New Directions in Detection, Security and Privacy for - UVA ...


Published on

Published in: Business, Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Hello. Thank you for coming to my proposal presentation, entitled New Directions in Detection, Security and Privacy for RFID.
  • My one-sentence thesis statement is “Multi-Tags”, “Yoking-Proofs”, and PUFs can improve reliability, security, and privacy in RFID Systems. In the next 20 minutes I hope to convince you of this.
  • Our progress to date is as follows. We published four refereed papers in premier IEEE conferences with several more papers in preparation. Our work has also formed the basis of an NSF Cyber Trust proposal submitted last week. In addition, Deutsche Telekom, the largest telecommunications company in the European Union, has offered to patent our multi-tags idea for commercialization.
  • I will start with a brief introduction to RFID and its history. RFID stands for radio frequency identification, which uses radio signals to uniquely identify objects. An RFID System consists of readers, tags, and back-end servers for information processing. There are three general types of RFID tags: passive, semi-passive, and active. Passive tags have no batteries on-board. They use power from the reader for computation and for communication. Semi-passive tags have batteries on-board, however the batteries are used for data processing only. The power harvested from the reader is still used for communication. Active tags have batteries on-board and they can use them for both computations and communications. The three major RFID frequencies are: Low frequency of 125kHz, High of 13.56 MHz, and ultra high of 915 MHz in the US. Two main coupling mechanisms used for read-tag communication. In inductive coupling, the reader creates a magnetic field between itself and the tag, and the tag harvests the power from its field for its operation. In backscatter coupling, or far-field propagation as it is sometimes called, the reader sends a signal to the tag, which tag backscatters back to the reader. I placed several tags, readers and antennas on this table – please feel free to play with them.
  • RFID technology originated with Radar, which was invented in 1935. Electronic Article Surveillance was invented in the early 60s. In the 70s, first patent on access control technology using RFID was filed. In 1999 the first book on RFID was published. In the same year, the Auto-ID Center was formed at MIT, for developing protocols and standards for Electronic Product Code (EPC), to be used as a substitute for bar-code. Over 100 large companies and organizations, including Wal-Mart and the US Department of Defense, financed these efforts. In 2004 the Auto-ID center was transformed into a newly formed non-profit EPCglobal organization. At the end of 2006, the first RFID-enabled game console was marketed.
  • Our proposal spans three intertwined areas: tag detection, security and privacy in RFID. Traditional RFID systems have one tag per object. We propose tagging objects with multiple tags, to improve tag detection. This will benefit applications that require high tag detection rate, tag reliability and durability. We will compare our multi-tag approach with systems using single-tagged objects, as well as with multiple-readers systems. We will also analyze various combinations of these two approaches. On the security front, we will devise RFID auditing algorithms, such as “Yoking-Proofs”. “ Yoking-Proof” protocols generate proofs which guarantee that groups of tags were read nearly-simultaneously. We will create a framework for inter-tag communication in which passive/battery-less tags communicate with each other through the reader. We will define privacy in RFID in a way that takes physical attacks into consideration. We will also design algorithms for security and privacy in RFID, based on physically unclonable functions, and design and evaluate PUF prototypes that avoid the drawbacks of previous approaches.
  • Bar-code scanning requires a line-of-sight visibility, and the scan rate is at most a few bar-codes per second. On the other hand, RFID does not require line-of-sight, and hundreds of RFID tags can be read per second. However, these benefits have a price. RFID tag detection is unreliable due to the ubiquitous radio noise permeating the environment, which can interfere with the readers’ ability to successfully identify tags. In addition, liquids such as milk, water, juice etc., or metals, can absorb or reflect radio waves, in ways that impede tag detection. In 2005, Wal-Mart conducted tag detection experiments that showed only 90% tag detection rate at case level, 95% tag detection rate on conveyor belts, and only 66% tag detection rate of individual items inside fully loaded pallets. Our preliminary experimental data with commercial RFID equipment supports these results. If objects are tagged with multiple tags, the detection rate will be higher.
  • Some applications of multi-tags include supply chain management, access control (especially for disabled people), luggage tracking, embedding tags into trees to help detect and discourage illegal deforestation.
  • One of the reasons multi-tags are effective in improving tag detection is improved expected tag orientation to the reader. Let beta be the angle between the reader’s signal and the tag. The voltage generated on-board a tag is proportional to sin(beta) for inductive coupling and to sin^2(beta) for far-field propagation. The distance at which the reader can detect the tag is proportional to the sixth root of the voltage for inductive coupling, and to the square root of the voltage for far-field propagation. Therefore, it is important to make the angle beta as close to 90 degrees as possible. To maximize the grazing angle beta, it is best to position the tags perpendicular to each other for two and three tag ensembles and to position four tags ensembles parallel to the faces of a tetrahedron, a platonic solid. For this tag positioning, the expected grazing angle beta is as shown on the graphs, assuming uniform signal distribution. You can see the sharp double digit increase in the expected angle value when the number of tags is increased from one to two and from two to three, but only a single digit angle increase from three tags to four tags. This suggests that the law of diminishing returns comes into effect pretty quickly. We computed the expected angle using simulation 1 to 4 tags and analytics for one and for two tags.
  • Here is a summary of some of the benefits and costs of multi-tags. Multi-tags increase the expected induced voltage aboard a tag which increases the expected communication distance. Multi-tags increase the amount of memory per object, increase probability of object detection, improve reliability, and durability of the system. Multi-tags can also enhance security and enable new applications. The cost of these improvements is the increased system cost, modest complication of manufacturing process for some types of multi-tags, and potential increase of tags’ interrogation time, depending on the anti-collision algorithm.
  • We will experimentally evaluate multi-tags using equipment from different manufacturers to ensure impartiality of results. We will use readers by Alien Technology and ThingMagic, and tags by Alien Technology and UPM Raflatac, the leading tag manufacturer is the world. We will determine tag detection for a cart full of non-metallic and non-liquid objects, about 20-25 of them. We will repeat the experiments for metal and liquid objects. To determine the detection probability, we will rotate a cube with tags attached to its faces in different planes, and perform similar experiments for tetrahedra. In our experiments, we will vary distances between objects and the reader antennas, vary reader antennas geometry, and vary readers’ emitted power. We will compare multi-tags with single-tags and multiple readers.
  • Preliminary representative experimental results with commercial RFID equipment support our theoretical expectations. The four curves here show the detection probabilities for all combinations of 1 and 2 tags and 1 and 2 readers, averaged over multiple experiments. The X axis represents the objects, and the Y axis represents the average object detection probabilities. The lowest, dark blue curve shows the detection probabilities of traditional RFID systems with one reader and one tag per object, yielding an average detection probability of 57.8%. The yellow curve shows the detection probabilities for two readers and one tag per object, with an average detection probability of 63.9%. the orange curve shows the detection probabilities for one reader and two tags per object, with an average detection probability of 82.6%. and the blue curve shows the detection probabilities for two readers and two tags per object, with an average detection probability of 86.6%. As you can see, the difference of adding an extra reader is relatively small: about 6 percent in the 1-tag case, and 4% in the 2-tag case. However, the difference of adding an extra tag is quite dramatic: about 24.8 percent in the 1-reader case, and 22.7% in the 2-reader case. This data clearly indicates that adding a tag is substantially more beneficial than adding a reader, by a factor of 4 to 5 in terms of detection improvements. This experiment also demonstrates that two tags and one reader outperform one tag and two readers by 18.7% in terms of detection probability.
  • We now turn to the issues of security and privacy in RFID systems. As Alice carries insecure RFID tags from A to B to C, her movements may be tracked surreptitiously, violating her privacy. Privacy-preserving RFID algorithms try to prevent illicit tag tracking.
  • The term security in RFID is often overloaded to include privacy. Before describing our proposed contributions to RFID security and privacy, I will first explain these concepts. Tag identification is secure if an adversary cannot determine a tag’s ID. The identification is also private if in addition to the tag hiding its ID from an adversary, an adversary cannot associate multiple tag readings with the same tag. Tag authentication algorithms ensure that the tag is authentic, in other words, that it is not a clone. In message authentication algorithms, the tag signs a message that it receives from the reader, or that it receives via sensors. Recent work shows that passive/powerless RFID tags can perform sensing by harvesting the energy from the readers. Ownership transfer algorithms securely and privately transfer tags from one owner to another. The goal of secure ownership transfer algorithms is to ensure that tag owners cannot be tracked. Auditing algorithms verify that readers comply with the data collection policy.
  • Yoking-Proofs protocols belong to the category of auditing algorithms, however they also have roots in message authentication algorithms. The term yoking refers to joining together, or simultaneous presence of multiple tags. Yoking proofs try to yoke/join reading of multiple tags. The key observation in yoking-proofs is that passive tags can communicate with each other through the reader. I will say more about this interesting new communication paradigm later. The problem statement in yoking-proofs is the following. The reader should identify a group of tags nearly-simultaneously (i.e., within some predetermined time period t), and generate an unforgeable proof that this was the case. Applications of yoking proofs include: Verifying that a medicine bottle was sold together with the instruction leaflet; or that tools were sold together with the safety devices; or verifying that matching parts were delivered together, etc.
  • We postulate the following assumptions and solution goals. We assume that tags are passive (i.e., they have no batteries on-board), and have limited computational abilities, but they can compute a keyed hash function. We also assume that tags can maintain some state between protocol runs, and that the verifier is trusted and reasonably powerful (i.e., a PC or server). The protocols should allow readers to be adversarial and make it infeasible for readers to forge valid proofs. We want our protocols to allow the verifier to be off-line , and detect replays of valid proofs by adversarial readers. To ensure near-simultaneous reading of tags, the protocol can rely on FCC RFID regulations which require protocol termination within 400ms. If the an adversarial reader violates these regulations, a tag can use an on-board capacitor discharge to implement timeout. Yoking proofs formulations were invented by Ari Juels who gave a protocol for a pair of tags, and left the problem of generalizing the protocol to more than two tags open for future research. Aside from generalizing this yoking protocol to arbitrary numbers of tags, we also found and fixed flaws in previous papers on this topic.
  • The idea of our generalized yoking proof protocol is to construct a chain of mutually dependent message authentication code computations. The reader accesses the first tag that computes a MAC of its state and starts the timer, then the reader passes the value computed by the tag to the next tag, which computes its own MAC, and so on. After reading the last tag, the reader passes the computed value back to the first tag, which closes the chain. We can prove that it is infeasible for the reader to forge a proof. We also define anonymous yoking - a new class of privacy-preserving yoking-proofs, and we propose new private yoking protocols. We can show how yoking proofs can be sped up by splitting this chain into multiple arcs , where each arc is constructed independently, and then arcs are joined together.
  • As mentioned before, passive tags can communicate with each other through the reader. We believe that this communication paradigm will add heterogeneity in ubiquitous computing frameworks, with both active and passive devices communicating with each other. We showed that “yoking-proofs” rely on this paradigm, and propose to develop new applications of inter-tag communication. Battery-less sensing can be performed with powerless RFID tags, and inter-tag communication can allow tags to share sensor information. Tags can be used as mailboxes or proxies for reader-to-reader communication. Tags can also communicate location information or ensure simultaneous reader authentication, etc.
  • Known digital cryptographic function implementations require thousands of gates. RFID researchers are looking for low-complexity and consequently low-cost solutions to security and privacy in RFID. Some low-complexity solutions include: use of pseudonyms or one-time pads, and minimal complexity and power hash functions. In this proposal we concentrate on solutions that rely on hardware support. We believe that for low-complexity implementations we need to utilize randomness that is an inherent part of any chip design. For some protocols a combination of physical and digital cryptography can be used. As part of our quest for hardware-based solutions to security and privacy in RFID, we propose to give a definition of privacy for RFID taking physical attacks into account. Our work so far has been based on physically unclonable functions , PUFs for short. Security of a PUF is based on wire delays, gate delays, and quantum mechanical fluctuations that are inherent in chip designs today. A PUF can be characterized by its uniqueness , which is probability that it computes a value different from the value computed by another PUF for the same input. A PUF can also be characterized by its reliability , which is the probability that the PUF will output the value observed in the reference environment (i.e., the one with no power or temperature fluctuations). Another characteristic of a PUF is unpredictability , which is the characteristic of how hard it is to predict a PUF’s output for a never before tried input. In essence, this is a characteristic of how hard it is to model a PUF. We propose to more precisely define this characteristic. My thesis proposal writeup details previous works on PUFs, and we will design PUFs that avoid the drawbacks of previous methods.
  • We propose RFID identification, authentication, and MAC algorithms based on PUFs. To privately identify a tag, the tag will send its ID to the reader and update its ID using the PUF. For this algorithm to work, it is important for the PUF to be reliable. For privacy, it is important to have no loops in the desired chain, and no PUF outputs should collide. We assume that an adversary cannot physically overwrite an ID of another PUF with observed tag ID. Otherwise, an adversary will gain considerable tracking advantage. The main point is that from a single ID, a PUF can extract multiple pseudo-IDs that it can use for identification. For a non-privacy-preserving authentication, the reader can send multiple challenges to a tag. The tag will compute PUF values for these challenges and send them to the reader. The reader will verify that at least the desired fraction of values is correct. PUFs can also be used to sign messages. For example, yoking proofs require messages to be signed and PUFs can also sign sensitive sensor data such as temperature. MAC protocols that we propose are different from standard cryptographic MAC protocols. Our MAC protocols require large keys whereas standard MAC protocols have short keys, and our MACs cannot be used in all scenarios. We will design MAC protocols for large and small message spaces.
  • Ownership transfer in RFID occurs when a tag changes hands, which can occur in case of a sale or rental, for example. It is desired to preserve the privacy of tag owners. Past owners should not be able to track current and future owners, and current and future owners should be able to track previous owners back in time. When tags can change owners, physical security becomes especially important since current owners can tamper with their own tags in order to track future owners. We propose to devise new PUF-based privacy-preserving ownership transfer protocols that rely on knowledge of the sequence of owners, trusted authority, or short period of privacy.
  • In terms of gate count, a PUF compares favorably to known cryptographic hash functions that require thousands of gates to implement. In contrast, existing PUFs require only about 550 gates for a 64-bit input – an order of magnitude improvement over standard hash functions. Of course, the PUF’s low gate count comes at a cost. In particular, the PUF’s output is only probabilistically accurate, and it is hard to analytically characterize a PUF, making it difficult to assess its complexity and security. Also several different PUFs may produce identical outputs for the same input, requiring algorithms to protect against impersonation attacks. PUFs also require extra storage at the back-end database to store all the challenge response pairs recorded for each tag. Plus, PUFs create a different attack target for adversaries. Instead of trying to recover a key for keyed hash functions, an adversary would try to model the PUF based on the known challenge response pairs. In addition, PUFs add physical security to otherwise vulnerable RFID tags. With PUFs it is much more difficult for an adversary to break the tag, or create a clone of the PUF/tag and remain undetected .
  • A good PUF design and PUF-based algorithms should make it difficult for an adversary to use a clone PUF for impersonation. A good PUF should be resistant to modeling attacks. A PUF should resist hardware-tampering attacks that attempt to measure wire delays and/or try to learn secret data stored underneath the PUF’s wires. PUFs should not leak substantial information about its computation through side channels. Existing PUF has some weaknesses. It has an oscillating counting circuit which computes the delay by counting and increases the tag manufacturing cost. In addition, the delay values of this PUF follow a Gaussian distribution, requiring filtering of some challenges and longer computation times. The reliability of existing PUFs is also relatively low. We propose to design and evaluate better PUF prototypes in collaboration with our EE colleagues. We will design a sub-threshold voltage PUF without an oscillating circuit, which will require less time to run. We will also include non-linear delays in our PUF circuit, to make modeling difficult.
  • In conclusion, we propose tagging objects with multiple-tags to improve object detection and the reliability of the system in general. On the security front, we design generalized yoking-proofs for RFID auditing. We propose a new inter-tag communication framework and its applications. We also propose secure and private RFID algorithms based on physical unclonable functions. In the next five months, we plan to complete our experiments with multi-tags, develop new privacy definitions for RFID, design and evaluate new improved PUF circuits, and publish additional papers on these topics. Thank you.
  • Some works observed the need for better object detection. X uses two antennas per object to better determine a tag’s location. Y places four differently positioned tags on an object to determine its moving direction. Z mentions that multiple tags per object can be used to increase reliability to help visually impaired. Q randomly places two tags on playing cards to increase cards detection. The work of W splits tag ID into two parts: Class ID and Pure ID. At sale time Pure ID is pilled off leaving only Class ID to enhance individual privacy. E uses up to three tags to better determine object-person interaction. In contrast to these works, we take a systematic approach to developing a theory of multi-tags, proposing optimal tag placement, quantify improvements obtained with multi-tags, analyzing effect of multi-tags on different tag interrogation algorithms, suggest ways to enhance security with multi-tags, and offer appealing new applications.
  • We define different types of multi-tags. Redundant tags are identical disconnected tags attached to an object. Complimentary tags are disconnected tags having distinct functionality that compliment each other for the common purpose (e.g., to speed up parallelizable computation or subdivide function computation). Dual-Tags is a pair of connected tags. Triple-Tags and n-Tags in general refer to n inter-connected tags.
  • The concept of a physical unclonable function was introduced by Ravikanth in his Ph.D. thesis in 2001. His work is mainly structured around optical PUFs. Silicon PUFs were introduced by Gassend and others in 2002. They designed a PUF, characterized its operation under changing voltage and temperature values, and showed how it can be used for circuit authentication. They have also introduced controlled PUFs that use cryptographic hash functions. A couple of works mentioned possible PUF application to RFID. Tuyls and others gave an off-line reader authentication algorithm using PUFs. Their algorithm relies on a public key cryptography, which may be expensive to implement aboard low-cost tags.
  • New Directions in Detection, Security and Privacy for - UVA ...

    1. 1. New Directions in Detection, Security and Privacy for RFID Leonid Bolotnyy and Gabriel Robins Department of Computer Science, UVa
    2. 2. Thesis Multi-tags, “yoking-proofs”, and physical unclonable functions can improve reliability, security, and privacy in radio frequency identification (RFID) systems.
    3. 3. Progress <ul><li>L. Bolotnyy and G. Robins, Multi-Tag Radio Frequency Identification Systems, IEEE Workshop on Automatic Identification Advanced Technologies (AutoID), pp. 83-88, 2005 </li></ul><ul><li>L. Bolotnyy and G. Robins, Randomized Pseudo-Random Function Tree Walking Algorithm for Secure Radio Frequency Identification, IEEE Workshop on Automatic Identification Advanced Technologies (AutoID), pp. 43-48, 2005 </li></ul><ul><li>L. Bolotnyy and G. Robins, Generalized ‘Yoking-Proofs’ for a Group of RFID Tags, IEEE International Conference on Mobile and Ubiquitous Systems (Mobiquitous), 2006 </li></ul><ul><li>L. Bolotnyy and G. Robins, PUF-Based Security and Privacy in RFID Systems, IEEE International Conference on Pervasive Computing (PerCom), 2007 </li></ul><ul><li>Several additional papers in progress </li></ul><ul><li>NSF Cyber Trust proposal (submitted January 2007) </li></ul><ul><li>Deutsche Telekom (largest in EU) offered to patent our multi-tags idea </li></ul>
    4. 4. Introduction <ul><li>RFID </li></ul><ul><li>Tags types: </li></ul><ul><li>Frequencies: Low (125KHz), High (13.56MHz), UHF (915MHz) </li></ul><ul><li>Coupling methods: </li></ul>passive semi-passive active Reader antenna Reader antenna signal signal Inductive coupling Backscatter coupling
    5. 5. History <ul><li>Auto-ID Center formed - 1999 </li></ul><ul><li>EPCglobal formed - 2004 </li></ul><ul><li>Radar invented - 1935 </li></ul><ul><li>EAS invented - early 1960’s </li></ul><ul><li>First RFID book published - 1999 </li></ul><ul><li>First RFID patent filed - 1973 </li></ul><ul><li>First RFID game marketed - 2006 </li></ul>
    6. 6. Thesis Proposal <ul><li>Improve tag detection </li></ul><ul><li>Improve security and privacy </li></ul>Inter-tag communication Definition of privacy Auditing algorithms for RFID “ Yoking-Proofs” PUF-based security Algorithms PUF design
    7. 7. Why Multi-Tag RFID? <ul><li>Bar-codes vs. RFID </li></ul><ul><ul><li>line-of-sight </li></ul></ul><ul><ul><li>scanning rate </li></ul></ul><ul><li>Unreliability of tag detection </li></ul><ul><ul><li>radio noise is ubiquitous </li></ul></ul><ul><ul><li>liquids and metals are opaque to RF </li></ul></ul><ul><ul><ul><li>milk, water, juice </li></ul></ul></ul><ul><ul><ul><li>metal-foil wrappers </li></ul></ul></ul><ul><ul><li>Wal-Mart experiments (2005) </li></ul></ul><ul><ul><ul><li>90% tag detection at case level </li></ul></ul></ul><ul><ul><ul><li>95% detection on conveyor belts </li></ul></ul></ul><ul><ul><ul><li>66% detection of individual items inside fully loaded pallets </li></ul></ul></ul><ul><ul><li>Our preliminary experiments support data above </li></ul></ul>
    8. 8. Applications of Multi-Tags
    9. 9. The Power of an Angle <ul><li>Inductive coupling: voltage ~ sin(β), distance ~ (power) 1/6 </li></ul><ul><li>Far-field propagation: voltage ~ sin 2 (β), distance ~ (power) 1/2 </li></ul>B-field β <ul><li>Optimal Tag Placement: </li></ul>1 4 3 2
    10. 10. Benefits and Costs of Multi-Tags <ul><li>PROS </li></ul><ul><ul><li>increases expected induced voltage on tag </li></ul></ul><ul><ul><li>increases operational range of system </li></ul></ul><ul><ul><li>increases memory per object </li></ul></ul><ul><ul><li>improves availability </li></ul></ul><ul><ul><li>improves reliability </li></ul></ul><ul><ul><li>improves durability </li></ul></ul><ul><ul><li>provides potential security enhancement </li></ul></ul><ul><ul><li>new applications </li></ul></ul><ul><li>CONS </li></ul><ul><ul><li>increases system cost </li></ul></ul><ul><ul><li>modestly complicates manufacturing </li></ul></ul><ul><ul><li>potentially increases tags’ interrogation time </li></ul></ul>
    11. 11. Experimental Apparatus and Experiments with Multi-Tags <ul><li>Equipment </li></ul><ul><li>Experiments </li></ul><ul><ul><li>Measure detection of ~20 multi-tagged objects </li></ul></ul><ul><ul><ul><li>With/without metals and liquids </li></ul></ul></ul><ul><ul><li>Rotate multi-tagged object mixes </li></ul></ul><ul><ul><ul><li>1, 2, 3, & 4 tags per object </li></ul></ul></ul><ul><ul><li>Vary tag, reader, and antenna types </li></ul></ul><ul><ul><li>Vary distances, geometry, power </li></ul></ul><ul><ul><li>Multi-tags vs. multiple readers </li></ul></ul>
    12. 12. Preliminary Experimental Results 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 Object Number Average Detection Probability 1 Reader, 2 Tags 82.6% 2 Readers, 1 Tag 63.9% 2 Readers, 2 Tags 86.6% 1 Reader, 1 Tag 57.8% Δ=24.8% Δ=22.7% Δ= 4.0% Δ=18.7% Δ= 6.1%
    13. 13. Security and Privacy in RFID <ul><li>Privacy </li></ul>A B C Alice was here: A, B, C privacy
    14. 14. Security and Privacy in RFID <ul><li>Privacy: difficult to track tags </li></ul><ul><li>Security </li></ul><ul><ul><li>Secure Identification </li></ul></ul>f(r, ID) <ul><ul><li>Tag Authentication </li></ul></ul>c f(c) <ul><ul><li>Message Authentication </li></ul></ul><ul><ul><li>Ownership Transfer </li></ul></ul><ul><ul><li>Auditing </li></ul></ul>m σ (m)
    15. 15. “Yoking-Proofs” <ul><li>Applications – verify that: </li></ul><ul><ul><li>medicine bottle sold together with instructions </li></ul></ul><ul><ul><li>tools sold together with safety devices </li></ul></ul><ul><ul><li>matching parts were delivered together </li></ul></ul><ul><ul><li>several forms of ID were presented </li></ul></ul><ul><ul><li>a group of people was present at a meeting </li></ul></ul><ul><li>Problem Statement: Generate proof that a group of passive tags were identified nearly-simultaneously </li></ul><ul><li>Key Observation: Passive tags can communicate </li></ul><ul><li>with each other through reader </li></ul><ul><li>Yoking : joining together / simultaneous presence of multiple tags </li></ul>
    16. 16. Assumptions and Goals <ul><li>Assumptions </li></ul><ul><ul><li>Tags are passive </li></ul></ul><ul><ul><li>Tags have limited computational abilities </li></ul></ul><ul><ul><li>Tags can compute a keyed hash function </li></ul></ul><ul><ul><li>Tags can maintain some state </li></ul></ul><ul><ul><li>Verifier is trusted and powerful </li></ul></ul><ul><li>Solution Goals </li></ul><ul><ul><li>Allow readers to be adversarial </li></ul></ul><ul><ul><li>Make valid proofs improbable to forge </li></ul></ul><ul><ul><li>Allow verifier to verify proofs off-line </li></ul></ul><ul><ul><li>Detect replays of valid proofs </li></ul></ul><ul><li>Timer on-board a tag </li></ul><ul><ul><li>FCC regulations: protocol termination < 400ms </li></ul></ul><ul><ul><li>Capacitor discharge can implement timeout </li></ul></ul>
    17. 17. Generalized “Yoking-Proof” Protocol 1 3 2 4 5 Anonymous Yoking : tags keep their identities private Speedup yoking protocols by splitting chain into arcs Idea: construct a chain of mutually dependent MACs
    18. 18. Inter-Tag Communication in RFID <ul><li>Idea: heterogeneity in ubiquitous computing </li></ul><ul><li>“ Yoking proofs” </li></ul><ul><li>Battery-less sensing </li></ul><ul><li>Tags as mailboxes </li></ul><ul><li>Tags as proxies </li></ul><ul><li>Location access control </li></ul><ul><li>Tags partitioned into groups </li></ul><ul><ul><li>Group leader in charge of authentication and access control </li></ul></ul><ul><li>Subordinate reader-tag authentication </li></ul>
    19. 19. PUF-Based Security and Privacy <ul><li>Digital crypto implementations require 1000’s of gates </li></ul><ul><li>Low-cost alternatives </li></ul><ul><ul><li>Pseudonyms / one-time pads </li></ul></ul><ul><ul><li>Low complexity / power hash function designs </li></ul></ul><ul><ul><li>Hardware-based solutions </li></ul></ul><ul><li>Definition of privacy that incorporates hardware attacks </li></ul><ul><li>PUF definition </li></ul><ul><li>Security is based on: </li></ul><ul><ul><li>wire delays </li></ul></ul><ul><ul><li>gate delays </li></ul></ul><ul><ul><li>quantum mechanical fluctuations </li></ul></ul><ul><li>PUF characteristics </li></ul><ul><ul><li>uniqueness </li></ul></ul><ul><ul><li>reliability </li></ul></ul><ul><ul><li>unpredictability </li></ul></ul>
    20. 20. PUF-Based Algorithms <ul><li>Identification Sequence: ID, p(ID), …, p k (ID) </li></ul><ul><li>It is important to have </li></ul><ul><ul><li>a reliable PUF </li></ul></ul><ul><ul><li>no loops in PUF chains </li></ul></ul><ul><ul><li>no identical PUF outputs </li></ul></ul><ul><ul><li>no impersonation attacks </li></ul></ul><ul><li>MAC based on PUF </li></ul><ul><ul><li>Motivation: “yoking-proofs”, signing sensor data </li></ul></ul><ul><ul><li>large keys </li></ul></ul><ul><ul><li>cannot support arbitrary messages </li></ul></ul><ul><li>Large message set </li></ul><ul><li>Small message set </li></ul><ul><li>Authentication Pairs: c 1 , p(c 1 ), c 2 , p(c 2 ), ..., c n , p(c n ) </li></ul><ul><li>Verify that at least the desired fraction of challenge-response pairs is correct </li></ul>
    21. 21. PUF-Based Ownership Transfer <ul><li>Ownership Transfer </li></ul><ul><li>To maintain privacy we need </li></ul><ul><ul><li>ownership privacy </li></ul></ul><ul><ul><li>forward privacy </li></ul></ul><ul><li>Physical security is especially important </li></ul><ul><li>Solutions </li></ul><ul><ul><li>public key cryptography </li></ul></ul><ul><ul><li>knowledge of owners sequence </li></ul></ul><ul><ul><li>trusted authority </li></ul></ul><ul><ul><li>short period of privacy </li></ul></ul>
    22. 22. Comparison of PUF With Digital Hash Functions <ul><li>Reference PUF: 545 gates for 64-bit input </li></ul><ul><ul><li>6 to 8 gates for each input bit </li></ul></ul><ul><ul><li>33 gates to measure the delay </li></ul></ul><ul><li>Low gate count of PUF has a cost </li></ul><ul><ul><li>probabilistic outputs </li></ul></ul><ul><ul><li>difficult to characterize analytically </li></ul></ul><ul><ul><li>non-unique computation </li></ul></ul><ul><ul><li>extra storage </li></ul></ul><ul><li>Different attack target for adversaries </li></ul><ul><ul><li>model building rather than key discovery </li></ul></ul><ul><li>Physical security </li></ul><ul><ul><li>hard to break tag and remain undetected </li></ul></ul>MD4 7350 MD5 8400 SHA-256 10868 Yuksel 1701 PUF 545 AES 3400 algorithm # of gates
    23. 23. PUF Design <ul><li>Attacks on PUF </li></ul><ul><ul><li>impersonation </li></ul></ul><ul><ul><li>modeling </li></ul></ul><ul><ul><li>hardware tampering </li></ul></ul><ul><ul><li>side-channel </li></ul></ul><ul><li>Weaknesses of existing PUF </li></ul><ul><li>New PUF design </li></ul><ul><ul><li>no oscillating circuit </li></ul></ul><ul><ul><li>sub-threshold voltage </li></ul></ul><ul><li>Compare different non-linear delay approaches </li></ul>reliability
    24. 24. Conclusion and Research Plan <ul><li>Contributions </li></ul><ul><ul><li>Multi-Tags </li></ul></ul><ul><ul><ul><li>tag objects with multiple tags to improve detection </li></ul></ul></ul><ul><ul><li>Security and Privacy </li></ul></ul><ul><ul><ul><li>Yoking proofs </li></ul></ul></ul><ul><ul><ul><li>Inter-tag communication </li></ul></ul></ul><ul><ul><ul><li>Hardware-based security </li></ul></ul></ul><ul><ul><ul><ul><li>PUFs </li></ul></ul></ul></ul><ul><li>Plan for the next 5 months </li></ul><ul><ul><li>finish multi-tag experiments </li></ul></ul><ul><ul><li>define privacy w.r.t. physical attacks </li></ul></ul><ul><ul><li>design / evaluate improved PUF circuits </li></ul></ul><ul><ul><li>publish more papers </li></ul></ul>
    25. 25. <ul><li>Bolotnyy and Robins, Multi-Tag Radio Frequency Identification Systems,IEEE Workshop on Automatic Identification Advanced Technologies (AutoID), pp. 83-88, 2005 </li></ul><ul><li>Bolotnyy and Robins, Randomized Tree Walking Algorithm for Secure RFID, IEEE Workshop on Automatic Identification Advanced Technologies (AutoID), pp. 43-48, 2005 </li></ul><ul><li>Bolotnyy and Robins, Generalized ‘Yoking-Proofs’ for a Group of RFID Tags, IEEE International Conference on Mobile and Ubiquitous Systems (Mobiquitous), 2006 </li></ul><ul><li>Bolotnyy and Robins, PUF-Based Security and Privacy in RFID Systems, IEEE International Conference on Pervasive Computing (PerCom), 2007 </li></ul>
    26. 26. Back Up Slides
    27. 27. Related Work on Multi-Tags <ul><li>Two-antennas per tag to determine location </li></ul><ul><li>Four tags per object to determine movement direction </li></ul><ul><li>Multiple tags to increase reliability (for visually impaired) </li></ul><ul><li>Random placement of two tags on playing cards </li></ul><ul><li>Splitting tag ID into Class ID and Pure ID </li></ul><ul><li>Up to three tags to determine object-person interaction </li></ul>
    28. 28. Types of Multi-Tags <ul><li>Triple-Tags </li></ul><ul><li>n-Tags </li></ul><ul><li>Dual-Tags </li></ul><ul><ul><li>Own Memory Only </li></ul></ul><ul><ul><li>Shared Memory Only </li></ul></ul><ul><ul><li>Own and Shared Memory </li></ul></ul><ul><li>Redundant Tags </li></ul><ul><li>Complimentary Tags </li></ul>
    29. 29. Detection Distance with Multi-Tags
    30. 30. Effects of Multi-Tags on Anti-Collision Algorithms Algorithm Redundant Tags Dual-Tags *If Dual-Tags communicate to form a single response **Assuming an object is tagged with two tags No Affect* Doubles Time** Slotted Aloha No Affect* Causes DOS STAC No Affect* Doubles Time** Randomized No Affect No Affect Binary Variant No Affect No Affect Binary
    31. 31. Related Work on “Yoking-Proofs” <ul><li>Saito and Sakurai [2005] </li></ul><ul><ul><li>solution relies on timestamps generated by trusted database </li></ul></ul><ul><ul><li>violates original problem statement </li></ul></ul><ul><ul><li>one tag is assumed to be more powerful than the others </li></ul></ul><ul><ul><li>vulnerable to “future timestamp” attack </li></ul></ul><ul><li>Piramuthu [2006] </li></ul><ul><ul><li>discusses inapplicable replay-attack problem of Juels’ protocol </li></ul></ul><ul><ul><li>independently observes the problem with Saito/Sakurai protocol </li></ul></ul><ul><ul><li>proposed fix only works for a pair of tags </li></ul></ul><ul><ul><li>violates original problem statement </li></ul></ul><ul><li>Juels [2004] </li></ul><ul><ul><li>protocol is limited to two tags </li></ul></ul><ul><ul><li>no timely timer update (minor/crucial omission) </li></ul></ul>
    32. 32. Speeding Up The Yoking Protocol starting / closing tags Idea: split cycle into several sequences of dependent MACs <ul><li>Requires </li></ul><ul><ul><li>multiple readers or multiple antennas </li></ul></ul><ul><ul><li>anti-collision protocol </li></ul></ul>
    33. 33. Related Work on PUF <ul><li>Optical PUF [Ravikanth 2001] </li></ul><ul><li>Silicon PUF [Gassend et al 2002] </li></ul><ul><ul><li>design, implementation, simulation, manufacturing </li></ul></ul><ul><ul><li>authentication algorithm </li></ul></ul><ul><ul><li>controlled PUF </li></ul></ul><ul><li>PUF in RFID </li></ul><ul><ul><li>off-line reader authentication using public key cryptography [Tuyls et al 2006] </li></ul></ul>
    34. 34. PUF-Based Authentication Reader Tag . . . GetID GetResponse(c 1 ) GetResponse(c n ) ID p(c 1 ) p(c n ) α < prob v ≤ 1 and prob f ≤ β ≤ 1 0 ≤ t ≤ n-1 prob v (n) prob f (n) i=t+1 μ i (1-μ) n-i prob v = 1 - ∑ n n i τ j (1- τ) n-j prob f = 1 - ∑ j=t+1 n n j
    35. 35. PUF-Based Identification Algorithm <ul><li>Tag stores its identifier: ID </li></ul><ul><li>Database stores: ID, p(ID), …, p k (ID) </li></ul><ul><li>Upon reader’s query, the tag </li></ul><ul><ul><li>responds with p(ID) </li></ul></ul><ul><ul><li>updates its ID with p(ID) </li></ul></ul><ul><li>Assumptions </li></ul><ul><ul><li>passive adversaries (otherwise, denial of service possible) </li></ul></ul><ul><ul><li>physical compromise of tags not possible </li></ul></ul><ul><ul><li>reliable PUF </li></ul></ul><ul><li>It is important to have </li></ul><ul><ul><li>a reliable PUF </li></ul></ul><ul><ul><li>no loops in PUF chains </li></ul></ul><ul><ul><li>no identical PUF outputs </li></ul></ul>
    36. 36. PUF-Based MAC Algorithms <ul><li>MAC based on PUF </li></ul><ul><ul><li>large keys </li></ul></ul><ul><ul><li>cannot support arbitrary messages </li></ul></ul><ul><ul><li>Motivational example: buyer/seller </li></ul></ul><ul><li>Need to protect against replay attacks </li></ul><ul><li>MAC = (K, τ, υ) </li></ul>K K <ul><li>valid signature σ : υ (M, σ) = 1 </li></ul><ul><li>forged signature σ’ : υ (M’, σ’) = 1, M = M’ </li></ul>σ (m) = c, r 1 , ..., r n , p c (r 1 , m), ..., p c (r n , m) <ul><li>Large message set </li></ul><ul><li>Small message set </li></ul>σ (m) = c, p c (1) (m), ..., p c (n) (m), ..., c+q-1, p c+q-1 (1) (m), p c+q-1 (n) (m)
    37. 37. Using PUF to Detect and Restore Privacy of Compromised System <ul><li>Detect potential tag compromise </li></ul><ul><li>Update secrets of affected tags </li></ul>s 1,0 s 2,0 s 1,1 s 2,1 s 3,1 s 2,2 s 2,3 s 3,0 s 3,4 s 3,5 s 3,2 s 3,3 s 3,7 s 3,6 s 2,4 s 1,2 s 3,9 s 2,5 s 3,10 s 3,8