Published in: Business, Technology
Transcript of "RFID Security: In the Shoulder and on the - RSA, The Security ..."

  1. RFID Security: In the Shoulder and on the Loading Dock
      Ari Juels, RSA Laboratories
      Joint work with D. Boneh, E.-J. Goh, J. Halamka, A. Stubblefield, B. Parno, R. Pappu, and J. Westhues
      WiSec, 31 March 2008
      All slides © 2008 RSA Laboratories
  2. RFID (Radio-Frequency IDentification) takes many forms…
  3. “RFID” really denotes a spectrum of devices
      • RFID: Any wireless device whose main function is identification of an object or person…
      Figure labels: Automobile ignition key; Mobile phone; Toll payment plaque; Basic “smart label”; passive; passive; semi-passive; no crypto; no crypto; some crypto; few cm to many meters range; several meters range; several cm range
  4. “Smart label” RFID tag
      • Passive tag
      • Ordinary range of several meters
      • Simply calls out (unique) name and static data
      Figure labels: “74AB8”; “5F8KJ3”; “Evian bottle #949837428”
  5. Capabilities of “smart label” RFID tag
      • Cheap! (target of $0.05 apiece)
      • Little memory
          • Static 96-bit+ identifier in current ultra-cheap tags
          • Up to hundreds of writeable bits
      • Little computational power
          • At most a few thousand gates (mostly for basic functionality)
          • No real cryptographic functions possible
  6. “Smart labels”: EPC (Electronic Product Code) tags
      • Barcode: Line-of-sight; Specifies object type
      • EPC tag: Radio contact; Uniquely specifies object
      • Fast, automated scanning
      • Provides pointer to database entry for every object, i.e., unique, detailed history
  7. 2030: Week in the life of a milk carton
      • 30 April: RFID-tagged cow “Bessie” produces milk
      • 30 April: Milk transferred to RFID-tagged tank
          • Cow identity and milking time recorded in tank-tag database
      • 1 May: RFID portal on truck records loading of refrigeration tanks
          • (Truck also has active RFID (+GPS) to track geographical location and RFID transponder to pay tolls)
      • 2 May: Chemical-treatment record written to database record for milk barrel
          • Bessie’s herd recorded to have consumed bitter grass; compensatory sugars added
      • 3 May: Milk packaged in RFID-tagged carton; milk pedigree recorded in database associated with carton tag
      • 4 May: RFID portal at supermarket loading dock records arrival of carton
      • 5 May: “Smart” shelf records arrival of carton in customer area
      • 5 May 0930h: “Smart” shelf records removal of milk
      • 5 May 0953h: Point-of-sale terminal records sale of milk (to Alice)
  8. 2030: Week in the life of a milk carton
      • 6 May 0953h: Supermarket transfers tag ownership to Alice’s smart home
      • 6 May 1103h: Alice’s refrigerator records arrival of milk
      • 6 May 1405h: Alice’s refrigerator records removal of milk; refrigerator looks up database-recorded pedigree and displays: “Woodstock, Vermont, 1% fat, light pasteurization, artisanal, USDA organic, breed: Jersey, genetic design #81726”
      • 6 May 1807h: Alice’s “smart” home warns domestic robot that milk has been left out of refrigerator for more than four hours
      • 6 May 1809h: Alice’s refrigerator records replacement of milk
      • 7 May 0530h: Domestic robot uses RFID tag to locate milk in refrigerator; refills baby bottle
  9. 2030: Week in the life of a milk carton
      • 6 May 0953h: Supermarket transfers tag ownership to Alice’s smart home
      • 6 May 1103h: Alice’s refrigerator records arrival of milk
      • 6 May 1405h: Alice’s refrigerator records removal of milk; refrigerator looks up database-recorded pedigree and displays: “Woodstock, Vermont, Grade A, light pasteurization, artisanal, USDA organic, breed: Jersey, genetic design #81726”
      • 6 May 1807h: Alice’s “smart” home warns domestic robot that milk has been left out of refrigerator for more than four hours
      • 6 May 1809h: Alice’s refrigerator records replacement of milk
      • 7 May 0530h: Domestic robot uses RFID tag to locate milk in refrigerator; refills baby bottle
      • 7 May 0531h: Robot discards carton; “Smart” refrigerator notes absence of milk; transfers order to Alice’s PDA/phone/portable server grocery list
      • 7 May 2357h: Recycling center scans RFID tag on carton; directs carton to paper-brick recycling substation
  10. RFID Today
  11. Proximity cards
      Note: Often just emit static identifiers, i.e., they are just smart labels!
  12. Automobile ignition keys
      • RFID helps secure hundreds of millions of automobiles
          • Cryptographic challenge-response
          • Philips claims more than 90% reduction in car theft thanks to RFID!
          • Some devices, e.g., Texas Instruments DST, are weak [Bono et al. ’05]…
  13. Credit cards
      • RFID now offered in all major credit cards in U.S. (“tap-and-go”)…
      • Some problems with first generation [Heydt-Benjamin et al. ’07]
  14. Transit cards
      • K. Nohl and H. Plötz on Mifare, 2008
  15. Passports
      • Dozens of countries issuing RFID-enabled passports
      • PASS card and “enhanced” drivers’ licenses (EPC tags)
  16. Little EPC at item-level, mostly cases and pallets
      Figure label: Crate #123 (jet engines)
  17. Supply-chain visibility
      • 22 August 2007 01.28 UTC, Kansas, USA: Crate #123 packed, Factory #18762
      • 25 August 2007 06.08 UTC, NYC, USA: Crate #123 loaded, Cargo ship UAYHQUE
      • 31 August 2007 22.19 UTC, Okinawa, Japan: Crate #123 arrived, Dock JHS1872H
  18. Pharmaceuticals
      • Anti-counterfeiting: Better supply-chain visibility means less fraud
          • U.S. FDA urging RFID use to combat counterfeiting of drugs
          • Pharmaceutical companies doing item-level trials with EPC today
  19. Security and Privacy Challenges
  20. The consumer privacy problem
      Here’s Mr. Jones…
      • 1500 Euros in wallet; Serial numbers: 597387,389473…
      • Wig model #4456 (cheap polyester)
      • 30 items of lingerie
      • Das Kapital and Communist-party handbook
      • Replacement hip medical part #459382
  21. Privacy approach 1: Cover RFID tags with protective mesh or foil
      Problems:
      (1) Makes locomotion difficult
      (2) Shops don’t like distributing tools for theft
  22. Approach 2: EPC “kill” command for RFID tags
      • Long-term problem: RFID tags are very useful in “live” state…
      • Short-term problem: How do I get kill PINs to point of sale?
  23. The authentication problem
      Good readers, bad tags
      Mr. Jones in 2020
      Figure labels: 1500 Euros in wallet, Serial numbers: 597387,389473…; Replacement hip medical part #459382; Mad-cow hamburger lunch; Counterfeit!; Counterfeit!; Mr. Jones’s car!
  24. Approach 3: Use cryptography
      Figure labels: AES; Side-channel countermeasures
      • But:
      • Not in cheap EPC for a while
      • The theme of today’s talk: The really hard part is key management…
  25. RFID on the Loading Dock
  26. Keeping the customer satisfied…
      • “I want a rock-solid encryption algorithm… with 20-bit keys.”
      • “I want a strong password-reset system… with user-friendly challenge questions like, ‘What is your favorite color?’”
      • “I want my retail stores to be able to read RFID-tagged items… but I want tag data to be unreadable after sale… and I don’t want to have to kill or rewrite them…”
  27. EPC tags and privacy
      • Again, EPC tags have no true cryptographic functionality
      • Only explicit EPC privacy feature: Kill
          • On receiving tag-specific PIN, tag self-destructs
      • But commercial RFID users say they:
          • Don’t want to manage kill PINs
          • Have no channel to communicate secret keys downstream in supply chain
      • Key transport is a big problem!!!
  28. A new approach: Put secret keys on the tags
      • Encrypt tag data under secret key $\kappa$
      • Apply secret sharing to spread key $\kappa$ across tags in case
          • E.g., $\kappa \rightarrow (s_1, s_2, s_3)$
      Figure labels (one per tag): $E_\kappa(m_1), s_1$; $E_\kappa(m_2), s_2$; $E_\kappa(m_3), s_3$
  29. A new approach: Put secret keys on the tags
      • Encrypt tag data under secret key $\kappa$
      • Apply secret sharing to spread key $\kappa$ across tags in case
          • E.g., $\kappa \rightarrow (s_1, s_2, s_3)$
      Figure labels (one per tag): $E_\kappa(m_1), s_1$; $E_\kappa(m_2), s_2$; $E_\kappa(m_3), s_3$
      Tag data shown: Supersteroids 500mg; 100 count; Serial #87263YHG; Mfg: ABC Inc.; Exp: 6 Mar 2010
  30. Privacy through dispersion
  31. Privacy through dispersion
      Individual shares / small sets reveal no information about medication!
      Figure labels (one per tag): $E_\kappa(m_1), s_1$ (Super-Steroids); $E_\kappa(m_2), s_2$ (Super-Steroids); $E_\kappa(m_3), s_3$ (Super-Steroids)
  32. Example application: Privacy protection on medications
      Step 1: Receive case at pharmacy
      Step 2: Pharmacy reads tags, gets keys, decrypts data for its database
      Step 3: Tags and data are dispersed
      Figure label: Data
  33. Some challenges
      • Storage is at a premium in EPC, but no secret-sharing literature on “tiny” shares
          • “Short” shares are 128 bits, but we may want 16 bits or less!
          • We needed to create new definitions and constructions
      • Scanning errors
          • We need robustness in our secret-sharing scheme
  34. Some challenges
      • In-store key harvesting
          • Preventive idea: Add “chaff,” i.e., bogus or “noise” shares
          • If secret-sharing scheme for case can tolerate d errors, then add 2d/3 bogus shares per case
          • Can recover from < d/3 errors in single case, since 2d/3 + d/3 = d
          • Hard to reconstruct secrets for two cases mixed together, as we have 4d/3 > d errors
          • “Overinformed” adversary
  35. Some challenges
      Figure label: Wig serial #A817TS8
      4. We don’t solve tracking problem
          • You’ve already got credit cards, car keys, proximity cards, mobile phones, and so forth
  36. Another twist: Secret-sharing for authentication
      • A key $\kappa$ is useful not just for consumer privacy, but for authentication:
          • Read / write “unlock” codes for EPC tags
          • Anti-cloning for EPC tags [Juels ’05]
          • Symmetric key for challenge-response tag authentication (again, anti-cloning)
      • But putting $\kappa$ on case is bad if case is diverted
          • Attacker can read / rewrite tags and re-inject goods
          • Attacker can clone tags
  37. Secret-sharing across cases
      Figure labels: $\kappa$: $s_1, s_2, s_3$; $\kappa'$: $s'_1, s'_2, s'_3$
  38. Secret-sharing across cases
      Figure labels: $\kappa$: $s_1, s_2, s_3$; $\kappa'$: $s'_1, s'_2, s'_3$
  39. But “windows” are not always neat… receivers cannot reconstruct $\kappa$ and $\kappa'$!
      Figure labels: $s_1, s_2, s_3, s'_1, s'_2, s'_3$; Warehouse A; Warehouse B
  40. SWISS (Sliding Window Information Secret-Sharing)
      Given $\geq 2$ out of 4 $s_i$, get corresponding $\kappa_i$ (label repeated three times on the slide)
      Figure labels: $s_1, s_2, s_3, s_4, s_5, s_6$; $\kappa_1, \kappa_2, \kappa_3, \kappa_4, \kappa_5, \kappa_6$
  41. SWISS (Sliding Window Information Secret-Sharing)
      Figure labels: $\kappa_1, \kappa_3, \kappa_5$; Warehouse B; $s_1, s_2, s_3, s_4, s_5, s_6$; $\kappa_1, \kappa_2, \kappa_3, \kappa_4, \kappa_5, \kappa_6$
  42. SWISS (Sliding Window Information Secret-Sharing)
      ???? Adversary with more sporadic case access
      Figure labels: $s_1, s_2, s_3, s_4, s_5, s_6$; $\kappa_1, \kappa_2, \kappa_3, \kappa_4, \kappa_5, \kappa_6$
  43. SWISS (Sliding Window Information Secret-Sharing)
      • A $k$-out-of-$n$-SWISS scheme is straightforward with share size $s_i$ linear in $n$
      • It’s not obvious how to get more compact $s_i$
      • That’s what our paper [JPP ’08] addresses…
          • Tricks using bilinear maps, i.e., pairings
          • Size of $s_i$ is constant(!) in $k$, $n$
          • Access structure not perfect
      Figure labels: $s_1, s_2, s_3, s_4, s_5, s_6$
  44. RFID in the Shoulder
  45. Other RFID applications today: Animal tagging…
      • Livestock
      • Housepets
      Figure labels: “Not Really Mad”; The cat came back, the very next day…; 50 million+
  46. Human location tracking
      • Schools
      • Amusement parks
      • Hospitals
  47. A riddle…
      Figure: ??? + =
  48. Human-implantable RFID
      Figure: ??? + = VeriChip™
  49. Human-implantable RFID
      • Excellent test bed for privacy and security concepts!
      • Proposed for medical-patient identification
      • Also proposed and used as an authenticator for physical access control, a “prosthetic biometric”
          • E.g., Mexican attorney general purportedly used for access to secure facility
      • What kind of cryptography does it have?
          • None: It can be easily cloned [Halamka et al. ’06]
      • So shouldn’t we add a challenge-response protocol?
      • Cloning may actually be a good thing
      Figure: + = VeriChip™
  50. Human-implantable RFID
      • Physical coercion and attack
          • In 2005, a man in Malaysia had his fingertip cut off by thieves stealing his biometric-enabled Mercedes
          • What would happen if the VeriChip were used to access ATM machines and secure facilities?
      • Perhaps better if tags can be cloned!
      • Tags should not be used for authentication, only for identification
  51. Cloneability + privacy
      • Privacy means no linkability or information about identities
      • If a tag can be cloned, does that mean it can’t provide privacy?
          • Surprisingly, no!
      • A very simple scheme allows for simultaneous cloneability and privacy
  52. Cloneability + privacy
      • Homomorphic public-key cryptosystem (e.g., El Gamal)
      • Private / public key pair $(SK, PK)$
      • Randomized scheme: $C = E_{PK,r}[m]$
      • Semantic security: Adversary cannot distinguish $C = E_{PK,r}[\text{“Alice”}]$ from $C' = E_{PK,s}[\text{“Bob”}]$
      • Re-encryption property: Given $C$ only, can produce randomized $C^* = E_{PK,s}[m]$, without knowing $m$
  53. Cloneability + privacy
      • The scheme: When read, tag chooses fresh $r$ and outputs $C = E_{PK,r}[\text{“name”}]$
      • Then:
      • Reader with $SK$ can decrypt name
      • Semantic Security: Adversary cannot distinguish among tags, i.e., infringe privacy
      • Re-encryption property: Adversary can clone a tag: records $C$ and outputs randomized $C^*$
  54. The covert-channel problem
      • Suppose there is an identification / authentication system…
      Figure labels: Authorized Employees Only; Who’s there?; E[“Alice”]; It’s Alice!
  55. The covert-channel problem
      • Suppose there is an identification / authentication system…
      Figure labels: Authorized Employees Only; Who’s there?; E[“Alice” + ?]; Alice has low blood pressure and high blood-alcohol; Alice recently passed a casino’s RFID reader; Mercury switch indicates that Alice napped on job
  56. How can we assure Alice of no covert channels?
      • Outputs must be deterministic
          • Randomness always leaves room for covert emissions
      • Could give Alice a secret key to check that outputs are formatted correctly
          • E.g., pseudorandom-generator seed for device
      • But we don’t want Alice (or a third party) to have to manage sensitive keying material. Again, key management is the problem!
      • Can we enable Alice (or anyone else) to verify covert-freeness publicly, i.e., without exposing secret keys?
      • Simultaneous publicly verifiable covert-freeness and privacy are impossible!
  57. Here’s why…
      • Suppose there were a public CC detector…
      Figure labels: X18 Ultra CC-Detector™; $A_1$, $A_2$; No CC; Yes, CC!
  58. Here’s a covert channel!
      • Create identity for user “Bob”
          • Bob could be fictitious
          • Just need output sequence $B_1, B_2, \ldots$
      • Alice’s chip does following:
          • If no nap, output $A_1, A_2, A_3$, etc. with Alice’s identity
          • If Alice has taken a nap, then flip to Bob’s identity, i.e., output $A_1, A_2, \ldots, B_1, B_2$
  59. Suppose we detect this covert channel
      Figure labels: $B_1$; Yes, CC; X18 Ultra CC-Detector™; $A_1$, $A_2$; No CC
  60. Now if there really is a user Bob, we have a problem...
      Figure labels: X18 Ultra CC-Detector™; $A_1$, $A_2$; No CC
  61. Alice followed by Bob yields “Yes”
      Figure labels: X18 Ultra CC-Detector™; $A_1$, $B_1$; Yes, CC
  62. Privacy is broken: We can distinguish between identities!
      Figure labels: Bob; Alice; Alice; Alice; X18 Ultra CC-Detector™: Yes; X18 Ultra CC-Detector™: No
  63. So public CC-verifiability + privacy is impossible
      • But we can achieve it anyway…
      • Idea: change the definition of privacy
          • Weaken localized privacy, e.g., eliminate privacy across pairwise values
          • Allow localized CC-checking, e.g., pairwise
          • Localized privacy is least important type of privacy
      • Now we can do spot CC-checking…
      Figure labels: $A_1, A_2, A_3, A_4, A_5, A_6, A_7, A_8, A_9$; X18 Ultra CC-Detector™; yes / no
  64. So public CC-verifiability + privacy is impossible
      • But we can achieve it anyway…
      • Idea: change the definition of privacy
          • Weaken localized privacy, e.g., eliminate privacy across pairwise values
          • Allow localized CC-checking, e.g., pairwise
          • Localized privacy is least important type of privacy
      • Now we can do spot CC-checking…
      Figure labels: $A_1, A_2, A_3, A_4, A_5, A_6, A_7, B_1, B_2$; X18 Ultra CC-Detector™; yes / no
  65. So public CC-verifiability + privacy is impossible
      • Now let’s show how to achieve it anyway…
      • Idea:
          • Weaken privacy definition to exclude localized privacy, e.g., privacy across pairwise values
          • Allow localized CC-checking, e.g., pairwise
          • Localized privacy is least important type of privacy
      • Now we can do spot CC-checking…
      Figure labels: $A_1, A_2, A_3, A_4, A_5, A_6, A_7, A_8, A_9$; ???
  66. Still a difficult problem
      • Constructing a deterministic sequence whose values are:
          • Publicly, pairwise verifiable
          • Otherwise unlinkable
      • Again, use bilinear maps (with non-standard hardness assumption…)
      • We have only solved the problem of covert channels in the explicit logical layer
          • Timing or power side-channel?
  67. The message of this talk: Crypto is not always the hard part!
      • With crypto, we can do:
      • Challenge-response for authentication
      • Mutual authentication and/or encryption for privacy
      Figure labels: AES; Side-channel countermeasures
      Again, crypto is hard, but the really hard part is key management…
  68. The key-management problem
      Figure labels: Okinawa, Japan; Kansas, USA; “Top secret: X-32 cone”; crypto key; “Top secret: X-32 cone”
      • The key poses its own “transport” problems:
      • It must be tag-specific (usually)
      • It must be highly available
      • It must be secured at all times
      • Like managing 10,000,000,000 passwords!
  69. The RFID key-management problem
      Body passwords?
  70. To learn more
      • Papers available at RFID CUSP Web site: www.rfid-cusp.org
          • J. Halamka, A. Juels, A. Stubblefield, and J. Westhues. “The Security Implications of VeriChip Cloning.” Journal of the American Medical Informatics Association (JAMIA), 2006.
          • D. Bailey, D. Boneh, E.-J. Goh, and A. Juels. “Covert Channels in Privacy-Preserving Identification Systems.” In ACM CCS, 2007.
          • A. Juels, R. Pappu, and B. Parno. “Key Transport in Unidirectional Channels with Applications to RFID Security.” 2008. In submission.
          • J. Westhues’s RFID cloning page: http://cq.cx.
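
Added example for slides 28 to 32 (not from the slides or the authors' paper): one key per case encrypts every tag's data, and that key is secret-shared across the tags, so a reader holding the whole case decrypts while one or two dispersed tags do not. Assumptions: plain k-of-n Shamir sharing over the prime field 2^127 - 1 with full-size shares (not the talk's tiny-share, error-tolerant construction), a SHA-256 keystream standing in for the cipher E, hypothetical function names, and constructed item labels apart from the one shown on slide 29.

```python
import hashlib
import secrets

P = 2**127 - 1  # Mersenne prime; field for the Shamir sharing (assumed choice)

# Tag payloads: the first is the label on slide 29, the rest are constructed.
CASE_ITEMS = [
    b"Supersteroids 500mg; 100 count; Serial #87263YHG; Mfg: ABC Inc.; Exp: 6 Mar 2010",
    b"Supersteroids 500mg; 100 count; Serial #CONSTRUCTED-2",
    b"Supersteroids 500mg; 100 count; Serial #CONSTRUCTED-3",
    b"Supersteroids 500mg; 100 count; Serial #CONSTRUCTED-4",
    b"Supersteroids 500mg; 100 count; Serial #CONSTRUCTED-5",
]


def split_key(kappa, k, n):
    """Split kappa into n shares (x, f(x)); any k of them recover kappa."""
    coeffs = [kappa] + [secrets.randbelow(P) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of the degree k-1 polynomial
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def recover_key(shares):
    """Lagrange-interpolate at x = 0 through whatever shares are supplied."""
    kappa = 0
    for xj, yj in shares:
        num = den = 1
        for xm, _ in shares:
            if xm != xj:
                num = num * -xm % P
                den = den * (xj - xm) % P
        kappa = (kappa + yj * num * pow(den, -1, P)) % P
    return kappa


def xor_stream(kappa, tag_no, data):
    """Stand-in for E_kappa: XOR with a SHA-256 keystream bound to the tag number.
    The same call encrypts and decrypts."""
    stream, block = b"", 0
    while len(stream) < len(data):
        seed = kappa.to_bytes(16, "big") + tag_no.to_bytes(4, "big") + block.to_bytes(4, "big")
        stream += hashlib.sha256(seed).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def pack_case(items, k):
    """Manufacturer side: each tag stores its ciphertext and one share of kappa."""
    kappa = secrets.randbelow(P)
    shares = split_key(kappa, k, len(items))
    tags = [{"no": x, "share": y, "ct": xor_stream(kappa, x, m)}
            for (x, y), m in zip(shares, items)]
    return kappa, tags


def read_tags(tags):
    """Reader side: interpolate a key from the tags in range and decrypt them.
    With fewer than k tags the interpolated value is not kappa."""
    kappa = recover_key([(t["no"], t["share"]) for t in tags])
    return kappa, [xor_stream(kappa, t["no"], t["ct"]) for t in tags]


if __name__ == "__main__":
    _, tags = pack_case(CASE_ITEMS, k=3)
    print("pharmacy, full case :", read_tags(tags)[1][0])
    print("street, two tags    :", read_tags(tags[:2])[1][0])
```
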
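
Added example for slides 52 and 53 (not from the slides or the authors' paper): ElGamal with re-encryption, showing that a tag's successive outputs differ, that a device holding only a recorded ciphertext and PK can emit fresh-looking ciphertexts for the same name, and that the reader with SK decrypts all of them identically. Assumptions: the 768-bit RFC 2409 Oakley Group 1 modulus with generator 2 as a demo-size group, names encoded as quadratic residues, and hypothetical class and function names.

```python
import secrets

# RFC 2409 Oakley Group 1 modulus, a 768-bit safe prime (demo-size only).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2  # order of the quadratic-residue subgroup
G = 2             # generates that subgroup because P = 7 (mod 8)


def encode(name):
    """Map a short name to a quadratic residue (exactly one of m, P - m is one)."""
    m = int.from_bytes(name.encode(), "big")
    if not 0 < m <= Q:
        raise ValueError("name too long for this group")
    return m if pow(m, Q, P) == 1 else P - m


def decode(elem):
    m = elem if elem <= Q else P - elem
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode()


def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)


def encrypt(pk, name):
    """C = E_{PK,r}[name] with fresh r."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), encode(name) * pow(pk, r, P) % P


def reencrypt(pk, c):
    """C* = E_{PK,r+s}[m] from C and PK alone: multiply by an encryption of 1."""
    s = secrets.randbelow(Q - 1) + 1
    a, b = c
    return a * pow(G, s, P) % P, b * pow(pk, s, P) % P


def decrypt(sk, c):
    a, b = c
    return decode(b * pow(a, -sk, P) % P)


class Tag:
    """Slide 53's tag: knows PK and its name, outputs a fresh ciphertext per read."""
    def __init__(self, pk, name):
        self.pk, self.name = pk, name

    def read(self):
        return encrypt(self.pk, self.name)


class Clone:
    """Holds one recorded ciphertext and PK; never learns the name or SK."""
    def __init__(self, pk, recorded):
        self.pk, self.recorded = pk, recorded

    def read(self):
        return reencrypt(self.pk, self.recorded)


if __name__ == "__main__":
    sk, pk = keygen()
    tag = Tag(pk, "Alice")
    recorded = tag.read()
    clone = Clone(pk, recorded)
    print("tag   ->", decrypt(sk, tag.read()))
    print("clone ->", decrypt(sk, clone.read()))
```
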