RFID Security and Privacy
References <ul><li>6.857: RFID Security and Privacy,  Massachusetts Institute of Technology, Computer Science and Artifici...
Abstract and Outline <ul><li>Abstract:  What is RFID, how does it affect security and privacy, and what can we do about it...
The tide is turning... Pervasive computing is coming... It’s time to get serious about privacy.
What is RFID? <ul><li>R adio  F requency  Id entification: Identify physical objects through a radio interface. </li></ul>...
RFID System Primer <ul><li>Three Main Components:  </li></ul><ul><li>Tags, or  transponders,  affixed to objects and carry...
RFID Adhesive Labels 4 cm
An RFID “Smart Shelf” Reader   Any Shelf becomes a Smart Shelf by means of the    Flexible Panasonic  Antenna  System.
System Interface Reader 01.203D2A.916E8B.8719BAE03C Tag Database Reader Network Data Processing
RFID Advantages <ul><li>Non-line-of-sight nature </li></ul><ul><li>Dynamic memory : real-time addition of data without rem...
RFID History <ul><li>Earliest Patent: John Logie Baird (1926) </li></ul><ul><li>“ Identify Friend or Foe” (IFF) systems de...
Digression #1:  Related Military Applications <ul><li>IFF still used today for aircraft and missiles. Obviously classified...
Commercial Applications <ul><li>Early Applications: </li></ul><ul><ul><li>Tracking boxcars and shipping containers. </li><...
Supply-Chain Management (Not Gum) <ul><li>First Universal Product Code scanned was on a pack of Juicy Fruit gum in 1976. <...
<ul><li>Example applications: </li></ul><ul><li>Electronic passports </li></ul><ul><li>ID cards and badges </li></ul><ul><...
Modern RFID Applications <ul><li>Supply-Chain Management </li></ul><ul><ul><li>Inventory Control </li></ul></ul><ul><ul><l...
Prada's RFID Closet MIT Prox Card
 
Tag Power Source <ul><li>Passive:  </li></ul><ul><ul><li>All power comes from a reader’s interrogation signal. </li></ul><...
RFID tags are passive, powered by reader, carry identity Privacy issues: Unwanted tracking of people and items Introductio...
<ul><li>Tags might lack writable non-volatile memory </li></ul><ul><ul><li>Takes more energy to permanently write bits </l...
Functionality Classes Ad Hoc Networking Active Read/Write Smart Dust 4 Environmental Sensors Semi-Passive Read/Write Senso...
Operating Frequencies 3 meters 10-20 centimeters 10-20 centimeters Typical Range 10 meters 3 meters 3 meters Maximum Range...
RFID Established Standards <ul><li>13.56 MHz </li></ul><ul><ul><li>ISO 15693 </li></ul></ul><ul><ul><li>ISO 14443  </li></...
RFID Technical Standards <ul><li>ISO 18000-1-Generic Parameters for Air Interface for Global Interface </li></ul><ul><li>I...
Intended read range   Computation   ISO 14443  E-passports, ID cards US$5 ISO 15693 Library books US$0.50 EPC WalMart US...
Frequencies RAILROAD CAR MONITORING TOLL COLLECTION SYSTEMS VEHICLE IDENTIFICATION LONG READ RANGE HIGH READING SPEED LINE...
normal reader (10cm / 3m) malicious reader (50cm / 15m) eavesdrop on tag (???) Read range? eavesdrop on reader (50m / ???)
Asymmetric Channels Reader Tag Eavesdropper Forward Channel Range (~100m) Backward Channel Range (~5m)
Security Risks: Espionage <ul><li>Corporate Espionage: </li></ul><ul><ul><li>Identify Valuable Items to Steal </li></ul></...
Espionage Case Study <ul><li>The US Food and Drug Administration (FDA) recently recommended tagging prescription drugs wit...
Security Risks: Forgery <ul><li>RFID casino chips, Mobil SpeedPass, EZ-Pass, FasTrak, prox cards, €500 banknotes, designer...
Security Risks: Forgery <ul><li>Mandel, Roach, and Winstein @ MIT </li></ul><ul><li>Took a “couple weeks” and $30 to figur...
 
Security Risks: Sabotage <ul><li>If we can’t eavesdrop or forge valid tags, can simply attack the RFID infrastructure. </l...
Adversarial Model <ul><li>Can classify adversaries by their access. </li></ul><ul><li>Three levels of read or write access...
Adversarial Model: Attacks <ul><li>Long-Range Passive Eavesdropper:  </li></ul><ul><ul><li>Forward-Only Logical Read Acces...
Adversarial Model: Countermeasures <ul><li>Countermeasures will degrade an adversary’s access. For example: </li></ul><ul>...
Is it really that bad? <ul><li>Maybe Not.  </li></ul><ul><li>Tags can only be read from a few meters.* </li></ul><ul><li>W...
But…the customer is always right. <ul><li>The public perception of a security risk, whether valid or not, could limit adop...
Digression #2: RFID Public Relations <ul><li>The industry never misses a chance to shoot itself in the foot. </li></ul><ul...
Security Challenge <ul><li>Resources, resources, resources. </li></ul><ul><li>EPC tags ~ 5 cents. 1000 gates ~ 1 cent. </l...
Example Tag Specification Anti-Collision Support Random Number Generator Features 10 μWatts Power Consumption per Read Pas...
Resource Constraints <ul><li>With these constraints, modular math based public-key algorithms like RSA or ElGamal are much...
Hash Locks <ul><li>Rivest, Weis, Sarma, Engels (2003). </li></ul><ul><li>Access control mechanism:  </li></ul><ul><ul><li>...
Hash Lock Access Control Reader Tag metaID ← hash(key) Store ( key,metaID) metaID Store  metaID Locking a tag( metaID) Que...
Hash Lock Analysis <ul><li>+  Cheap to implement on tags:  </li></ul><ul><li>A hash function and storage for  metaID . </l...
Randomized Hash Lock Reader Tag: ID k Knows tag ID 1 ,…, ID n R,hash(R, ID k ) Query? Select random  R Unlocking a tag ID ...
Randomized Hash Lock Analysis <ul><li>+  Implementation requires hash and random number generator </li></ul><ul><ul><ul><l...
Blocker Tags <ul><li>Juels, Rivest, Szydlo (2003). </li></ul><ul><li>Consumer Privacy Protecting Device:  </li></ul><ul><u...
Other Work <ul><li>Efficient Implementations for RFID: </li></ul><ul><ul><li>Feldhofer, Dominikus, and Wolkerstorfer. </li...
RFID Policy <ul><li>Policy can address a lot of privacy issues. </li></ul><ul><li>RSA Security is proposing a “privacy bit...
Simson’s Bill of Rights <ul><li>The RFID Bill of Rights: </li></ul><ul><ul><li>The right to know whether products contain ...
A New Idea: Humans and Tags <ul><li>Tags are dumb. But so are people. </li></ul><ul><li>Hopper and Blum have human-oriente...
Simple trick: Defeating eavesdropping on forward link r m    r “ go ahead” wants to send m picks random r Appears in EPC ...
A first attempt at defeating eavesdropping and unauthorized tag-reading E k (r, ID) k k “ pseudonym” <ul><li>Problem: All ...
Take #2: Independently keyed tags r, F ki (r) Scans through all keys to decode k i “ pseudonym” <ul><li>Problem: Doesn’t s...
Private identification protocols <ul><li>Goal: a tag <-> reader protocol, providing: </li></ul><ul><li>Identification: Aut...
A beautiful method for private identification r, F k i (r), F k ij (r) k i , k ij pseudonym <ul><li>More scalable: O(√N) w...
The tree of secrets Tag    leaf of the tree. Each tag receives the keys on path from leaf to the root. Tag ij generates p...
Analysis: tree of secrets <ul><li>Generalizations: </li></ul><ul><li>Use any depth tree (e.g., lg N) </li></ul><ul><li>Use...
Reducing trust in readers r, F k i (r), F k ij (r) k i , k ij If readers are online, Trusted Center can do decoding for th...
Reducing trust: Delegation r, F k i (r), F k ij (r) k i , k ij For offline or partially disconnected readers, can delegate...
Time-limited delegation pseudonym ctr, k i , k ij Trusted Center ID ij , L, R {keys} Only good for decoding L-th through R...
k 0000 Enabling time-limited delegation Use GGM at lower levels: (k s0 , k s1 ) = G(k s ) Tag uses leaves sequentially Rea...
<ul><li>Identification systems: an exciting research area </li></ul><ul><ul><li>Privacy is central </li></ul></ul><ul><ul>...
Upcoming SlideShare
Loading in …5
×

RFID Security

1,132 views

Published on

Published in: Business, Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,132
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
189
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • `
  • RFID Adhesive Labels
  • Asymmetry result of passive tag vs. battery tag.
  • RFID Security

    1. 1. RFID Security and Privacy
    2. 2. References <ul><li>6.857: RFID Security and Privacy, Massachusetts Institute of Technology, Computer Science and Artificial Intelligence Laboratory, 6.857 Lecture, November 2 nd , 2004 </li></ul><ul><li>Privacy in pervasive computing What can technologists do?, David Wagner, U.C. Berkeley, In collaboration with David Molnar, Andrea Soppera, Ari Juels </li></ul>
    3. 3. Abstract and Outline <ul><li>Abstract: What is RFID, how does it affect security and privacy, and what can we do about it? </li></ul><ul><li>Outline </li></ul><ul><ul><li>RFID Introduction, History, and Applications </li></ul></ul><ul><ul><li>Security Threats and Adversarial Model </li></ul></ul><ul><ul><li>Countermeasures </li></ul></ul><ul><ul><li>Protocols for private identification </li></ul></ul><ul><ul><li>The challenge of scalability; trees of secrets </li></ul></ul>
    4. 4. The tide is turning... Pervasive computing is coming... It’s time to get serious about privacy.
    5. 5. What is RFID? <ul><li>R adio F requency Id entification: Identify physical objects through a radio interface. </li></ul><ul><li>Many different technologies called “RFID”. </li></ul><ul><li>Others types of auto-ID systems include: </li></ul><ul><ul><li>Optical barcodes </li></ul></ul><ul><ul><li>Radiological tracers </li></ul></ul><ul><ul><li>Chemical taggants </li></ul></ul>
    6. 6. RFID System Primer <ul><li>Three Main Components: </li></ul><ul><li>Tags, or transponders, affixed to objects and carry identifying data. </li></ul><ul><li>Readers , or transceivers , read or write tag data and interface with back-end databases. </li></ul><ul><li>Back-end databases correlate data stored on tags with physical objects. </li></ul>
    7. 7. RFID Adhesive Labels 4 cm
    8. 8. An RFID “Smart Shelf” Reader Any Shelf becomes a Smart Shelf by means of the    Flexible Panasonic Antenna System.
    9. 9. System Interface Reader 01.203D2A.916E8B.8719BAE03C Tag Database Reader Network Data Processing
    10. 10. RFID Advantages <ul><li>Non-line-of-sight nature </li></ul><ul><li>Dynamic memory : real-time addition of data without removing, changing or replacing tag </li></ul><ul><li>Tags can be read through substances </li></ul><ul><ul><li>Snow -Paint </li></ul></ul><ul><ul><li>Fog -Crusted grime </li></ul></ul><ul><ul><li>Ice </li></ul></ul>
    11. 11. RFID History <ul><li>Earliest Patent: John Logie Baird (1926) </li></ul><ul><li>“ Identify Friend or Foe” (IFF) systems developed by the British RAF to identify friendly aircraft. </li></ul><ul><li>Both sides secretly tracked their enemy’s IFF. </li></ul><ul><li>How do you identify yourself only to your friends? </li></ul>Don’t shoot! We’re British! Oh. We’re British too!
    12. 12. Digression #1: Related Military Applications <ul><li>IFF still used today for aircraft and missiles. Obviously classified. </li></ul><ul><li>Could envision an IFF system for soldiers. </li></ul><ul><li>Lots of military interest in pervasive networks of cheap, RFID-like sensors. </li></ul><ul><li>Monitoring pipelines, detecting biological agents, tracking munitions, etc. </li></ul>
    13. 13. Commercial Applications <ul><li>Early Applications: </li></ul><ul><ul><li>Tracking boxcars and shipping containers. </li></ul></ul><ul><ul><li>Cows: RFID ear tags. </li></ul></ul><ul><ul><li>Bulky, rugged, and expensive devices. </li></ul></ul><ul><li>The RFID Killer Application? </li></ul>
    14. 14. Supply-Chain Management (Not Gum) <ul><li>First Universal Product Code scanned was on a pack of Juicy Fruit gum in 1976. </li></ul><ul><li>Every day, over five billion barcodes are scanned around the world. </li></ul><ul><li>But barcodes are slow, need line of sight, physical alignment, and take up packaging “real estate”. </li></ul><ul><li>Over one billion RFID tags on the market. </li></ul><ul><li>Example: Gillette’s “shrinkage” problem. </li></ul>
    15. 15. <ul><li>Example applications: </li></ul><ul><li>Electronic passports </li></ul><ul><li>ID cards and badges </li></ul><ul><li>Proximity cards, building access control </li></ul><ul><li>Automatic payment systems (Fastrak, EZPass) </li></ul><ul><li>Item tagging & tracking, inventory management </li></ul><ul><li>Key technologies: </li></ul><ul><li>RFID </li></ul><ul><li>Contactless smart card </li></ul>Identification systems Challenge: privacy (and security) for ID systems
    16. 16. Modern RFID Applications <ul><li>Supply-Chain Management </li></ul><ul><ul><li>Inventory Control </li></ul></ul><ul><ul><li>Logistics </li></ul></ul><ul><ul><li>Retail Check-Out </li></ul></ul><ul><li>Access Control: MIT Proximity Cards. </li></ul><ul><li>Payment Systems: Mobil SpeedPass. </li></ul><ul><li>Medical Records: Pet tracking chips. </li></ul>
    17. 17. Prada's RFID Closet MIT Prox Card
    18. 19. Tag Power Source <ul><li>Passive: </li></ul><ul><ul><li>All power comes from a reader’s interrogation signal. </li></ul></ul><ul><ul><li>Tag’s are inactive unless a reader activates them. </li></ul></ul><ul><ul><li>Passive powering is the cheapest, but shortest range. </li></ul></ul><ul><li>Semi-Passive: </li></ul><ul><ul><li>Tags have an on-board power source (battery). </li></ul></ul><ul><ul><li>Cannot initiate communications, but can be sensors. </li></ul></ul><ul><ul><li>Longer read range, more cost for battery. </li></ul></ul><ul><li>Active: </li></ul><ul><ul><li>On-board power and can initiate communications. </li></ul></ul>
    19. 20. RFID tags are passive, powered by reader, carry identity Privacy issues: Unwanted tracking of people and items Introduction to RFID Power Identity Reader Tag
    20. 21. <ul><li>Tags might lack writable non-volatile memory </li></ul><ul><ul><li>Takes more energy to permanently write bits </li></ul></ul><ul><ul><li>Thus, state might only last as long as tag is powered </li></ul></ul><ul><li>Cryptography is expensive </li></ul><ul><ul><li>Public-key out of reach for all but priciest tags </li></ul></ul><ul><ul><li>AES within reach for mid-class tags? [Feldhofer] </li></ul></ul><ul><ul><li>Can’t take random number generation for granted </li></ul></ul><ul><li>Readers might not be network-connected </li></ul>RFID systems are resource-limited
    21. 22. Functionality Classes Ad Hoc Networking Active Read/Write Smart Dust 4 Environmental Sensors Semi-Passive Read/Write Sensor Tags 3 Data Logging Passive Read/Write Electronic Product Code 2 Identification Only Passive Read-Only Electronic Product Code 1 Article Surveillance Passive None Anti-Shoplift Tags 0 Features Power Source Memory Nickname Class
    22. 23. Operating Frequencies 3 meters 10-20 centimeters 10-20 centimeters Typical Range 10 meters 3 meters 3 meters Maximum Range? 868-956 MHz 13.56 MHz 120-140 KHz Frequency Range UHF HF LF Range Class
    23. 24. RFID Established Standards <ul><li>13.56 MHz </li></ul><ul><ul><li>ISO 15693 </li></ul></ul><ul><ul><li>ISO 14443 </li></ul></ul><ul><ul><li>e-commerce; lower power; shorter ranges </li></ul></ul><ul><li>120-140 kHz </li></ul><ul><ul><li>ISO 7810 </li></ul></ul>
    24. 25. RFID Technical Standards <ul><li>ISO 18000-1-Generic Parameters for Air Interface for Global Interface </li></ul><ul><li>ISO 18000-2-Parameters for Air Interface <135 kHz </li></ul><ul><li>ISO 18000-3-Parameters for Air Interface at 13.56 MHz </li></ul><ul><li>ISO 18000-4 -Parameters for Air Interface at 2.45 GHz </li></ul><ul><li>ISO 18000-5 -Parameters for Air Interface at 5.8 GHz </li></ul><ul><li>ISO 18000-6 -Parameters for Air Interface at 860-930 MHz* </li></ul><ul><li>ISO 18000-7 -Parameters for Air Interface at 433.92 MHz ** </li></ul><ul><ul><li>*Proposed Name Change-UHF </li></ul></ul><ul><ul><li>**In Development </li></ul></ul>ISO/IEC JTC 1/SC 31/WG 4/SG 3 RFID for Item Management Air Interface
    25. 26. Intended read range  Computation  ISO 14443 E-passports, ID cards US$5 ISO 15693 Library books US$0.50 EPC WalMart US$0.20 10cm 3DES, RSA sym.-key crypto no crypto 1m 3m RFID technologies vary widely
    26. 27. Frequencies RAILROAD CAR MONITORING TOLL COLLECTION SYSTEMS VEHICLE IDENTIFICATION LONG READ RANGE HIGH READING SPEED LINE OF SIGHT REQUIRED EXPENSIVE ULTRA-HIGH 2.4-5.8 GHZ ACCESS CONTROL SMART CARDS SHORT TO MEDIUM READ RANGE POTENTIALLY INEXPENSIVE MEDIUM READING SPEED HIGH 10-15MHz 850-950MHZ ACCESS CONTROL ANIMAL IDENTIFICATION INVENTORY CONTROL SHORT TO MEDIUM READ RANGE INEXPENSIVE LOW READ SPEED LOW 100-500 KHz TYPICAL APPLICATIONS CHARACTERISTICS FREQUENCY BAND
    27. 28. normal reader (10cm / 3m) malicious reader (50cm / 15m) eavesdrop on tag (???) Read range? eavesdrop on reader (50m / ???)
    28. 29. Asymmetric Channels Reader Tag Eavesdropper Forward Channel Range (~100m) Backward Channel Range (~5m)
    29. 30. Security Risks: Espionage <ul><li>Corporate Espionage: </li></ul><ul><ul><li>Identify Valuable Items to Steal </li></ul></ul><ul><ul><li>Monitor Changes in Inventory </li></ul></ul><ul><li>Personal Privacy </li></ul><ul><ul><li>Leaking of personal information (prescriptions, brand of underwear, etc.). </li></ul></ul><ul><ul><li>Location privacy: Tracking the physical location of individuals by their RFID tags. </li></ul></ul>
    30. 31. Espionage Case Study <ul><li>The US Food and Drug Administration (FDA) recently recommended tagging prescription drugs with RFID “pedigrees”. </li></ul><ul><li>Problems: </li></ul><ul><ul><li>“ I’m Oxycontin. Steal me.” </li></ul></ul><ul><ul><li>“ Bob’s Viagra sales are really up this month.” </li></ul></ul><ul><ul><li>“ Hi. I’m Alice’s anti-fungal cream.” </li></ul></ul>
    31. 32. Security Risks: Forgery <ul><li>RFID casino chips, Mobil SpeedPass, EZ-Pass, FasTrak, prox cards, €500 banknotes, designer clothing. </li></ul><ul><li>Skimming: Read your tag, make my own. </li></ul><ul><li>Swapping: Replace real tags with decoys. </li></ul><ul><li>Producing a basic RFID device is simple. </li></ul><ul><li>A hobbyist could probably spoof most RFID devices in a weekend for under $50. </li></ul>
    32. 33. Security Risks: Forgery <ul><li>Mandel, Roach, and Winstein @ MIT </li></ul><ul><li>Took a “couple weeks” and $30 to figure out how produce a proximity card emulator. </li></ul><ul><li>Can produce fake cards for a few dollars. </li></ul><ul><li>Can copy arbitrary data, including TechCash. </li></ul><ul><li>Could read cards from several feet . </li></ul><ul><li>(My card won’t open the door past a few inches.) </li></ul><ul><li>Broke Indala's FlexSecur “data encryption”. </li></ul><ul><li>(Just addition and bit shuffling. Doh.) </li></ul>
    33. 35. Security Risks: Sabotage <ul><li>If we can’t eavesdrop or forge valid tags, can simply attack the RFID infrastructure. </li></ul><ul><li>Wiping out inventory data. </li></ul><ul><li>Vandalization. </li></ul><ul><li>Interrupting supply chains. </li></ul><ul><li>Seeding fake tags – difficult to remove. </li></ul>
    34. 36. Adversarial Model <ul><li>Can classify adversaries by their access. </li></ul><ul><li>Three levels of read or write access: </li></ul><ul><ul><li>Physical: Direct access to physical bits. </li></ul></ul><ul><ul><li>Logical: Send or receive coherent messages. </li></ul></ul><ul><ul><li>Signal: Detect traffic or broadcast noise. </li></ul></ul><ul><li>Can further break down into Forward-only or Backward-only access. </li></ul>
    35. 37. Adversarial Model: Attacks <ul><li>Long-Range Passive Eavesdropper: </li></ul><ul><ul><li>Forward-Only Logical Read Access. </li></ul></ul><ul><ul><li>No Write Access. </li></ul></ul><ul><li>Tag Manufacture/Cloning: </li></ul><ul><ul><li>No Read Access/Physical Read Access. </li></ul></ul><ul><ul><li>Physical Write Access. </li></ul></ul><ul><li>Traffic Analysis: Signal Read Access. </li></ul><ul><li>Jamming: Signal Write Access. </li></ul>
    36. 38. Adversarial Model: Countermeasures <ul><li>Countermeasures will degrade an adversary’s access. For example: </li></ul><ul><li>Encryption degrades logical read access to signal read access. </li></ul><ul><li>Authentication degrades logical write to signal write access. </li></ul><ul><li>Tamper resistance can degrade physical read to logical read access. </li></ul>
    37. 39. Is it really that bad? <ul><li>Maybe Not. </li></ul><ul><li>Tags can only be read from a few meters.* </li></ul><ul><li>Will mostly be used in closed systems like warehouses or shipping terminals. </li></ul><ul><li>Can already track many consumer purchases through credit cards. </li></ul><ul><li>Difficult to read some tags near liquids or metals. </li></ul><ul><li>Can already track people by cell phones, wireless MAC addresses, CCTV cameras, etc. </li></ul>
    38. 40. But…the customer is always right. <ul><li>The public perception of a security risk, whether valid or not, could limit adoption and success. </li></ul><ul><li>Similar to Pentium III’s unique ID numbers. </li></ul><ul><li>Successful boycott of Benetton. </li></ul><ul><li>Privacy advocates have latched on: </li></ul><ul><ul><li>“… e-mails sent to the RFID Journal…hint at some of the concerns. ‘I'll grow a beard and f--k Gillette,’ wrote one reader”, Economist Magazine, June 2003. </li></ul></ul><ul><ul><li>“ Auto-ID: The worst thing that ever happened to consumer privacy”, CASPIAN website. </li></ul></ul>
    39. 41. Digression #2: RFID Public Relations <ul><li>The industry never misses a chance to shoot itself in the foot. </li></ul><ul><li>“ Track anything, anywhere”. </li></ul><ul><li>“ Wal-Mart Caught Conducting Secret Human Trials Using Alien Technology!” </li></ul><ul><li>Lesson: If you don’t want people to negatively spin your technology, don’t make their jobs easier. </li></ul>
    40. 42. Security Challenge <ul><li>Resources, resources, resources. </li></ul><ul><li>EPC tags ~ 5 cents. 1000 gates ~ 1 cent. </li></ul><ul><li>Main security challenges come from resource constraints. </li></ul><ul><li>Gate count, memory, storage, power, time, bandwidth, performance, die space, and physical size are all tightly constrained. </li></ul><ul><li>Pervasiveness also makes security hard. </li></ul>
    41. 43. Example Tag Specification Anti-Collision Support Random Number Generator Features 10 μWatts Power Consumption per Read Passively powered via RF signal. Tag Power Source 10,000 clock cycles. Cycles per Read 100 read operations per second. Read Performance 3 meters. Backward Range 100 meters. Forward Range UHF 868-956 MHz. Operating Frequency 200-2000 gate equivalents. Security Gate Budget 1000-10000 gates equivalents. Gate Count 32-128 bits of volatile read-write memory. Memory 128-512 bits of read-only storage. Storage
    42. 44. Resource Constraints <ul><li>With these constraints, modular math based public-key algorithms like RSA or ElGamal are much too expensive. </li></ul><ul><li>Alternative public-key cryptosystems like ECC, NTRU, or XTR are too expensive. </li></ul><ul><li>Symmetric encryption is also too costly. We can’t fit DES, AES, or SHA-1 in 2000 gates. </li></ul><ul><li>(Recent progress made with AES.) </li></ul>
    43. 45. Hash Locks <ul><li>Rivest, Weis, Sarma, Engels (2003). </li></ul><ul><li>Access control mechanism: </li></ul><ul><ul><li>Authenticates readers to tags. </li></ul></ul><ul><li>“ Only” requires OW hash function on tag. </li></ul><ul><li>Lock tags with a one-way hash output. </li></ul><ul><li>Unlock tags with the hash pre-image. </li></ul><ul><li>Old idea, new application. </li></ul>
    44. 46. Hash Lock Access Control Reader Tag metaID ← hash(key) Store ( key,metaID) metaID Store metaID Locking a tag( metaID) Querying a locked tag Unlocking a tag( Who are you?) key metaID = hash(key)? “ Hi, my name is..”
    45. 47. Hash Lock Analysis <ul><li>+ Cheap to implement on tags: </li></ul><ul><li>A hash function and storage for metaID . </li></ul><ul><li>+ Security based on hardness of hash. </li></ul><ul><li>+ Hash output has nice random properties. </li></ul><ul><li>+ Low key look-up overhead. </li></ul><ul><li>- Tags respond predictably; allows tracking. </li></ul><ul><li>Motivates randomization. </li></ul>
    46. 48. Randomized Hash Lock Reader Tag: ID k Knows tag ID 1 ,…, ID n R,hash(R, ID k ) Query? Select random R Unlocking a tag ID k Search hash(R, ID i )
    47. 49. Randomized Hash Lock Analysis <ul><li>+ Implementation requires hash and random number generator </li></ul><ul><ul><ul><li>Low-cost PRNG. </li></ul></ul></ul><ul><ul><ul><li>Physical randomness. </li></ul></ul></ul><ul><li>+ Randomized response prevents tracking. </li></ul><ul><li>- Inefficient brute force key look-up. </li></ul><ul><li>Hash is only guaranteed to be one-way. Might leak information about the ID. </li></ul><ul><li>(Essentially end up with a block cipher?) </li></ul>
    48. 50. Blocker Tags <ul><li>Juels, Rivest, Szydlo (2003). </li></ul><ul><li>Consumer Privacy Protecting Device: </li></ul><ul><ul><li>Hides your tag data from strangers. </li></ul></ul><ul><li>Users carry a “blocker tag” device. </li></ul><ul><li>Blocker tag injects itself into the tag’s anti-collision protocol. </li></ul><ul><li>Effectively spoofs non-existent tags. </li></ul><ul><li>(Only exists on paper.) </li></ul>
    49. 51. Other Work <ul><li>Efficient Implementations for RFID: </li></ul><ul><ul><li>Feldhofer, Dominikus, and Wolkerstorfer. </li></ul></ul><ul><ul><li>Gaubatz, Kaps, and Yüksel. </li></ul></ul><ul><li>Secure Protocols: </li></ul><ul><ul><li>Ari Juels. </li></ul></ul><ul><ul><li>Inoue and Yasuura </li></ul></ul><ul><ul><li>Gildas Avoine. </li></ul></ul><ul><li>Privacy Issues: </li></ul><ul><ul><li>Molnar and Wagner. </li></ul></ul><ul><ul><li>Henrici and Müller. </li></ul></ul>Limited Bibliography: crypto.csail.mit.edu/~sweis/rfid/
    50. 52. RFID Policy <ul><li>Policy can address a lot of privacy issues. </li></ul><ul><li>RSA Security is proposing a “privacy bit”: </li></ul><ul><ul><li>Sort of like a “do not disturb” sign. </li></ul></ul><ul><ul><li>Doesn’t stop someone from reading a tag. </li></ul></ul><ul><ul><li>More bits could encode various access policies </li></ul></ul><ul><li>Garfinkel has proposed an RFID Bill of Rights. </li></ul><ul><li>Other fair information practices proposed by EPIC, EFF, CASPIAN, etc. </li></ul>
    51. 53. Simson’s Bill of Rights <ul><li>The RFID Bill of Rights: </li></ul><ul><ul><li>The right to know whether products contain RFID tags. </li></ul></ul><ul><ul><li>The right to have RFID tags removed or deactivated when they purchase products. </li></ul></ul><ul><ul><li>The right to use RFID-enabled services without RFID tags. </li></ul></ul><ul><ul><li>The right to access an RFID tag’s stored data. </li></ul></ul><ul><ul><li>The right to know when, where and why the tags are being read. </li></ul></ul>
    52. 54. A New Idea: Humans and Tags <ul><li>Tags are dumb. But so are people. </li></ul><ul><li>Hopper and Blum have human-oriented identification protocols that you can do in your head. Linked off www.captcha.net. </li></ul><ul><li>Now adopting their protocol to RFID and securing it against stronger adversaries. </li></ul><ul><li>(Papers in progress.) </li></ul>
    53. 55. Simple trick: Defeating eavesdropping on forward link r m  r “ go ahead” wants to send m picks random r Appears in EPC Gen II standards.
    54. 56. A first attempt at defeating eavesdropping and unauthorized tag-reading E k (r, ID) k k “ pseudonym” <ul><li>Problem: All tags and readers share the same key k </li></ul><ul><li>If any tag is compromised, all security is lost </li></ul><ul><li>If any reader is compromised, all security is lost </li></ul><ul><li>Risk: Massive data spills. </li></ul>
    55. 57. Take #2: Independently keyed tags r, F ki (r) Scans through all keys to decode k i “ pseudonym” <ul><li>Problem: Doesn’t scale. </li></ul><ul><li>Takes O(N) work to decode each pseudonym </li></ul>(k 1 , ID 1 ) : (k N , ID N )
    56. 58. Private identification protocols <ul><li>Goal: a tag <-> reader protocol, providing: </li></ul><ul><li>Identification: Authorized reader learns tag’s identity </li></ul><ul><li>Privacy: Unauthorized readers learn nothing </li></ul><ul><ul><li>Attacker cannot even link two sightings of same tag </li></ul></ul><ul><li>Authentication: Tag identity cannot be spoofed </li></ul><ul><li>Scalability: Can be used with many tags </li></ul>A non-trivial technical challenge, with many possible applications.
    57. 59. A beautiful method for private identification r, F k i (r), F k ij (r) k i , k ij pseudonym <ul><li>More scalable: O(√N) work to decode each pseudonym </li></ul><ul><li>First, scan all k i to learn i </li></ul><ul><li>Then, scan all k ij to learn j and thus tag identity </li></ul>: (k i , i) : (i, k ij , ID ij ) : Decodes i, then j
    58. 60. The tree of secrets Tag  leaf of the tree. Each tag receives the keys on path from leaf to the root. Tag ij generates pseudonyms as (r, F k i (r), F k ij (r)). Reader can decode pseudonym using a depth-first search. k 0 k 00 k 01 k 1 k 10 k 11 k 0 k 00 k 01
    59. 61. Analysis: tree of secrets <ul><li>Generalizations: </li></ul><ul><li>Use any depth tree (e.g., lg N) </li></ul><ul><li>Use any branching factor (e.g., 2 10 ) </li></ul><ul><li>Use any other identification scheme (e.g., mutual auth) </li></ul><ul><li>Theory A concrete example </li></ul><ul><li>Number of tags: N 2 20 tags </li></ul><ul><li>Tag storage: O(lg N) 128 bits </li></ul><ul><li>Tag work: O(lg N) 2 PRF invocations </li></ul><ul><li>Communications: O(lg N) 138 bits </li></ul><ul><li>Reader work: O(lg N) 2  2 10 PRF invocations </li></ul><ul><li>Privacy degrades gracefully if tags are compromised </li></ul>
    60. 62. Reducing trust in readers r, F k i (r), F k ij (r) k i , k ij If readers are online, Trusted Center can do decoding for them, and enforce a privacy policy for each tag. No keys stored at reader => less chance of privacy spills. Trusted Center r, F k i (r), F k ij (r) ID ij Reader  (k ij , Policy ij ) 
    61. 63. Reducing trust: Delegation r, F k i (r), F k ij (r) k i , k ij For offline or partially disconnected readers, can delegate power to decode pseudonyms for a single tag to designated readers. Reader workload: O(D) per pseudonym, where D = # of tags delegated to this reader. Trusted Center ID ij k ij  (k ij , Policy ij )  k ij
    62. 64. Time-limited delegation pseudonym ctr, k i , k ij Trusted Center ID ij , L, R {keys} Only good for decoding L-th through R-th pseudonyms from tag ID ij Even less trust: Reader gets access to the next 100 pseudonyms from this tag (say), and nothing more.
    63. 65. k 0000 Enabling time-limited delegation Use GGM at lower levels: (k s0 , k s1 ) = G(k s ) Tag uses leaves sequentially Reader gets keys for a subset k 0 k 00 k 01 k 0 k 00 k 01 k 1 k 10 k 11 k 000 k 0001 k 0010 k 0011 k 001
    64. 66. <ul><li>Identification systems: an exciting research area </li></ul><ul><ul><li>Privacy is central </li></ul></ul><ul><ul><li>Many non-trivial technical challenges, many opportunities for clever solutions </li></ul></ul><ul><ul><li>There’s still time to have an impact on deployments </li></ul></ul><ul><li>Research question: Private identification protocols </li></ul><ul><ul><li>Tree schemes have useful properties </li></ul></ul><ul><ul><li>Can we do better? Can do without persistent state? </li></ul></ul><ul><li>Recent work: Controlling readers with Trusted Computing (to appear at WPES’05) </li></ul>Conclusions

    ×