RFID Privacy Without Killing

2,631 views

Published on

Presentation by Ravi Pappu on RFID Privacy Without Killing (ravi.pappu@thingmagic.com)

Published in: Education, Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
2,631
On SlideShare
0
From Embeds
0
Number of Embeds
55
Actions
Shares
0
Downloads
0
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

RFID Privacy Without Killing

  1. 1. RFID Privacy Without Killing Ravi Pappu Co-Founder ThingMagic Inc. Joint work with Ari Juels (RSA, CUSP) and Bryan Parno (CMU) 1 © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
  2. 2. Key messages • Tiny Secret Sharing (TSS) enables consumer privacy now ‣ No heroic measures required ‣ No dependence on any particular standard fully standards compliant • Consumer privacy is achieved by exploiting the natural movement of tagged products through the supply chain ‣ Privacy through dispersion and history erasure © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 2
  3. 3. Summary • Tiny Secret Sharing (TSS) enables RFID privacy without killing • Encryption key length is a free-variable - security can be tailored. • TSS is protocol-independent, and completely local - no network required. • It scales to item-level tagging • The only resources needed are tag memory and some computing power at reader • TSS allows use of standard cryptographic mechanisms for encryption, hashing • TSS fits naturally in many supply-chain scenarios where we have less than 100% reads and where stray tags or counterfeits are present. • TSS solves key-management problem - enables privacy and write/lock PIN distribution. © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 3
  4. 4. Threat Contexts © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 4
  5. 5. Object Hierarchies Physically secured areas Open areas 90 cases with 90 cases with 10 cases with Between 72 and Typically less than 72 items each 72 items each 72 items each 144 items 10 items 1. Factory 2. Distribution 3. De- & Re-Palletization 4. Backroom of 5. Store 6. Individual Center and transportation retail store shelf consumers TIME © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 5
  6. 6. Object Hierarchies Physically secured areas Open areas 90 cases with 90 cases with 10 cases with Between 72 and Typically less than 72 items each 72 items each 72 items each 144 items 10 items 1. Factory 2. Distribution 3. De- & Re-Palletization 4. Backroom of 5. Store 6. Individual Center and transportation retail store shelf consumers TIME Razor blades 6571 730 144 5 DVDs 5040 2520 400 24 Pharma. 7200 1920 150 6 Source: EPCGlobal Item Level JRG © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 5
  7. 7. Object Hierarchies Physically secured areas Open areas 90 cases with 90 cases with 10 cases with Between 72 and Typically less than 72 items each 72 items each 72 items each 144 items 10 items 1. Factory 2. Distribution 3. De- & Re-Palletization 4. Backroom of 5. Store 6. Individual Center and transportation retail store shelf consumers TIME © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 6
  8. 8. Object Hierarchies Physically secured areas Open areas 90 cases with 90 cases with 10 cases with Between 72 and Typically less than 72 items each 72 items each 72 items each 144 items 10 items 1. Factory 2. Distribution 3. De- & Re-Palletization 4. Backroom of 5. Store 6. Individual Center and transportation retail store shelf consumers TIME Tags start out in large collections which become smaller over time. © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 6
  9. 9. Object Hierarchies Physically secured areas Open areas 90 cases with 90 cases with 10 cases with Between 72 and Typically less than 72 items each 72 items each 72 items each 144 items 10 items 1. Factory 2. Distribution 3. De- & Re-Palletization 4. Backroom of 5. Store 6. Individual Center and transportation retail store shelf consumers TIME Tags start out in large collections which become smaller over time. Larger collections of tags are typically located in secure areas. © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 6
  10. 10. Object Hierarchies Physically secured areas Open areas 90 cases with 90 cases with 10 cases with Between 72 and Typically less than 72 items each 72 items each 72 items each 144 items 10 items 1. Factory 2. Distribution 3. De- & Re-Palletization 4. Backroom of 5. Store 6. Individual Center and transportation retail store shelf consumers TIME Tags start out in large collections which become smaller over time. Larger collections of tags are typically located in secure areas. Shared context from earlier times is not available at later times to adversary. © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 6
  11. 11. Key question • Can we exploit the three observations to provide strong privacy in RFID-enabled supply chains? • Yes! In order to do so, we turn to a cryptographic method called secret sharing. © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 7
  12. 12. Secret Sharing © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 8
  13. 13. Secret Sharing Secret © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 8
  14. 14. Secret Sharing Shares Secret © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 8
  15. 15. Secret Sharing Shares Secret In practice, secrets are shared by evaluating polynomials over finite fields. © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 8
  16. 16. (n, n) secret sharing Shares Secret All n shares required to recover secret No information revealed if fewer than n shares available Developed independently by shamir and Blakely in 1974. © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 9
  17. 17. (n, n) secret sharing Secret All n shares required to recover secret No information revealed if fewer than n shares available Developed independently by shamir and Blakely in 1974. © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 9
  18. 18. (k, n) secret sharing Shares Secret Any k out of n shares are sufficient to recover secret. No information revealed if fewer than k shares are available. © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 10
  19. 19. (k, n) secret sharing Secret Any k out of n shares are sufficient to recover secret. No information revealed if fewer than k shares are available. © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 10
  20. 20. (k, n) secret sharing Shares Secret Any k out of n shares are sufficient to recover secret. No information revealed if fewer than k shares are available. © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 11
  21. 21. (k, n) secret sharing Secret Any k out of n shares are sufficient to recover secret. No information revealed if fewer than k shares are available. © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 11
  22. 22. Our approach © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 12
  23. 23. Our approach Pallet of n t1 t2 t3 t4 . . tn-3 tn-2 tn-1 tn © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 12
  24. 24. Our approach Pallet of n Pallet of n t1 E(K, t1) s1 t2 E(K, t2) s2 t3 E(K, t3) s3 t4 E(K, t4) s4 . . . . tn-3 E(K, tn-3) sn-3 tn-2 E(K, tn-2) sn-2 tn-1 E(K, tn-1) sn-1 tn E(K, tn) sn Encrypt all tags using a pallet-specific secret key K. Append a share of the secret to each tag. © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 12
  25. 25. System level challenges Need to decide encryption method, key size, sharing/recovery algorithm, share size © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 13
  26. 26. System level challenges s1 s2 s3 s4 K (k, n) sharing key length sn-3 sn-2 sn-1 sn Need to decide encryption method, key size, sharing/recovery algorithm, share size © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 13
  27. 27. System level challenges s1 s2 s3 s4 K (k, n) sharing key length sn-3 sn-2 sn-1 sn Need to decide encryption method, key size, sharing/recovery algorithm, share size © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 13
  28. 28. System level challenges s1 s2 s3 s4 K (k, n) sharing key length sn-3 sn-2 sn-1 sn E(K, tn) sn encryption method share size Need to decide encryption method, key size, sharing/recovery algorithm, share size © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 13
  29. 29. Practical requirements • Share size has to be tiny, because tag memory is at a premium ‣ Krawczyk (1994) focused on short shares, but even these are 128 bits long. ‣ Current memory capacity on EPC Gen2 tags is 96 bits Tiny Secret Sharing • Sharing and recovery algorithms have to be computationally efficient. • System should be robust against ‣ changes in the order of tag reading i.e. permutation invariance ‣ sub-100% read rates ‣ stray reads (or counterfeits) © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 14
  30. 30. Mercury5 read performance Improved read performance stray reads from adjacent dock door These are errors sub-100% reads These are erasures ■ Peanut Butter (70 Tag Pallet) ■ Cooking Oil (40 Tag Pallet) © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
  31. 31. Reed-Solomon Codes • (n, k, d) codes over GF (2m ) • Total number of symbols = number of tags = n • Symbols required to recover message = threshold number of tags = k • Code can detect and correct upto s = (d/2) errors = stray tags or counterfeits • Code can detect and correct upto r = (d − 1) erasures = missed tags • With s stray tags and r missed tags, code can correct as long as 2s + r < d • This formulation is identical to (k, n) secret sharing • Encoding and decoding are efficient on low-powered machines © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 16
  32. 32. Permutation invariance • RS codes originally invented to solve digital communication problems • Order of code symbols is usually preserved (s1 , s2 , s3 .....sn−2 , sn−1 , sn ) → (s1 , s2 , s3 .....sn−2 , sn−1 , sn ) • In RFID, code symbols are always permuted, because order of tag reading is based on randomization at the MAC layer. (s1 , s2 , s3 .....sn−2 , sn−1 , sn ) → (s6 , s1 , sn−4 .....sn , s7 , s3 ) • In order to use RS codes, we also need to make the symbol index available at destination. ({s6 , 6}, {s1 , 1}, {sn−4 , (n − 4)}.....{sn , n}, {s7 , 7}, {s3 , 3}) © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 17
  33. 33. Permutation invariance 2 © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 18
  34. 34. Permutation invariance 2 E(K, t1) s1 1 E(K, t2) s2 2 . . E(K, tn-1) sn-1 n-1 E(K, tn) sn n © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 18
  35. 35. Permutation invariance 2 E(K, t1) E(K, t2) s1 s2 1 2 . . E(K, tn-1) sn-1 n-1 E(K, tn) sn n © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 18
  36. 36. Permutation invariance 2 E(K, t1) E(K, t2) s1 s2 1 2 . . E(K, tn-1) sn-1 E(K, t1) sH(E(K, t )) n-1 1 E(K, tn) sn n E(K, t2) sH(E(K, t )) 2 . Instead of adding separate index, use uniqueness of the . EPC to generate symbol index on the fly via hashing E(K, tn-1) sH(E(K, t )) n-1 E(K, tn) sH(E(K, t )) n © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 18
  37. 37. Field size • Field size GF (2m ) needs to be chosen to avoid index collisions. • If we have n tags, then 2m ≥ n2 or m ≥ log2 (n2 ) # of tags n # of bits in shares m E(K, t1) sH(E(K, t )) 1 50 12 E(K, t2) sH(E(K, t )) 2 256 16 1000 20 Need to avoid collisions 10000 27 © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 19
  38. 38. (15, 20) TSS scheme over GF(216) !quot;#quot;$%quot;#!&'(#%)quot;$(* ,,-1231422512314225 ++*,!'),-..%!/&,$,# '--1231422512314225 &+,-,*%0(,quot;!&-,+.)! !--1231422512314225 '.'*-#%)quot;#0#,(-.'#! ,)-1231422512314225 %&//(,()#*0#$$%$0'. ,%-1231422512314225 )&*+,-'(./012 $%(+#.!0quot;,(/*+#/!#) ,#-1231422512314225 1(*+,-'(./012 %&'(&&quot; %.+quot;#,$,$$)0quot;--+*!. ,'-1231422512314225 $/0/,!$quot;-/&$*'.(quot;'& ,*-1231422512314225 #),+)000).'!'/$($+. ,--1231422512314225 +,0/%#,$0(#&quot;)#.'++ ,+-1231422512314225 .(.++0(quot;quot;'+-quot;,,!,(# *--1231422512314225 !quot;#$ © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 20
  39. 39. RFID privacy without killing Physically secured areas Open areas 90 cases with 90 cases with 10 cases with Between 72 and Typically less than 72 items each 72 items each 72 items each 144 items 10 items 1. Factory 2. Distribution 3. De- & Re-Palletization 4. Backroom of 5. Store 6. Individual Center and transportation retail store shelf consumers TIME 5D6DB3D6542E639DBE7 110deadbeefdeadbeef 887152910AA35F41B16 200deadbeefdeadbeef 4810173CE1D54018A95 500deadbeefdeadbeef 4810173CE1D54018A95 2A270639D6C61E0A265 190deadbeefdeadbeef BFCF15BD0F4B72AED24 ? 34FFE1E967C6BB3BC2A 130deadbeefdeadbeef 69189CCC9A252FBEB8A B3E86A5CD1EF786F569 160deadbeefdeadbeef 2A270639D6C61E0A265 3A8D61B1BB9CD00875A 120deadbeefdeadbeef AEA88CEDD280D1151E6 BFCF15BD0F4B72AED24 170deadbeefdeadbeef 5D6DB3D6542E639DBE7 69189CCC9A252FBEB8A 100deadbeefdeadbeef 81CF361BCE64D96A288 180deadbeefdeadbeef AEA88CEDD280D1151E6 700deadbeefdeadbeef © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 21
  40. 40. Summary • Tiny Secret Sharing (TSS) enables RFID privacy without killing • Encryption key length is a free-variable - security can be tailored. • TSS is protocol-independent, and completely local - no network required. • It scales to item-level tagging • The only resources needed are tag memory and some computing power at reader • TSS allows use of standard cryptographic mechanisms for encryption, hashing • TSS fits naturally in many supply-chain scenarios where we have less than 100% reads and where stray tags or counterfeits are present. • TSS solves key-management problem - enables privacy and write/lock PIN distribution. © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 22
  41. 41. Key messages • Tiny Secret Sharing (TSS) enables consumer privacy now ‣ No heroic measures required ‣ No dependence on any particular standard fully standards compliant • Consumer privacy is achieved by exploiting the natural movement of tagged products through the supply chain ‣ Privacy through dispersion and history erasure © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 23
  42. 42. What’s next? • Real implementation on ThingMagic Mercury5 reader in progress • Discussion about implementation in real-world needs to happen ‣ Pharmaceutical supply chain appears to be ideal • Secret sharing across time or Sliding Window Information Secret Sharing (SWISS) also detailed in paper below • Preprint available at http://eprint.iacr.org/2008/044 • Questions: ravi.pappu@thingmagic.com © 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 24

×