slide 1 Author: Ari Juels


Published in: Business, Technology

  1. Author: Ari Juels. Presenter: Yuliya Kopylova. CSCE 790. RFID Security and Privacy
  2. Roadmap
     • Background
     • RFID Risks
     • Privacy: Simple Solutions
     • Privacy: More Involved Solutions
     • Authentication: Some Solutions
     • Conclusion
  3. What is RFID?
     • Radio-Frequency Identification Tag
     • [Figure labels: Chip, Antenna]
     • Sticker containing microchip and antenna
     • Gains power from wireless signal received from tag reader
     • Tag-reader communication with range of up to half a meter
     • Tag returns its unique number and static data
  4. How Does RFID System Work?
     • Management system
     • Communication protocol
     • Computer Networks
     • Tags (transponders): attached to objects, “call out” identifying data on a special radio frequency
     • Reader (transceiver): reads data off the tags without direct contact
     • Radio signal (contactless). Range: from 3-5 inches to 3 meters
     • Database: matches tag IDs to physical objects
     • [Figure labels: 02.3DFEX4.78AF51, EasyToll card #816]
     • Tags consist of an antenna and a microchip
     • Readers consist of a transmitter, receiver, 1+ antennas
  5. RFID Advantages
     • Barcode
        • Line-of-sight reading
           • Reader must be looking at the barcode
        • Specifies object type
           • E.g., “I am a pack of Juicy Fruit”
     • RFID
        • Reading by radio contact
           • Reader can be anywhere within range
        • Specifies unique object id
           • E.g., “I am a pack of Juicy Fruit #86715-A”
     • Fast, automated scanning (object doesn’t have to leave pocket, shelf or container)
     • Can look up this object in the database (provides pointer)
  6. RFID Tag Power Sources
     • Passive
        • Inactive until the reader’s interrogation signal “wakes” them up
        • Cheap, but short range only
     • Semi-passive
        • On-board battery, but cannot initiate communication
        • More expensive, longer range
     • Active
        • On-board battery, can initiate communication
  7. RFID Types
     • Inductive Coupling
     • Backscatter (radiative) Coupling
  8. Closer look
  9. RFID examples
     • Pervasive Devices
        • Low memory, few gates
        • Low power, no clock, little state
        • Low computational power
     • You may own a few.
     • Billions on the way.
  10. Current Applications
     • Public Transport and Ticketing
     • Access Control
     • Logistics
     • Animal identification
     • Anti-theft system
     • Real time measurements in sports
     • Inventory Control in supermarkets
     • Electronic payments
     • Industry automation
     • Medical
     • Banknotes, casino chips
  11. Futuristic Applications
     • “Smart” appliances
        • Refrigerators that automatically create shopping lists
        • Closets that tell you what clothes you have available, and search the Web for advice on current styles, etc.
        • Ovens that know how to cook pre-packaged food
     • “Smart” products
        • Clothing, appliances, CDs, etc. tagged for store returns
     • “Smart” paper
        • Airline tickets that indicate your location in the airport
        • Library books
        • Business cards
     • Recycling
        • Plastics that sort themselves
  12. RFID Risks
     • Mr. Jones pays with a credit card; his RFID tags now linked to his identity
     • Mr. Jones attends a political rally; law enforcement scans his RFID tags
     • Mr. Jones wins Turing Award; physically tracked by paparazzi via RFID
  13. Why RFID Risks Arise
     • Three technical aspects of today’s RFID tags create potential problems:
     • They are promiscuous
        • they talk to any compatible reader.
     • They are remotely readable:
        • they can be read at a distance through materials like cardboard, cloth, and plastic.
     • They are stealthy
        • not only are the tags inconspicuous, you don't know when they are transmitting information or to whom. In short, the personal information
  14. Risks: Privacy
     • Personal privacy
        • Clandestine inventory and tracking
           • Unsanctioned readers
        • Customer profiling
           • Tracking personal activities (e.g., purchase habits, travel)
        • Big brother
           • Illicit or inappropriate use of personal data
     • Data cross contamination
        • Inventory tags plus personal info
     • Corporate espionage
        • Track your competitor’s inventory
     • Military espionage
        • Harvesting RFID communication to make inferences
  15. Risks: Eavesdropping
     • Read ranges
        • nominal read range
           • max distance at which a normally operating reader can reliably scan tags
        • rogue scanning range
           • rogue reader can emit stronger signal and read tags from a larger distance than the nominal range
        • tag-to-reader eavesdropping range
           • read-range limitations result from the requirement that the reader powers the tag
           • however, one reader can power the tag, while another one can monitor its emission (eavesdrop)
        • reader-to-tag eavesdropping range
           • readers transmit at much higher power than tags
           • readers can be eavesdropped from much further away
           • readers may reveal tag-specific information
  16. Risks: Counterfeits
     • Comes down to authentication
     • How it can be accomplished
        • Replaying (RF “tape-recorder”)
        • Tag cloning
        • Back-engineering
     • A few examples from real life (easy to break)
        • Speed passes
        • Ignition keys
        • Physical coercion and attack
           • In 2005, a man in Malaysia had his fingertip cut off by thieves stealing his biometric-enabled Mercedes
           • What would happen if the VeriChip were used to access ATM machines and secure facilities?
        • Perhaps it is better then if tags can be cloned and are not used for authentication, only for identification
  17. RFID capabilities
     • Little power
        • Receives power from reader
        • Range a few meters
     • Little memory
        • Static 64-to-128-bit identifier
        • Hundreds of bits soon
     • Little computational power
        • A few thousand gates
        • No cryptographic functions available
        • Static keys for read/write permission
     • In terms of computational power can be divided into
        • BASIC tags
        • SYMMETRIC KEY tags
  18. Privacy protection approaches
     • standard tags
        • jamming
        • “kill” command
        • “sleep” command
        • Renaming
        • Blocking
     • crypto enabled tags
        • synchronization approach
        • hash chain based approach
        • tree-approach
  19. Easiest solution
     • Keep it close to your body
        • Liquids are not penetrable by microwave frequencies
     • Faraday cage
        • Container made of foil or metal mesh, impenetrable by radio signals of certain frequencies
        • Shoplifters are already known to use foil-lined bags
        • Maybe works for a wallet, but huge hassle in general
     • Active jamming
        • Disables all RFID, including legitimate applications
     • All kinds of the above protections can be purchased nowadays
        • protective sleeves for passports, wallets, IDs, etc.
  20. Dead tags tell no tales
     • Idea: permanently disable tags with a special “kill” command
        • part of the EPC specification
     • Advantages:
        • Simple and effective
     • Disadvantages:
        • eliminates all post-purchase benefits of RFID for the consumer and for society
        • no return of items without receipt
        • no smart household appliances
        • cannot be applied in some applications
           • library, e-passports, banknotes
     • Similar approaches:
        • put RFID tags into price tags or packaging which are removed and discarded
  21. Don’t kill the tag, put it to sleep
     • Idea: instead of killing the tag, put it in sleep mode
        • tag can be re-activated if needed
     • Advantages:
        • Simple
        • Effective
     • Disadvantages:
        • difficult to manage in practice
        • tag re-activation must be password protected
        • how will consumers manage hundreds of passwords for their tags?
        • passwords can be printed on tags, but then they need to be scanned optically or typed in by the consumer
  22. Partial destruction
     • Renaming
        • In simplest case renaming to gibberish
        • No intrinsic meaning
        • Still can be tracked
           • Backscatter from antennas
           • Hypothesize manufacturer type may be learnable
           • Do tags possess uniquely detectable RF fingerprints? (Device signatures a staple of electronic warfare)
     • Relabelings
        • Retain only product ID for later use
        • Destroy unique ID at the time of purchase
     • Splitting identifiers across two tags
        • Peel off one at time of purchase
  23. Distance Measuring
     • Signal-to-noise ratio of the reader signal in an RFID system provides a rough metric of the distance between a reader and a tag.
     • With some additional, low-cost circuitry a tag might achieve rough measurement of the distance of an interrogating reader.
     • Distance can serve as a metric for trust.
        • Release general information (“I am attached to a bottle of water”) when scanned at a distance
        • Release more specific information (ID), only at close range.
  24. Proxying
     • Proxying
        • Consumers carry their own privacy-enforcing devices (higher-powered intermediaries like mobile phones)
        • Watch dog
           • Observer observing the observer: monitor if someone scans you
           • Selectively jams tag replies as needed
        • RFID guardian
           • Talk to the guardian first
           • Communication is released through a fortified intermediate
  25. Proxying
     • Problems
        • Change of ownership: how to release control
        • Impersonating the guardian itself
        • Cannot suppress tag replies entirely, only jam
        • Cannot suppress reader commands
     • [Figure caption: “Please show reader certificate and privileges”]
  26. Renaming
     • Idea: avoid using real IDs, change identifiers across the reads
        • get rid of fixed names (identifiers). Pseudonyms stored on tag (limited storage, i.e. 10 or so), tag cycles through pseudonyms
        • use random pseudonyms and change them frequently
     • Requirements:
        • only authorized readers should be able to determine the real identifier behind a pseudonym
        • standard tags cannot perform computations -> next pseudonym to be used must be set by an authorized reader
     • A possible implementation
        • pseudonym = {R|ID}_K
           • R is a random number
           • K is a key shared by all authorized readers
        • authorized readers can decrypt pseudonyms and determine real ID
        • authorized readers can generate new pseudonyms
        • for unauthorized readers, pseudonyms look like random bit strings
     • Potential problems
        • tracking is still possible between two renaming operations
        • if someone can eavesdrop during the renaming operation, then she may be able to link the new pseudonym to the old one
        • no reader authentication -> rogue reader can overwrite pseudonyms in tags (tags will be erroneously identified by authorized readers)
  27. Example of RNG
     • The voltage signal is amplified, disturbed, stretched, and sampled, resulting in random bits.
     • [Figure labels: V, Random Bits, No Connect]
  28. Renaming (re-encryption)
     • A public key based implementation:
        • El Gamal scheme:
           • Inputs are ciphertexts
           • Outputs are a re-encryption of the inputs.
           • Anyone can encrypt without the public key E
           • Those who know the secret key D can also decrypt messages encrypted with different keys are indistinguishable
  29. Renaming (re-encryption)
     • El Gamal Encryption Parameters
        • Public parameters:
           • q is a prime
           • p = 2 k q+1 is a prime
           • g generator of G_p, i.e. efficient description of a cyclic group of order q with generator g (I know only one generator which is relatively prime)
        • Secret key of RFID tag: x (where 0 < x < q)
        • Public key of RFID tag: y = g^x mod p
     • Encryption for message (plaintext) m
        • Pick a number k randomly from [0…q-1]
        • Compute a = y^k · m mod p and b = g^k mod p
        • Output (a, b)
  30. Renaming (re-encryption)
     • Decryption
        • Compute m as a / b^x (= y^k · m / (g^k)^x = g^(xk) · m / g^(kx) = m)
     • One can re-encrypt a ciphertext (a, b) without decryption:
        • Input: a ciphertext (a, b) and public key y
        • Pick a number α randomly from [0…q-1]
        • Compute a′ = y^α · a mod p and b′ = g^α · b mod p
        • Output (a′, b′)
     • Same decryption technique
        • Compute m as a′ / b′^x (= y^k · y^α · m / (g^k · g^α)^x = g^(x(k+α)) · m / g^(x(k+α)) = m)
     • Properties:
        • new tag pseudonyms can be computed by readers that know the public key
        • real tag ID can be computed only by readers that know the private key
        • Semantic security: cannot distinguish between C = E_PK,r[Alice] and C′ = E_PK,r′[Bob]
           • An attacker who intercepts C and C′ cannot tell if they come from the same chip, that is, the attacker cannot identify or track Alice
  31. Blocking
     • When the reader sends a signal, more than one RFID tag may respond: this is a collision
        • In a typical commercial application, such as scanning a bag of groceries, potentially hundreds of tags might be within range of the reader.
     • Reader must engage in a special singulation protocol to talk to each tag separately
        • Singulation is used by an RFID reader only when necessary to identify a specific tag (and its ID) from a number of tags in the field
     • Tree-walking is a common singulation method
        • Used by 915 MHz tags, the most common type in the U.S.
        • Slotted aloha is used for LF tags
  32. Anti-collision
     • "Tree Walking"
     • Recursive depth-first search
     • Requirement: Reader is able to detect bit position of a collision
     • Example: 1 Reader, 3 Transponder, 3-bit ID
     • Synchronized by reader
     • Example: 1 Reader, 5 Tags, 8-bit ID
  33. Tree Walking
     • [Diagram: binary tree over the 3-bit IDs 000 to 111; internal nodes labeled prefix=0, prefix=1, prefix=00, prefix=01, prefix=10, prefix=11]
     • Every tag has a k-bit identifier
     • Reader broadcasts current prefix
     • Each tag with this prefix responds with its next bit
     • If responses don’t collide, reader adds 1 bit to current prefix, otherwise tries both possibilities
     • This takes O(k × number of tags)
  34. Tree-Walking
     • “Tree-walking” protocol for identifying tags recursively asks question:
        • “What is your next bit?”
        • Something along the lines of: “Will all tags with 1 as their first digit raise their hand”. “Will all tags with 1 as their first digit, and 0 as their second....”
     • Blocker tag always says both ‘0’ and ‘1’!
        • Makes it seem like all possible tags are present by making an RFID tag misbehave, and answers yes to every question.
  35. Blocker Tag
     • A form of jamming: broadcast both “0” and “1” in response to any request from an RFID reader
        • Guarantees collision no matter what tags are present
        • To talk to a tag, reader must traverse every tree path
           • With 128-bit IDs, reader must try 2^128 values – infeasible!
     • To prevent illegitimate blocking, make blocker tag selective (block only certain ID ranges)
     • Blocker tag can be selective:
  36. Blocker Tag
     • privacy zone
        • tree is divided into two zones
        • privacy zone: all IDs starting with 1
        • upon purchase of a product, its tag is transferred into the privacy zone by setting the leading bit
     • the blocker tag
        • when the prefix in the reader’s query starts with 1, it simulates a collision
        • when the blocker tag is not present, everything works normally
     • Alternative: polite blocking (notify the reader)
  37. Hash Locks
     • Locked tag transmits only metaID
     • Similar to the proximity approach
     • Unlocked tag can do all operations
     • Locking mechanism:
        • Reader R selects a nonce and computes metaID = hash(key)
        • R writes metaID to tag T
        • T enters locked state
        • R stores the pair (metaID, key).
     • Unlocking
        • Reader R queries tag T for its metaID
        • R looks up (metaID, key)
        • R sends key to T
        • If (hash(key) == metaID), T unlocks itself
  38. Hash locks
     • Cheap to implement on tags:
        • A hash function and storage for metaID.
     • Security based on hardness of hash.
     • Hash output has nice random properties.
     • Low key look-up overhead.
     • Tags respond predictably; allows tracking.
        • Motivates randomization.
     • Requires reader to know all keys
  39. Randomized Hash Locks
     • Goal: authenticate reader to the RFID tag
     • Reader stores all IDs: ID_1, …, ID_n
     • RFID tag stores its own ID_k
     • Reader to tag: “Who are you?”
     • Tag: generate random R
     • Tag to reader: R, hash(R, ID_k)
     • Reader: compute hash(R, ID_i) for every known ID_i and compare
     • Reader to tag: “You must be ID_k”
  40. Randomized Hash Locks
     • Tag must store hash implementation and pseudo-random number generator
        • Low-cost RNGs exist; can use physical randomness
     • Secure against tracking because tag response is different each time
     • Reader must perform brute-force ID search
        • Effectively, reader must stage a mini-dictionary attack to unlock the tag
     • Alternative: better searching
        • Tree approach
        • Synchronization approach
  41. Avoiding brute force synch
     • operation of tag:
        • state is s_i
        • when queried, the tag responds with the current pseudonym p_i = G(s_i) and computes its new state s_(i+1) = H(s_i)
     • operation of the reader:
        • reader must approximately know the current counter value of each tag
        • for each tag, it maintains a table with the most likely current counters and corresponding pseudonyms
        • when a tag responds with a pseudonym p, it finds p in any of its tables, identifies the tag, and updates the table corresponding to the tag
        • one-wayness of the hash ensures that current counter value cannot be computed from observed pseudonym
     • c is a counter, H and G are one-way hash functions
     • reader maintains synchronized state with tags
  42. Avoiding brute force (tree of secrets)
     • Tag == leaf of the tree.
     • Each tag receives the keys on path from leaf to the root.
     • Tag_ij generates pseudonyms as (Key_1(r), Key_2(r), …, F_k_ij(r)).
     • Reader can decode pseudonym using a depth-first search.
     • In the worst case, the reader searches through d·b keys, where d is the depth of the tree, and b is the branching factor
        • compare this to b^d, which is the total number of tags
  43. Authentication Workarounds
     • No explicit counterfeiting measures whatsoever
     • Possible solutions:
        • Repurpose the kill function for limited counterfeit
        • Yoking
           • cryptographic proof that two tags have been scanned simultaneously and evidence (although not proof) that the tags were scanned in physical proximity to one another.
           • Usable only in certain circumstances (pharmacy, aircraft safety)
        • Physical markers
           • Similar to explosive markers
           • Special dyes and packaging
  44. HB Protocol
     • Created by Nicholas Hopper and Manuel Blum as a tool for secure authentication and identification of unassisted humans to computers.
     • Juels and Weis realized that this protocol was actually a natural protocol for the authentication of RFID tags to readers.
     • The security of the HB Protocol is based on the underlying hardness of the Learning Parity with Noise (LPN) problem.
  45. HB Protocol
     • Definitions
     • The secret x is a k length binary string (tag ID).
        • The tag needs to prove to the reader that it knows one of the S's on the reader's list of acceptable secrets.
        • The tag only has one secret, but the reader generally has many.
     • A query q is also a k length binary string.
        • Produced by the reader.
        • One query is produced for each iteration of the protocol
     • Epsilon is a probability, ranging from 0 to ½, that the response calculated by the tag will be flipped
        • if the correct response was 1, the tag will send back 0, and vice versa.
     • Nu equals 1 with probability epsilon.
     • Delta is an error factor,
        • ranges from 0 to ½
        • defines how close the tag's actual flipping of responses must be to epsilon in order to be accepted.
  46. Crypto RFID: authentication (HB Protocol)
     • Goal: authenticate RFID tag to the reader
     • Reader knows secret x; parameter ε
     • RFID tag knows secret x; parameter ε
     • Repeat r times:
        • Reader to tag: k-bit random value a
        • Tag: generate random ν: 1 with prob. ε, else 0
        • Tag to reader: (a · x) ⊕ ν
        • Response correct if it is equal to (a · x); ε chance that response is incorrect
     • RFID tag is authenticated if fewer than εr responses are incorrect
  47. Crypto RFID: authentication (HB+ Protocol)
     • Goal: authenticate RFID tag to the reader
     • Reader knows secrets x, y; parameter ε
     • RFID tag knows secrets x, y; parameter ε
     • Repeat r times:
        • Tag to reader: blinding value b
        • Reader to tag: k-bit random value a
        • Tag: generate random ν: 1 with prob. ε, else 0
        • Tag to reader: (a · x) ⊕ (b · y) ⊕ ν
        • Response correct if it is equal to (a · x) ⊕ (b · y)
     • RFID tag is authenticated if fewer than εr responses are incorrect
  48. Wrapping it up
     • Some basic trends are apparent:
        • Pressure to build smaller, cheaper tags without cryptography
           • reverse-engineering a cheap RFID tag unlikely to be hard…
        • Urgent need for cheaper hardware for primitives
        • “Security through obscurity” doesn’t work
     • Simple static identifiers are the most naïve
        • How about encrypting ID?
        • How about creating new static identifiers, i.e., “meta-ID”
        • How about a law-enforcement access key?
           • Tag-specific keys require initial release of identity
           • Universal keys subject to interception
     • Special properties:
        • RFID tags are close and personal, giving privacy a special dimension
        • RFID tags change ownership frequently
        • Key management will be a major problem
           • Think for a moment after this talk about distribution of kill passwords…
           • Are there good hardware approaches to key distribution, e.g., proximity as measure of trust
     • Some privacy is clearly better than for naive approaches
  49. Future Work
     • Authentication algorithms with human protocols
     • New and emerging problems
     • Tag identification with delegation, ownership transfer
     • Efficient cloning-resistant identification algorithms
     • Find New and Improve Existing Algorithms
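
Added example (not part of the original slides): the El Gamal renaming scheme of slides 28 to 30, showing that a reader holding only the public key y can rewrite a tag's pseudonym while only the holder of x recovers the ID. The toy group (q = 1019, p = 2q + 1, g = 4), the `encode`/`decode` mapping of IDs into the subgroup, the tag ID 777 and the name `alpha` for the re-encryption randomness are assumptions made here.

```python
import secrets

# Constructed toy group, far too small for real use: q and p = 2q + 1 are both
# prime, and g = 4 is a square mod p, so it generates the subgroup of order q.
Q = 1019
P = 2 * Q + 1  # 2039
G = 4


def keygen():
    """Return (x, y): secret key 0 < x < q and public key y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encode(tag_id):
    """Map an ID in 1..q into the order-q subgroup. Since p = 3 (mod 4), exactly
    one of tag_id and p - tag_id is a square (Euler's criterion)."""
    if not 1 <= tag_id <= Q:
        raise ValueError("tag ID out of range for this toy group")
    return tag_id if pow(tag_id, Q, P) == 1 else P - tag_id


def decode(m):
    """Inverse of encode()."""
    return m if m <= Q else P - m


def encrypt(y, m, k=None):
    """Slide 29: a = y^k * m mod p, b = g^k mod p. k is fixed only in tests."""
    k = secrets.randbelow(Q) if k is None else k
    return (pow(y, k, P) * m % P, pow(G, k, P))


def reencrypt(y, ct, alpha=None):
    """Slide 30: a' = y^alpha * a, b' = g^alpha * b. Needs only the public key."""
    a, b = ct
    alpha = secrets.randbelow(Q) if alpha is None else alpha
    return (pow(y, alpha, P) * a % P, pow(G, alpha, P) * b % P)


def decrypt(x, ct):
    """m = a / b^x mod p; works unchanged on re-encrypted ciphertexts."""
    a, b = ct
    return a * pow(b, -x, P) % P


def relabel_demo(tag_id=777, rounds=4):
    """Rewrite one tag's pseudonym several times; return what an eavesdropper
    sees (the pseudonyms) and what the key holder recovers (the IDs)."""
    x, y = keygen()
    pseudonym = encrypt(y, encode(tag_id))
    seen = [pseudonym]
    for _ in range(rounds):
        pseudonym = reencrypt(y, pseudonym)  # done by any authorized reader
        seen.append(pseudonym)
    return seen, [decode(decrypt(x, ct)) for ct in seen]


if __name__ == "__main__":
    pseudonyms, ids = relabel_demo()
    for ct, recovered in zip(pseudonyms, ids):
        print(f"pseudonym on tag: {ct}  ->  key holder recovers ID {recovered}")
```

Between two rewrites the pseudonym is static, so the tracking window named on slide 26 still applies to this scheme.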
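
Added example (not part of the original slides): a simulation of the tree-walking singulation of slides 31 to 34 with the selective blocker tag of slides 35 and 36, counting reader queries with and without the blocker. The 8-bit and 64-bit tag IDs, the function names and the query budget are constructed for illustration.

```python
def tree_walk(k, respond, budget=None):
    """Depth-first singulation over k-bit IDs. respond(prefix) returns the set
    of next bits the reader hears. Returns (ids_found, queries, completed)."""
    found, queries, stack = [], 0, [""]
    while stack:
        prefix = stack.pop()
        if len(prefix) == k:
            found.append(prefix)
            continue
        if budget is not None and queries >= budget:
            return found, queries, False
        queries += 1
        # Two different bits heard means a collision: both branches are explored.
        for bit in sorted(respond(prefix), reverse=True):
            stack.append(prefix + bit)
    return found, queries, True


def make_field(tag_ids, blocker_zone=None):
    """Model the RF field: real tags answer with their next bit; a selective
    blocker answers both bits for any prefix inside its zone."""
    def respond(prefix):
        bits = {t[len(prefix)] for t in tag_ids if t.startswith(prefix)}
        if blocker_zone is not None and prefix.startswith(blocker_zone):
            bits |= {"0", "1"}
        return bits
    return respond


def privatize(tag_id):
    """Slide 36: at purchase, move the tag into the privacy zone (leading bit 1)."""
    return "1" + tag_id[1:]


# Constructed sample field: two items still on the shelf, two already purchased.
SHELF = ["00010111", "01100101"]
BOUGHT = [privatize("00101100"), privatize("01011010")]
# Constructed 64-bit purchased tag, to show the effect of longer IDs.
TAG64 = "11" + "01" * 31


def compare():
    """Query counts for the 8-bit field, without and with the blocker."""
    plain = tree_walk(8, make_field(SHELF + BOUGHT))
    blocked = tree_walk(8, make_field(SHELF + BOUGHT, blocker_zone="1"))
    return plain, blocked


if __name__ == "__main__":
    plain, blocked = compare()
    print("no blocker :", len(plain[0]), "IDs in", plain[1], "queries")
    print("blocker '1':", len(blocked[0]), "IDs in", blocked[1], "queries")
    found, queries, done = tree_walk(64, make_field([TAG64], "1"), budget=10_000)
    print("64-bit zone:", queries, "queries, finished:", done,
          "real tag isolated:", TAG64 in found)
```

With the blocker present the reader still reads shelf items normally, but every ID in the privacy zone appears occupied, so the purchased tags cannot be told apart from simulated ones.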
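
Added example (not part of the original slides): the synchronization approach of slide 41, with a tag that steps a hash chain on every query and a reader that keeps a look-ahead table per tag. Using SHA-256 with a one-byte prefix for H and G, the 8-byte pseudonym length, the window size and the tag name are assumptions made here; the last step shows the desynchronization limit a deployment has to plan for.

```python
import hashlib


def H(state):
    """State update: s_(i+1) = H(s_i)."""
    return hashlib.sha256(b"H" + state).digest()


def G(state):
    """Pseudonym: p_i = G(s_i), truncated to 8 bytes for readability."""
    return hashlib.sha256(b"G" + state).digest()[:8]


class Tag:
    def __init__(self, seed):
        self.state = seed

    def query(self):
        """Answer any reader (tags are promiscuous) and advance the chain."""
        pseudonym = G(self.state)
        self.state = H(self.state)
        return pseudonym


class Reader:
    def __init__(self, seeds, window=5):
        self.window = window
        self.expected = dict(seeds)   # tag name -> state the reader expects next
        self.table = {}               # pseudonym -> (tag name, state after it)
        for name in self.expected:
            self._refresh(name)

    def _refresh(self, name):
        """Recompute the next `window` pseudonyms for one tag."""
        self.table = {p: v for p, v in self.table.items() if v[0] != name}
        state = self.expected[name]
        for _ in range(self.window):
            self.table[G(state)] = (name, H(state))
            state = H(state)

    def identify(self, pseudonym):
        """Table lookup instead of a brute-force search over all IDs."""
        hit = self.table.get(pseudonym)
        if hit is None:
            return None               # unknown tag, or tag outside the window
        name, next_state = hit
        self.expected[name] = next_state
        self._refresh(name)
        return name


def demo():
    seed = hashlib.sha256(b"constructed seed for pallet-17").digest()
    tag, reader = Tag(seed), Reader({"pallet-17": seed}, window=5)
    results = [reader.identify(tag.query())]          # normal read
    for _ in range(3):                                # 3 reads by other readers
        tag.query()
    results.append(reader.identify(tag.query()))      # still inside the window
    for _ in range(5):                                # 5 more foreign reads
        tag.query()
    results.append(reader.identify(tag.query()))      # window exceeded
    return results


if __name__ == "__main__":
    print(demo())
```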
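
Added example (not part of the original slides): a simulation of the HB rounds of slides 44 to 46, run against a genuine tag and against a tag holding a different secret. The acceptance rule follows slide 45's description of delta (observed error rate within delta of epsilon); the parameter values k = 32, r = 1000, epsilon = 0.125, delta = 0.1 and all names are assumptions made here.

```python
import random


def dot(a, x):
    """Inner product of two k-bit strings over GF(2), with bits packed in ints."""
    return bin(a & x).count("1") & 1


class HBTag:
    def __init__(self, secret, eps, rng):
        self.secret, self.eps, self.rng = secret, eps, rng

    def respond(self, a):
        """Return (a . x) XOR nu, where nu is 1 with probability eps."""
        nu = 1 if self.rng.random() < self.eps else 0
        return dot(a, self.secret) ^ nu


def hb_authenticate(tag, secret, k, r, eps, delta, rng):
    """Reader side: r rounds, each with a fresh k-bit challenge a. Returns
    (accepted, wrong), where wrong counts responses that differ from a . x."""
    wrong = 0
    for _ in range(r):
        a = rng.getrandbits(k)
        if tag.respond(a) != dot(a, secret):
            wrong += 1
    # Slide 45: accept when the observed flip rate is within delta of eps.
    return abs(wrong / r - eps) <= delta, wrong


def demo(seed=2024, k=32, r=1000, eps=0.125, delta=0.1):
    rng = random.Random(seed)             # seeded only to make the run repeatable
    x = rng.getrandbits(k) | 1            # constructed secret shared with the tag
    genuine = HBTag(x, eps, rng)
    impostor = HBTag(x ^ 0b1011, eps, rng)  # differs from x in three bit positions
    return (hb_authenticate(genuine, x, k, r, eps, delta, rng),
            hb_authenticate(impostor, x, k, r, eps, delta, rng))


if __name__ == "__main__":
    (ok_g, wrong_g), (ok_i, wrong_i) = demo()
    print(f"genuine tag : accepted={ok_g}, wrong responses={wrong_g}/1000")
    print(f"impostor tag: accepted={ok_i}, wrong responses={wrong_i}/1000")
```

A tag with the wrong secret is wrong about half the time regardless of noise, which is what separates it from the genuine tag's error rate near epsilon.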