RFID Privacy Without Killing · • Tiny Secret Sharing (TSS) enables RFID privacy without killing • Encryption key length is a free-variable - security can be tailored. • TSS

RFID Privacy Without Killing

Ravi PappuCo-Founder ThingMagic Inc.

Joint work with Ari Juels (RSA, CUSP) and Bryan Parno (CMU)

1© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending

1Tuesday, February 12, 2008

© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending

Key messages• Tiny Secret Sharing (TSS) enables consumer privacy now

‣ No heroic measures required

‣ No dependence on any particular standard ⇒ fully standards compliant

• Consumer privacy is achieved by exploiting the natural movement of tagged products through the supply chain

‣ Privacy through dispersion and history erasure

2



Summary • Tiny Secret Sharing (TSS) enables RFID privacy without killing

• Encryption key length is a free-variable - security can be tailored.

• TSS is protocol-independent, and completely local - no network required.

• It scales to item-level tagging

• The only resources needed are tag memory and some computing power at reader

• TSS allows use of standard cryptographic mechanisms for encryption, hashing

• TSS fits naturally in many supply-chain scenarios where we have less than 100% reads and where stray tags or counterfeits are present.

• TSS solves key-management problem - enables privacy and write/lock PIN distribution.

3


© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 4

Threat Contexts



Object Hierarchies

5

1. Factory 2. Distribution

Center3. De- & Re-Palletization

and transportation

4. Backroom of

retail store

5. Store

shelf6. Individual

consumers

Physically secured areas Open areas

90 cases with

72 items each

90 cases with

72 items each

10 cases with

72 items each

Between 72 and

144 items

Typically less than

10 items

TIME



Object Hierarchies

5



and transportation

4. Backroom of

retail store

5. Store

shelf6. Individual

consumers


90 cases with

72 items each

90 cases with

72 items each

10 cases with

72 items each

Between 72 and

144 items

Typically less than

10 items

TIME

Razor blades 6571 730 144 5

DVDs 5040 2520 400 24

Pharma. 7200 1920 150 6

Source: EPCGlobal Item Level JRG



Object Hierarchies

6



and transportation

4. Backroom of

retail store

5. Store

shelf6. Individual

consumers


90 cases with

72 items each

90 cases with

72 items each

10 cases with

72 items each

Between 72 and

144 items

Typically less than

10 items

TIME



Object Hierarchies

6



and transportation

4. Backroom of

retail store

5. Store

shelf6. Individual

consumers


90 cases with

72 items each

90 cases with

72 items each

10 cases with

72 items each

Between 72 and

144 items

Typically less than

10 items

TIME

Tags start out in large collections which become smaller over time.



Object Hierarchies

6



and transportation

4. Backroom of

retail store

5. Store

shelf6. Individual

consumers


90 cases with

72 items each

90 cases with

72 items each

10 cases with

72 items each

Between 72 and

144 items

Typically less than

10 items

TIME


Larger collections of tags are typically located in secure areas.



Object Hierarchies

6



and transportation

4. Backroom of

retail store

5. Store

shelf6. Individual

consumers


90 cases with

72 items each

90 cases with

72 items each

10 cases with

72 items each

Between 72 and

144 items

Typically less than

10 items

TIME


Larger collections of tags are typically located in secure areas.

Shared context from earlier times is not available at later times to adversary.



Key question• Can we exploit the three observations to provide strong privacy in RFID-enables supply

chains?

• Yes! In order to do so, we turn to a cryptographic method called secret sharing.

7



Secret Sharing

8



Secret

Secret Sharing

8



Secret

Secret Sharing

8

Shares



Secret

Secret Sharing

8

Shares

In practice, secrets are shared by evaluating polynomials over finite fields.



(n, n) secret sharing

9

Secret

Shares

All n shares required to recover secretNo information revealed if fewer than n shares availableDeveloped independently by shamir and Blakely in 1974.



(n, n) secret sharing

9

Secret

All n shares required to recover secretNo information revealed if fewer than n shares availableDeveloped independently by shamir and Blakely in 1974.



(k, n) secret sharing

10

Secret

Shares

Any k out of n shares are sufficient to recover secret.No information revealed if fewer than k shares are available.




10

Secret





11

Secret

Shares





11

Secret




Our approach

12



Our approach

12

t1

t2

t3

t4

tn-3

tn-2

tn-1

tn

.

.

Pallet of n



Our approach

12

t1

t2

t3

t4

tn-3

tn-2

tn-1

tn

.

.

Pallet of n Pallet of n E(K, t1)

E(K, t2)

E(K, t3)

E(K, t4)

E(K, tn-3)

E(K, tn-2)

E(K, tn-1)

E(K, tn)

s1

s2

s3

s4

sn-3

sn-2

sn-1

sn

.

.

Encrypt all tags using a pallet-specific secret key K.Append a share of the secret to each tag.



System level challenges

13

Need to decide encryption method, key size, sharing/recovery algorithm, share size




13

K

s1

s2

s3

s4

sn-3

sn-2

sn-1

sn

(k, n) sharing

key length





13

K

s1

s2

s3

s4

sn-3

sn-2

sn-1

sn

(k, n) sharing

key length




E(K, tn) sn

encryption method share size


13

K

s1

s2

s3

s4

sn-3

sn-2

sn-1

sn

(k, n) sharing

key length




Practical requirements• Share size has to be tiny, because tag memory is at a premium

‣ Krawczyk (1994) focused on short shares, but even these are 128 bits long.

‣ Current memory capacity on EPC Gen2 tags is 96 bits ⇒Tiny Secret Sharing

• Sharing and recovery algorithms have to be computationally efficient.

• System should be robust against

‣ changes in the order of tag reading i.e. permutation invariance

‣ sub-100% read rates

‣ stray reads (or counterfeits)

14



￭ Peanut Butter (70 Tag Pallet) ￭ Cooking Oil (40 Tag Pallet)

15

Mercury5 read performance

Improved read performance ⇒ stray reads from

adjacent dock door

These are errorssub-100% readsThese are erasures



Reed-Solomon Codes

16

• codes over

• Total number of symbols = number of tags =

• Symbols required to recover message = threshold number of tags =

• Code can detect and correct upto errors = stray tags or counterfeits

• Code can detect and correct upto erasures = missed tags

• With stray tags and missed tags, code can correct as long as

• This formulation is identical to secret sharing

• Encoding and decoding are efficient on low-powered machines

n

k

s = (d/2)

r = (d! 1)

2s + r < ds r

(k, n)

(n, k, d) GF (2m)



Permutation invariance• RS codes originally invented to solve digital communication problems

• Order of code symbols is usually preserved

• In RFID, code symbols are always permuted, because order of tag reading is based on randomization at the MAC layer.

• In order to use RS codes, we also need to make the symbol index available at destination.

17

(s1, s2, s3.....sn!2, sn!1, sn)! (s1, s2, s3.....sn!2, sn!1, sn)

(s1, s2, s3.....sn!2, sn!1, sn)! (s6, s1, sn!4.....sn, s7, s3)

({s6, 6}, {s1, 1}, {sn!4, (n! 4)}.....{sn, n}, {s7, 7}, {s3, 3})



Permutation invariance 2

18




18

E(K, t1) s1

.

.

1

E(K, t2) s2 2

E(K, tn-1) sn-1 n-1

E(K, tn) sn n




18

E(K, t1) s1

.

.

1

E(K, t2) s2 2

E(K, tn-1) sn-1 n-1

E(K, tn) sn n




18

E(K, t1) s1

.

.

1

E(K, t2) s2 2

E(K, tn-1) sn-1 n-1

E(K, tn) sn n

Instead of adding separate index, use uniqueness of the EPC to generate symbol index on the fly via hashing

E(K, t1) sH(E(K, t1

))

.

.

E(K, t2)

E(K, tn-1)

E(K, tn)

sH(E(K, t2

))

sH(E(K, tn-1))

sH(E(K, tn

))



Field size• Field size needs to be chosen to avoid index collisions.

• If we have tags, then or

19

GF (2m)

n

# of tags n # of bits in shares m

50 12

256 16

1000 20

10000 27

2m ! n2 m ! log2(n2)

E(K, t1) sH(E(K, t1

))

E(K, t2) sH(E(K, t2

))

Need to avoid collisions



(15, 20) TSS scheme over GF(216)

20

!"#"$%"#!&'(#%)"$(*

++*,!'),-..%!/&,$,#

&+,-,*%0(,"!&-,+.)!

'.'*-#%)"#0#,(-.'#!

%&//(,()#*0#$$%$0'.

$%(+#.!0",(/*+#/!#)

%.+"#,$,$$)0"--+*!.

$/0/,!$"-/&$*'.("'&

#),+)000).'!'/$($+.

+,0/%#,$0(#&")#.'++

.(.++0(""'+-",,!,(#

,,-1231422512314225

'--1231422512314225

!--1231422512314225

,)-1231422512314225

,%-1231422512314225

,#-1231422512314225

,'-1231422512314225

,*-1231422512314225

,--1231422512314225

,+-1231422512314225

*--1231422512314225

!"#$

%&'(&&")&*+,-'(./012 1(*+,-'(./012



RFID privacy without killing

21



and transportation

4. Backroom of

retail store

5. Store

shelf6. Individual

consumers


90 cases with

72 items each

90 cases with

72 items each

10 cases with

72 items each

Between 72 and

144 items

Typically less than

10 items

TIME

5D6DB3D6542E639DBE7

887152910AA35F41B16

4810173CE1D54018A95

2A270639D6C61E0A265

34FFE1E967C6BB3BC2A

B3E86A5CD1EF786F569

3A8D61B1BB9CD00875A

BFCF15BD0F4B72AED24

69189CCC9A252FBEB8A

81CF361BCE64D96A288

AEA88CEDD280D1151E6

110deadbeefdeadbeef

200deadbeefdeadbeef

500deadbeefdeadbeef

190deadbeefdeadbeef

130deadbeefdeadbeef

160deadbeefdeadbeef

120deadbeefdeadbeef

170deadbeefdeadbeef

100deadbeefdeadbeef

180deadbeefdeadbeef

700deadbeefdeadbeef

4810173CE1D54018A95

BFCF15BD0F4B72AED24

69189CCC9A252FBEB8A

2A270639D6C61E0A265

AEA88CEDD280D1151E6

5D6DB3D6542E639DBE7

?



Summary • Tiny Secret Sharing (TSS) enables RFID privacy without killing

• Encryption key length is a free-variable - security can be tailored.

• TSS is protocol-independent, and completely local - no network required.

• It scales to item-level tagging

• The only resources needed are tag memory and some computing power at reader

• TSS allows use of standard cryptographic mechanisms for encryption, hashing

• TSS fits naturally in many supply-chain scenarios where we have less than 100% reads and where stray tags or counterfeits are present.

• TSS solves key-management problem - enables privacy and write/lock PIN distribution.

22



Key messages• Tiny Secret Sharing (TSS) enables consumer privacy now

‣ No heroic measures required

‣ No dependence on any particular standard ⇒ fully standards compliant

• Consumer privacy is achieved by exploiting the natural movement of tagged products through the supply chain

‣ Privacy through dispersion and history erasure

23



What’s next? • Real implementation on ThingMagic Mercury5 reader in progress

• Discussion about implementation in real-world needs to happen

‣ Pharmaceutical supply chain appears to be ideal

• Secret sharing across time or Sliding Window Information Secret Sharing (SWISS) also detailed in paper below

• Preprint available at http://eprint.iacr.org/2008/044

• Questions: [email protected]

24


http://eprint.iacr.org/2008/044

http://eprint.iacr.org/2008/044

Documents

RFID Privacy Without Killing · • Tiny Secret Sharing (TSS) enables RFID privacy without killing • Encryption key length is a free-variable - security can be tailored. • TSS