puzzles and distance-bounding protocols: Practical tools for RFID security

Widespread adoption of RFID technology is being slowed down because of increasing public concerns about associated security threats. This paper shows that it is possible to enhance the security of RFID systems by requiring readers to perform a computational effort test. Readers must solve a cryptographic puzzle - one of the components of the Weakly Secret Bit Commitment (WSBC) sent by tags - to obtain the static identifier of the interrogated tag. The method we present is based on a simple concept already used in security applications such as anti-spam or TCP SYN flooding protection, yet original in the RFID context until now. The scheme provides privacy protection while being an effective countermeasure against the indiscriminate disclosure of the whole contents of a large number of tags. Then, we scrutinize the combined use of cryptographic puzzles and distance-bounding protocols. First, a classical and relatively straight-forward solution is presented. Secondly, we introduce a protocol named Noent, that follows a new approach that reduces drawbacks associated with WSBC such as key delegation, whilst gaining all the advantages of employing distance-bounding protocols such as the certainty on the distance between a tag and reader.

Semantic segmentation of videophone image sequences

A system for segmentation of head-and-shoulder scenes into semantic regions, to be applied in a model-based coding scheme on video telephony, is described. The system is conceptually divided into three levels of processing and uses successive semantic regions of interest to locate the speaker, the face and the eyes automatically. Once candidate regions have been obtained by the low level segmentation modules, higher level modules perform measurements on these regions and compare these with expected values to extract the specific region searched for. Fuzzy membership functions are used to allow deviations from the expected values. The system is able to locate satisfactorily the facial region and the eye regions.

Feature selection for paintings classification by optimal tree pruning

In assessing the authenticity of art work it is of high importance from the art expert point of view to understand the reasoning behind it. While complex data mining tools accompanied by large feature sets extracted from the images can bring accuracy in paintings authentication, it is very difficult or not possible to understand their underlying logic. A small feature set linked to a minor classification error seems to be the key to understanding and interpreting the obtained results. In this study the selection of a small feature set for painting classification is done by the means of building an optimal pruned decision tree. The classification accuracy and the possibility of extracting knowledge for this method are analyzed. The results show that a simple small interpretable feature set can be selected by building an optimal pruned decision tree.

Weaknesses in two recent lightweight RFID authentication protocols

The design of secure authentication solutions for low-cost RFID tags is still an open and quite challenging problem, though many algorithms have been published lately. In this paper, we analyze two recent proposals in this research area. First, Mitras scheme is scrutinized, revealing its vulnerability to cloning and traceability attacks, which are among the security objectives pursued in the protocol definition [1]. Later, we show how the protocol is vulnerable against a full disclosure attack after eavesdropping a small number of sessions. Then, we analyze a new EPC-friendly scheme conforming to EPC Class-1 Generation-2 specification (ISO/IEC 180006-C), introduced by Qingling and Yiju [2]. This proposal attempts to correct many of the well known security shortcomings of the standard, and even includes a BAN logic based formal security proof. However, notwithstanding this formal security analysis, we show that Qingling et al.s protocol offers roughly the same security as the standard they try to improve, is vulnerable to tag and reader impersonation attacks, and allows tag traceability.

Tracking of global motion and facial expressions of a human face in image sequences

We present a system in which the global motion (3D rotation and translation) and the local motion (facial expressions) of the face of a talking person are estimated automatically from an input image sequence. First, the shape of the facial features, such as eyes and mouth, are robustly extracted from the images. Then, based on the extracted shape of the facial features, the global motion and facial expressions are estimated. No human assistance is necessary throughout the process. The system relies on the use of a priori knowledge about the scene and facial motions. In the feature extraction scheme this a priori knowledge is modeled by a descriptive tree of the scene and geometric shape representations of the facial features. The global motion can be easily obtained from these facial features. In the local motion estimation scheme the a priori knowledge is modeled in a belief network, in which knowledge about muscle actuators is represented, e.g., the interactions between the muscle actuators and their visible manifestations. A few experiments are included to illustrate the system.

Privacy-Preserving User Data Oriented Services for Groups with Dynamic Participation

In recent years, services that process user-generated data have become increasingly popular due to the spreading of social technologies in online applications. The data being processed by these services are mostly considered sensitive personal information, which raises privacy concerns. Hence, privacy related problems have been addressed by the research community and privacy-preserving solutions based on cryptography, like [1-5], have been proposed. Unfortunately, the existing solutions consider static settings, where the computation is executed only once for a fixed number of users, while in practice applications have a dynamic environment, where users come and leave between the executions. In this work we show that user-data oriented services, which are privacy-preserving in static settings, leak information in dynamic environments. We then present building blocks to be used in the design of privacy-preserving cryptographic protocols for dynamic settings. We also present realizations of our ideas in two different attacker models, namely semi-honest and malicious.