View
215
Download
0
Category
Tags:
Preview:
Citation preview
slide 1
Author: Ari JuelsPresenter: Yuliya Kopylova
CSCE 790
RFID Security and Privacy
slide 2
Roadmap
Background RFID Risks Privacy: Simple Solutions Privacy: More Involved Solutions Authentication: Some Solutions Conclusion
1 2 3 4 5
slide 3
What is RFID?
Radio-Frequency Identification Tag
Chip
Antenna
Sticker containing microchip and antenna
Gains power from wireless signal received from tag reader
Tag-reader communication with range of up to half a meter
Tag returns its unique number and static data
1 2 3 4 5
slide 4
How Does RFID System Work?
Tags (transponders)Attached to objects, “call out” identifying dataon a special radio frequency
02.3DFEX4.78AF51
EasyToll card #816
Reader (transceiver)Reads data off the tagswithout direct contact
Radio signal (contactless)Range: from 3-5 inches to 3 meters
DatabaseMatches tag IDs tophysical objects
Management system Communication
protocol Computer Networks
Tags consists of antenna and a microchip
Readers consists of a transmitter, receiver, 1+ antennas
1 2 3 4 5
slide 5
RFID Advantages
Barcode RFID
Line-of-sight reading• Reader must be looking at the barcode
Specifies object type• E.g., “I am a pack of Juicy Fruit”
Reading by radio contact• Reader can be anywhere within range
Specifies unique object id• E.g., “I am a pack of Juicy Fruit #86715-A”
Fast, automated scanning(object doesn’t have to leave
pocket, shelf or container)
Can look up this objectin the database (provides pointer)
1 2 3 4 5
slide 6
RFID Tag Power Sources
Passive • inactive until the reader’s
interrogation signal “wakes” them up
• Cheap, but short range only
Semi-passive• On-board battery, but cannot
initiate communication• More expensive, longer range
Active• On-board battery, can initiate
communication
1 2 3 4 5
slide 7
RFID Types
• Inductive Coupling • Backscatter (radiative) Coupling
1 2 3 4 5
slide 8
Closer look
1 2 3 4 5
slide 9
RFID examples
Pervasive Devices• Low memory, few gates• Low power, no clock, little
state• Low computational power
You may own a few. Billions on the way.
1 2 3 4 5
slide 10
Current Applications
Public Transport and Ticketing Access Control Logistics Animal identification Anti-theft system Real time measurements in
sports Inventory Control in
supermarkets Electronic payments Industry automation Medical Banknotes, casino chips
1 2 3 4 5
slide 11
Futuristic Applications
“Smart” appliances• Refrigerators that automatically create shopping lists• Closets that tell you what clothes you have available, and
search the Web for advice on current styles, etc. • Ovens that know how to cook pre-packaged food
“Smart” products• Clothing, appliances, CDs, etc. tagged for store returns
“Smart” paper• Airline tickets that indicate your location in the airport• Library books• Business cards
Recycling• Plastics that sort themselves
1 2 3 4 5
slide 12
RFID Risks
1 2 3 4 5
•Mr. Jones pays with a credit card; his RFID tags now linked to his identity
•Mr. Jones attends a political rally; law enforcement scans his RFID tags
•Mr. Jones wins Turing Award; physically tracked by paparazzi via RFID
slide 13
Why RFID Risks Arise
Three technical aspects of today’s RFID tags create potential problems:
They are promiscuous• they talk to any compatible reader.
They are remotely readable: • they can be read at a distance through materials like
cardboard, cloth, and plastic. They are stealthy
• not only are the tags inconspicuous, you don't know when they are transmitting information or to whom. In short, the personal information
1 2 3 4 5
slide 14
Risks: Privacy Personal privacy
• Clandestine inventory and tracking– Unsanctioned readers
• Customer profiling– Tracking personal activities (e.g., purchase habits, travel)
• Big brother– Illicit or inappropriate use of personal data
Data cross contamination• Inventory tags plus personal info
Corporate espionage• Track your competitor’s inventory
Military espionage• Harvesting RFID communication to make inferences
1 2 3 4 5
slide 15
Risks: Eavesdropping
Read ranges• nominal read range
– max distance at which a normally operating reader can reliably scan tags
• rogue scanning range– rogue reader can emit stronger signal and read
tags from a larger distance than the nominal range• tag-to-reader eavesdropping range
– read-range limitations result from the requirement that the reader powers the tag
– however, one reader can power the tag, while another one can monitor its emission (eavesdrop)
• reader-to-tag eavesdropping range– readers transmit at much higher power than tags– readers can be eavesdropped form much further – readers may reveal tag specific information
1 2 3 4 5
slide 16
Risks: Counterfeits Comes down to authentication How can be accomplished
• Replaying (RF “tape-recorder”)• Tag cloning• Back-engineering
A few examples from real life (easy to break)• Speed passes• Ignition keys• Physical coercion and attack
– In 2005, a man in Malaysia had his fingertip cut off by thieves stealing his biometric-enabled Mercedes
– What would happen if the VeriChip were used to access ATM machines and secure facilities?
• Perhaps it is better then if tags can be cloned and are not used for authentication—only for identification
1 2 3 4 5
slide 17
RFID capabilities
Little power• Receives power from reader• Range a few meters
Little memory• Static 64-to-128-bit identifier • Hundreds of bits soon
Little computational power• A few thousand gates• No cryptographic functions available• Static keys for read/write permission
In terms of computational power can be divided into
– BASIC tags– SYMMETRIC KEY tags
1 2 3 4 5
slide 18
Privacy protection approaches
standard tags• jamming• “kill” command• “sleep” command• Renaming• Blocking
crypto enabled tags• synchronization approach• hash chain based approach• tree-approach
1 2 3 4 5
slide 19
Easiest solution
Keep it close to your body• Liquids are not penetrable by microwave frequencies
Faraday cage• Container made of foil or metal mesh, impenetrable by
radio signals of certain frequencies• Shoplifters are already known to use foil-lined bags• Maybe works for a wallet, but huge hassle in general
Active jamming• Disables all RFID, including legitimate applications
All kinds of the above protections can be purchased now days• protective sleevers for passports, wallets, ids, etc.
1 2 3 4 5
slide 20
Dead tags tell no tales
Idea: permanently disable tags with a special “kill” command• part of the EPC specification
Advantages:• Simple and effective
Disadvantages:• eliminates all post-purchase benefits of RFID for the consumer
and for society• no return of items without receipt• no smart house-hold appliances• cannot be applied in some applications
– library, e-passports, banknotes
Similar approaches:• put RFID tags into price tags or packaging which are removed
and discarded
1 2 3 4 5
slide 21
Don’t kill the tag, put it to sleep
Idea: instead of killing the tag put it in sleep mode• tag can be re-activated if needed
Advantages:• Simple• effective
Disadvantages:• difficult to manage in practice• tag re-activation must be password protected• how the consumers will manage hundreds of passwords
for their tags?• passwords can be printed on tags, but then they need to
be scanned optically or typed in by the consumer
1 2 3 4 5
slide 22
Partial destruction Renaming
• In simplest case renaming to gibberish• No intrinsic meaning• Still can be tracked
– Backscatter from antennas– Hypothesize manufacturer type may be learnable– Do tags possess uniquely detectable RF fingerprints? (Device
signatures a staple of electronic warfare)
Relabelings• Retain only product ID for later use• Destroy unique ID at the time of purchase
Splitting identifiers across two tags• Peel off one at time of purchase
1 2 3 4 5
slide 23
Distance Measuring
Signal-to-noise ratio of the reader signal in an RFID system provides a rough metric of the distance between a reader and a tag.
With some additional, low-cost circuitry a tag might achieve rough measurement of the distance of an interrogating reader.
Distance can serve as a metric for trust. • Release general information (“I am attached to a
bottle of water”) when scanned at a distance• Release more specific information (ID), only at
close range.
1 2 3 4 5
slide 24
Proxying
Proxying• Consumers carry their own privacy-enforcing
devices (Higher-powered intermediaries like mobile phones)
• Watch dog – Observer observing the observer: monitor if someone
scans you– Selectively jams tag replies as needed
• RFID guardian– Talk to the guardian first– Communication is released through a fortified
intermediate
1 2 3 4 5
slide 25
Proxying
Problems• Change of ownership: how to release control• Impersonating the guardian itself• Cannot suppress tag replies entirely, only jam• Cannot suppress reader commands
Please show reader certificate and privileges
1 2 3 4 5
slide 26
Renaming Idea: avoid using real Ids, change Identifiers across the reads
• get rid of fixed names (identifiers). Pseudonyms stored on tag (limited storage, i.e. 10 or so), tag cycles through pseudonyms
• use random pseudonyms and change them frequently Requirements:
• only authorized readers should be able to determine the real identifier behind a pseudonym
• standard tags cannot perform computations -> next pseudonym to be used must be set by an authorized reader
A possible implementation• pseudonym = {R|ID}K
– R is a random number– K is a key shared by all authorized readers
• authorized readers can decrypt pseudonyms and determine real ID• authorized readers can generate new pseudonyms• for unauthorized readers, pseudonyms look like random bit strings
Potential problems• tracking is still possible between two renaming operations• if someone can eavesdrop during the renaming operation, then she may be able
to link the new pseudonym to the old one• no reader authentication -> rogue reader can overwrite pseudonyms in tags
(tags will be erroneously identified by authorized readers)
1 2 3 4 5
slide 27
Example of RNG
1 2 3 4 5
V
Random Bits
NoConnect
The voltage signal is amplified, disturbed, stretched, and sampled,resulting in random bits.
slide 28
Renaming (re-encryption)
A public key based implementation:• El Gamal scheme:
– Inputs are ciphertexts– Outputs are a re-encryption of the inputs.– Anyone can encrypt without the public key E– Those who know the secret key D can also decrypt
messages encrypted with different keys are indistinguishable
1 2 3 4 5
slide 29
Renaming (re-encryption) El Gamal Encryption Parameters
• Public parameters:
– q is a prime
– p = 2kq+1 is a prime
– g generator of Gp, i.e. efficient description
of a cyclic group of order q with generator g (I know only one
generator which is relatively prime)
• Secret key of RFID tag: x (where 0 < x < q)
• Public key of RFID tag : y = gx mod p
Encryption for message (plaintext) m1. Pick a number k randomly from [0…q-1]2. Compute a = yk .m mod p and b = gk mod p3. Output (a,b)
1 2 3 4 5
slide 30
Renaming (re-encryption)
Decryption• Compute m as a / bx (= yk. m/ (gk)x = gxk. m/ gkx = m)
One can re-encrypt a ciphertext (a, b) without decryption:Input: a ciphertext (a,b) and public key y
1. Pick a number randomly from [0…q-1]
2. Compute a’ = y . a mod p and b’ = g . b mod p
3. Output (a’, b’) Same decryption technique
• Compute m a’ / b’x (= yk. y. m/ (gk . g ) x = gx (k+). m/ gx (k+) = m)
Properties:• new tag pseudonyms can be computed by readers that know the
public key• real tag ID can be computed only by readers that know the private key• Semantic security: Cannot distinguish between C = EPK,r [Alice] and
C’ = EPK,r’ [Bob]– An attacker who intercepts C and C’ cannot tell if they come from
the same chip, that is the attacker cannot identify or track Alice1 2 3 4 5
slide 31
Blocking
When the reader sends a signal, more than one RFID tag may respond: this is a collision
• typical commercial application, such as scanning a bag of groceries, potentially hundreds of tags might be within range of the reader.
Reader must engage in a special singulation protocol to talk to each tag separately
• Singulation is used by an RFID reader only when necessary to identify a specific tag (and its ID) from a number of tags in the field
Tree-walking is a common singulation method
• Used by 915 Mhz tags, the most common type in the U.S.
• Slotted aloha is used for LF tags
1 2 3 4 5
slide 32
Anti-collision
"Tree Walking" Recursive depth-first
search Requirement: Reader is
able to detect bit position of a collision
Example: 1 Reader, 3 Transponder, 3-bit ID
Example: 1 Reader, 3 Transponder, 3-bit IDSynchronized by readerExample: 1 Reader, 5 Tags, 8-bit ID
1 2 3 4 5
slide 33
Tree Walking
000 001 010 011 100 101 110 111
Every tag has a k-bit identifier
prefix=0
prefix=00 prefix=01
prefix=10 prefix=11
prefix=1Reader broadcastscurrent prefix
Each tag with this prefixresponds with its next bit
If responses don’t collide,reader adds 1 bit to currentprefix, otherwise tries both possibilities
This takes O(k number of tags)1 2 3 4 5
slide 34
Tree-Walking
Tree-walking” protocol for identifying tags recursively asks question:• “What is your next bit?”• Something along the lines of: “Will all tags with 1
as their first digit raise their hand”. “Will all tags with 1 as their first digit, and 0 as their second....”
Blocker tag always says both ‘0’ and ‘1’! • Makes it seem like all possible tags are present
by making an RFID tag misbehave, and answers yes to every question.
1 2 3 4 5
slide 35
Blocker Tag
A form of jamming: broadcast both “0” and “1” in response to any request from an RFID reader• Guarantees collision no matter what tags are present• To talk to a tag, reader must traverse every tree path
– With 128-bit IDs, reader must try 2128 values – infeasible! To prevent illegitimate blocking, make blocker tag
selective (block only certain ID ranges) Blocker tag can be selective:
1 2 3 4 5
slide 36
Blocker Tag
privacy zone• tree is divided into two zones• privacy zone: all IDs starting with 1• upon purchase of a product, its tag is transferred
into the privacy zone by setting the leading bit the blocker tag
• when the prefix in the reader’s query starts with 1, it simulates a collision
• when the blocker tag is not present, everything works normally
Alternative: polite blocking (notify the reader)
slide 37
Hash Locks Locked tag transmit only metaID Similar to the proximity approach Unlocked tag can do all operations Locking mechanism:
• Reader R selects a nonce and computes metaID = hash(key)• R writes metaID to tag T• T enters locked state• R stores the pair (metaID, key).
Unlocking• Reader R queries tag T for its metaID• R looks up (metaID, key)• R sends key to T• If (hash(key) == metaID), T unlocks itself
1 2 3 4 5
slide 38
Hash locks
Cheap to implement on tags:• A hash function and storage for metaID.
Security based on hardness of hash. Hash output has nice random properties. Low key look-up overhead.
Tags respond predictably; allows tracking.• Motivates randomization.
Requires reader to know all keys
1 2 3 4 5
slide 39
Randomized Hash Locks
Reader RFID tag
Stores its own IDk
Goal: authenticate reader to the RFID tag
“Who are you?”
R, hash(R,IDk)
“You must be IDk”
Compute hash(R,IDi) for every
known IDi and compare
Stores all IDs:ID1, … ,IDn
Generate random R
1 2 3 4 5
slide 40
Randomized Hash Locks
Tag must store hash implementation and pseudo-random number generator• Low-cost RNGs exist; can use physical randomness
Secure against tracking because tag response is different each time
Reader must perform brute-force ID search• Effectively, reader must stage a mini-dictionary attack
to unlock the tag
Alternative: better searching• Tree approach• Synchronization approach
1 2 3 4 5
slide 41
Avoiding brute force synch
operation of tag:• state is si
• when queried, the tag responds with the current pseudonym pi=G(si) and computes its new state si+1 = H(si)
operation of the reader:• reader must approximately
know the current counter value of each tag
• for each tag, it maintains a table with the most likely current counters and corresponding pseudonyms
Operation of the reader• when a tag responds
with a pseudonym p, it finds p in any of its tables, identifies the tag, and updates the table corresponding to the tag
• one-wayness of the hash ensures that current counter value cannot be computed from observed pseudonym
c is a counter, H and G are one-way hash functions reader maintainssynchronized state with tags
1 2 3 4 5
slide 42
Avoiding brute force (tree of secrets)
1 2 3 4 5
Tag == leaf of the tree. Each tag receives the keys on
path from leaf to the root. Tag ij generates pseudonyms
as (Key1(r), Key2(r), …, Fkij (r)).
Reader can decode pseudonym using a depth-first search.
In the worst case, the reader searches through db keys, where d is the depth of the tree, and b is the branching factor• compare this to bd, which is the
total number of tags
slide 43
Authentication Workarounds
No explicit counterfeiting measures whatsoever
Possible solutions:• Repurpose the kill function for limited counterfeit• Yoking
– cryptographic proof that two tags have been scanned simultaneously and evidence (although not proof) that the tags were scanned in physical proximity to one another.
– Usable only in certain circumstances (pharmacy, aircraft safety)
• Physical markers– Similar to explosive markers– Special dyes and packaging
1 2 3 4 5
slide 44
HB Protocol
Created by Nicholas Hopper and Manuel Blum as a tool for secure authentication and identification of unassisted humans to computers.
Juels and Weis realized that this protocol was actually a natural protocol for the authentication of RFID tags to readers.
The security of the HB Protocol is based on the underlining hardness of the Learning Parity with Noise (LPN) problem.
1 2 3 4 5
slide 45
HB ProtocolDefinitions The secret x is a k length binary string (tag ID).
• The tag needs to prove to the reader that it knows one of the S's on the reader's list of acceptable secrets.
• The tag only has one secret, but the reader generally has many.
A query q is also a k length binary string. • Produced by the reader. • One query is produced for each iteration of the protocol
Epsilon is a probability, ranging from 0 to Ѕ that the response calculated by the tag will be flipped • if the correct response was 1, the tag will send back 0, and
vice versa. Nu equals 1 with probability epsilon. Delta is an error factor,
• ranges from 0 to Ѕ• defines how close the tag's actual flipping of responses must
be to epsilon in order to be accepted. 1 2 3 4 5
slide 46
Crypto RFID: authentication (HB Protocol)
Reader RFID tag
Goal: authenticate RFID tag to the reader
k-bit random value a
(ax)v
Response correct ifit is equal to (ax)
Generate random v:1 with prob. , else 0
Knows secret x;parameter Knows secret x;
parameter
chance thatresponse is incorrect
repeat r timesRFID tag is authenticatedif fewer than r responsesare incorrect
1 2 3 4 5
slide 47
Crypto RFID: authentication (HB+ Protocol)
Reader RFID tag
Goal: authenticate RFID tag to the reader
k-bit random value a
(ax)(by)v
Generate random v:1 with prob. , else 0
Knows secrets x,y;parameterKnows secrets x,y;
parameter
repeat r timesRFID tag is authenticatedif fewer than r responsesare incorrect
Response correct ifit is equal to (ax)(by)
blinding value b
1 2 3 4 5
slide 48
Wrapping it up
Some basic trends are apparent:• Pressure to build a smaller, cheaper tags without cryptography
– reverse-engineering a cheap RFID tag unlikely to be hard…• Urgent need for cheaper hardware for primitives• “Security through obscurity” doesn’t work
Simple static identifiers are the most naïve• How about encrypting ID?• How about creating new static identifiers, i.e., “meta-ID”• How about a law-enforcement access key?
– Tag-specific keys require initial release of identity– Universal keys subject to interception
Special properties:• RFID tags are close and personal giving privacy a special dimension• RFID tags change ownership frequently• Key management will be a major problem
– Think for a moment after this talk about distribution of kill passwords…– Are there good hardware approaches to key distribution, e.g., proximity as measure of
trust Some privacy is clearly better than for naive approaches
slide 49
Future Work
Authentication algorithms with human protocols
New and emerging problems
Tag identification with delegation, ownership transfer
Efficient cloning-resistant identification algorithms
Find New and Improve Existing Algorithms
Recommended