Persistent Security for RFID
Published in Business, Technology
  • Prevention of exploitation of “kill” functionality. Resilience against de-synchronization attacks. Protocols that provide location privacy require synchronization of state between tag and server (pseudonym update). Active attackers seek to tamper with communication to cause the state to diverge between parties. Tension between privacy and availability. Persistent security: availability + forward security.
  • For instance, fixed-ID tags could be used in inventory/shipment systems. In this case, cloning of a tag may allow for repeated exploitation of the system. In some systems, such as credit card numbers and SSNs, the knowledge of patterns used to generate the numbers (in addition to the density of valid numbers) has led to some types of exploits that allow attackers to generate new valid credentials corresponding to existing IDs without seeing them. The assumption that RFIDs may be more reliable than, say, passwords in an access control system may lead to poor support for revocation. To clone credit cards, attackers require physical control of the card, institutional break-in, or a phishing-type attack. These attacks leave traces that can be used by credit card agencies to evaluate the (non-)culpability of card holders. On the other hand, RFIDs may be cloned through covert interactions that leave no trace. In particular, in combination with delayed exploitation, cloned cards provide greater risks to both institutions and users. The same is true of other applications, such as access control and identification.
  • While the PRF requires many invocations of the PRG, if the PRG is very efficient this only increases the number of clock cycles (the control logic is very simple), so it is not a problem.
  • Caveat: Ad-hoc strategies are available using time slicing, hash chains, etc.


  • 1. Persistent Security for RFID Mike Burmester & Breno de Medeiros RFIDSec’07
  • 2. Talkthrough
    • Why persistent security?
    • What exactly is persistent security?
      • An extensive list of requirements (still minimalist)
      • A strong (composable) security model
    • Is it affordable?
      • Persistent secure solution for each budget
    • Example: forward-secure tag authentication
  • 3. RFID: discardable technology?
    • RFID tags
      • low cost
      • replaceable
      • relatively short-lived
    • Other RFID system components:
      • Not necessarily low-cost
      • upgradeable
      • mid- to long-term life
    • Both: May protect high-value assets
  • 4. RFID Security Services
    • Authentication
      • Cloning protection
      • re-play protection
      • Authenticity of exchanged keys
    • Location privacy
      • Unlinkable anonymous transactions
    • Data confidentiality
      • (Re-)encryption
    • Forward-privacy
      • Forward-anonymity
      • Forward-secrecy of exchanged keys
    • Availability
      • De-synchronization
      • Unauthorized “killing”
    • Persistent security: A long wish list!
  • 5. Why forward security?
  • 6. Lasting effects of compromise
    • If tags compromised, is exposure temporally limited?
    • Examples of potential long-term effects
      • Compromise of an ID/pseudonym that is recycled
      • Compromise of the pattern used to generate IDs/pseudonyms
      • System built without consideration for revocation of credentials
      • Covert compromise combined with delayed exploitation
  • 7. Generic Concerns
    • In the presence of a large-scale adversary
      • E.g., military or industrial espionage
    • Compromise of RFID secrets
      • E.g. through discarded tags
      • May reveal identities of parties involved in previously recorded interactions
      • May disclose session keys of previously exchanged confidential communication
  • 8. Technology-specific concerns
    • RFID vulnerability to physical attacks
      • makes it likely that keys will be compromised
    • Forward-security provides mechanism to prevent “delayed exploitation”
      • particularly insidious in combination with covert key extraction
      • Periodic key changes will limit the ability of an adversary to exploit a vulnerability
  • 9. Flexibility of Trust Design
    • RFID security protocols often assume readers untrusted (all security at back-end server)
    • In some cases it is useful to transfer some trust to the readers
      • What happens if readers compromised? May require large-scale replacement of secrets
      • Possibly unmanageable
    • Forward-security strategies build in mechanisms for key replacement
    • Protocols designed for forward-security (against reader compromise) more resilient under flexible trust assumptions
  • 10. Security model
  • 11. Multiple security requirements
    • Functionality provided by RFID still simple
      • Authentication + simple additional semantics
      • Less than “wireless smart card”
      • More than “smart label”
    • Security requirements multi-faceted
      • Simultaneous provision of multiple services
      • Example: tension between availability and privacy requirements
  • 12. History
    • First formal security model for RFID entity authentication (SecureComm’06)
    • Considers availability threats in addition to authentication and anonymity
    • Has been extended for forward-secure key-exchange (AsiaCCS’07)
  • 13. Unified Security Modeling
    • Guarantees that tensions between different requirements are resolved, or
      • at least clarifies the existence of such tensions
    • Common ground allows for comparison of the virtues and weaknesses of different schemes
    • Modularity and composition
  • 14. Composability Tidbits
    • Composable security modeling is based on indistinguishability between real (protocol) and ideal (specification) simulations
    • Adversary allowed to interact with environment: “not a test tube adversary!”
      • Black-box adversarial simulation
      • No re-winding of the adversary
  • 15. Forward Security
    • Limitations in adversary simulation in composable models make it tricky to define forward-security
    • Forward-security requires that old keys be unpredictable from new keys
      • Easiest way: ideal process generates new keys as truly random
      • What if adversary extracts keys during session? It can detect deterministic behavior for key update
      • Solution: Ideal process must enforce forward-security only among boundaries of fully-completed sessions
  • 16. Practical considerations
  • 17. Practical accommodation
    • Composability framework favors the adoption of as few setup assumptions as possible, to achieve the most general result
    • Strong restrictions in RFID capabilities impose instead a pragmatic approach
      • Aggressive adoption of setup assumptions is needed in order to use basic symmetric-key primitives
  • 18. Basic ingredient: PRGs + 
    •  = 1-way, “randomness preserving” function
      • r, F(k || r || ...)
      • Implied by the simultaneous requirements of authentication and unlinkable anonymity
    • Randomness-preserving function provided by:
      • PRG itself: Use GGM PRG-to-PRF construction. PRF certainly a randomness preserving function.
        • Not so crazy for RFID: adds simple control over PRG code
        • Little additional code footprint or per-cycle power usage
      • Stream cipher: similar
  • 19. Other candidates for 
    • Heuristic constructions based on block ciphers
      • Example: trick to make the block cipher one-way
    • Shamir’s on-the-fly squaring?
    • LFSR-based generators
    • Trade-offs between security and efficiency abound
  • 20. Results
    • Forward-anonymous tag authentication
    • Forward-secure mutual authentication and key-exchange
    • Ongoing work on forward-secure group scanning
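  • 21. O-FRAP (Optimistic Forward-secure RFID Auth. Protocol)
    • Parties: Server/reader (Db) and Tag i; state $r_{tag}$, $k_{tag}$
    • Messages, in order: $r_{sys}$; $r_{tag} \,\|\, v_2$; $v_3$
    • 1) $v \leftarrow F(k_{tag},\, r_{tag} \,\|\, r_{sys})$, $(v_1, v_2, v_3, v_4) \leftarrow v$
    • 2) $r_{tag} \leftarrow v_1$
    • 1), 2): one of curr. $k_{tag}$ or $v_4$ for new $k_{tag}$
    • 3) $k_{tag} \leftarrow v_4$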
  • 22. Availability
    • Availability requires mechanisms to “recover” synchronicity when adversary interferes with session and causes divergence between computed outputs
      • Linear search: Onerous for back-end server (effort of back-end server does not scale with attack)
      • Use of hierarchical keys can be problematic when key compromises are considered
      • Reconciling availability and privacy in a scalable way still a challenge!
  • 23. Persistent Security: Recap
    • Security model simultaneously captures multiple requirements
      • Shows any tension between requirements
      • Facilitates meaningful comparison between competing alternatives
    • Key updates (forward-security) desirable
    • Security modeling makes clear the requirement on primitives
      • Allow maximum flexibility by providing informed choice
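
The exchange on slide 21 and the recovery problem on slide 22, as an added Python simulation that is not the authors' code. It builds F with the GGM PRG-to-PRF construction named on slide 18, then shows a dropped $v_3$ and a rogue challenge both being recovered from. Assumptions: SHA-256 stands in for the PRG, the message directions are server to tag ($r_{sys}$), tag to server ($r_{tag} \| v_2$), server to tag ($v_3$), and the server keeps the last matched key next to $v_4$ as one reading of the slide's "one of curr. k_tag or v_4" note.

```python
import hashlib, hmac, os

def G(seed):  # length-doubling PRG stand-in (assumption): 16 -> 2 x 16 bytes
    d = hashlib.sha256(seed).digest()
    return d[:16], d[16:]
def F(k, x):  # GGM tree walk over the bits of x; two extra levels give v1..v4
    s = k
    for bit in "".join(f"{b:08b}" for b in x):
        s = G(s)[int(bit)]
    return [leaf for half in G(s) for leaf in G(half)]

class Tag:
    def __init__(self, r, k):
        self.r, self.k, self.pending = r, k, None
    def respond(self, r_sys):                 # steps 1) and 2)
        v1, v2, v3, v4 = F(self.k, self.r + r_sys)
        reply, self.r, self.pending = (self.r, v2), v1, (v3, v4)
        return reply
    def confirm(self, v3):                    # step 3): k_tag <- v4
        if self.pending and hmac.compare_digest(v3, self.pending[0]):
            self.k = self.pending[1]

class Server:
    def __init__(self):
        self.by_r, self.keys = {}, {}   # r_tag -> tag id; tag id -> candidate keys
    def enroll(self, tid, r, k):
        self.by_r[r], self.keys[tid] = tid, [k]
    def verify(self, r_sys, r_tag, v2):
        tid = self.by_r.get(r_tag)
        for t in ([tid] if tid else list(self.keys)):  # unknown r_tag: linear search
            for k in self.keys[t]:
                v1, w2, v3, v4 = F(k, r_tag + r_sys)
                if hmac.compare_digest(w2, v2):
                    self.by_r = {r: i for r, i in self.by_r.items() if i != t}
                    self.by_r[v1], self.keys[t] = t, [k, v4]
                    return t, v3, tid is not None
        return None, None, False

def session(server, tag, deliver_v3=True):
    r_sys = os.urandom(16)
    tid, v3, indexed = server.verify(r_sys, *tag.respond(r_sys))
    if tid and deliver_v3:
        tag.confirm(v3)
    return tid, indexed
def demo():  # normal run, dropped v3, recovery, then a rogue challenge
    s, t = Server(), Tag(os.urandom(16), os.urandom(16))
    s.enroll("tag-1", t.r, t.k)
    out = [session(s, t), session(s, t, deliver_v3=False), session(s, t)]
    t.respond(os.urandom(16))  # rogue reader pushes r_tag out of sync
    return out + [session(s, t)]
```

`demo()` returns one `(tag id, indexed)` pair per session; the last pair has `indexed` set to `False` because the server had to fall back to trying every stored key, which is the cost slide 22 calls onerous. Each call to `F` on a 32-byte input costs 259 PRG invocations, the overhead the speaker note on the PRF refers to.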