Upload
others
View
8
Download
0
Embed Size (px)
Citation preview
RFID Privacy Without Killing
Ravi PappuCo-Founder ThingMagic Inc.
Joint work with Ari Juels (RSA, CUSP) and Bryan Parno (CMU)
1© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
1Tuesday, February 12, 2008
© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
Key messages• Tiny Secret Sharing (TSS) enables consumer privacy now
‣ No heroic measures required
‣ No dependence on any particular standard ⇒ fully standards compliant
• Consumer privacy is achieved by exploiting the natural movement of tagged products through the supply chain
‣ Privacy through dispersion and history erasure
2
2Tuesday, February 12, 2008
© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
Summary • Tiny Secret Sharing (TSS) enables RFID privacy without killing
• Encryption key length is a free-variable - security can be tailored.
• TSS is protocol-independent, and completely local - no network required.
• It scales to item-level tagging
• The only resources needed are tag memory and some computing power at reader
• TSS allows use of standard cryptographic mechanisms for encryption, hashing
• TSS fits naturally in many supply-chain scenarios where we have less than 100% reads and where stray tags or counterfeits are present.
• TSS solves key-management problem - enables privacy and write/lock PIN distribution.
3
3Tuesday, February 12, 2008
© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending 4
Threat Contexts
4Tuesday, February 12, 2008
© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
Object Hierarchies
5
1. Factory 2. Distribution
Center3. De- & Re-Palletization
and transportation
4. Backroom of
retail store
5. Store
shelf6. Individual
consumers
Physically secured areas Open areas
90 cases with
72 items each
90 cases with
72 items each
10 cases with
72 items each
Between 72 and
144 items
Typically less than
10 items
TIME
5Tuesday, February 12, 2008
© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
Object Hierarchies
5
1. Factory 2. Distribution
Center3. De- & Re-Palletization
and transportation
4. Backroom of
retail store
5. Store
shelf6. Individual
consumers
Physically secured areas Open areas
90 cases with
72 items each
90 cases with
72 items each
10 cases with
72 items each
Between 72 and
144 items
Typically less than
10 items
TIME
Razor blades 6571 730 144 5
DVDs 5040 2520 400 24
Pharma. 7200 1920 150 6
Source: EPCGlobal Item Level JRG
5Tuesday, February 12, 2008
© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
Object Hierarchies
6
1. Factory 2. Distribution
Center3. De- & Re-Palletization
and transportation
4. Backroom of
retail store
5. Store
shelf6. Individual
consumers
Physically secured areas Open areas
90 cases with
72 items each
90 cases with
72 items each
10 cases with
72 items each
Between 72 and
144 items
Typically less than
10 items
TIME
6Tuesday, February 12, 2008
© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
Object Hierarchies
6
1. Factory 2. Distribution
Center3. De- & Re-Palletization
and transportation
4. Backroom of
retail store
5. Store
shelf6. Individual
consumers
Physically secured areas Open areas
90 cases with
72 items each
90 cases with
72 items each
10 cases with
72 items each
Between 72 and
144 items
Typically less than
10 items
TIME
Tags start out in large collections which become smaller over time.
6Tuesday, February 12, 2008
© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
Object Hierarchies
6
1. Factory 2. Distribution
Center3. De- & Re-Palletization
and transportation
4. Backroom of
retail store
5. Store
shelf6. Individual
consumers
Physically secured areas Open areas
90 cases with
72 items each
90 cases with
72 items each
10 cases with
72 items each
Between 72 and
144 items
Typically less than
10 items
TIME
Tags start out in large collections which become smaller over time.
Larger collections of tags are typically located in secure areas.
6Tuesday, February 12, 2008
© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
Object Hierarchies
6
1. Factory 2. Distribution
Center3. De- & Re-Palletization
and transportation
4. Backroom of
retail store
5. Store
shelf6. Individual
consumers
Physically secured areas Open areas
90 cases with
72 items each
90 cases with
72 items each
10 cases with
72 items each
Between 72 and
144 items
Typically less than
10 items
TIME
Tags start out in large collections which become smaller over time.
Larger collections of tags are typically located in secure areas.
Shared context from earlier times is not available at later times to adversary.
6Tuesday, February 12, 2008
© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
Key question• Can we exploit the three observations to provide strong privacy in RFID-enables supply
chains?
• Yes! In order to do so, we turn to a cryptographic method called secret sharing.
7
7Tuesday, February 12, 2008
© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
Secret Sharing
8
8Tuesday, February 12, 2008
© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
Secret
Secret Sharing
8
8Tuesday, February 12, 2008
© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
Secret
Secret Sharing
8
Shares
8Tuesday, February 12, 2008
© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
Secret
Secret Sharing
8
Shares
In practice, secrets are shared by evaluating polynomials over finite fields.
8Tuesday, February 12, 2008
© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
(n, n) secret sharing
9
Secret
Shares
All n shares required to recover secretNo information revealed if fewer than n shares availableDeveloped independently by shamir and Blakely in 1974.
9Tuesday, February 12, 2008
© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
(n, n) secret sharing
9
Secret
All n shares required to recover secretNo information revealed if fewer than n shares availableDeveloped independently by shamir and Blakely in 1974.
9Tuesday, February 12, 2008
© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
(k, n) secret sharing
10
Secret
Shares
Any k out of n shares are sufficient to recover secret.No information revealed if fewer than k shares are available.
10Tuesday, February 12, 2008
© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
(k, n) secret sharing
10
Secret
Any k out of n shares are sufficient to recover secret.No information revealed if fewer than k shares are available.
10Tuesday, February 12, 2008
© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
(k, n) secret sharing
11
Secret
Shares
Any k out of n shares are sufficient to recover secret.No information revealed if fewer than k shares are available.
11Tuesday, February 12, 2008
© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
(k, n) secret sharing
11
Secret
Any k out of n shares are sufficient to recover secret.No information revealed if fewer than k shares are available.
11Tuesday, February 12, 2008
© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
Our approach
12
12Tuesday, February 12, 2008
© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
Our approach
12
t1
t2
t3
t4
tn-3
tn-2
tn-1
tn
.
.
Pallet of n
12Tuesday, February 12, 2008
© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
Our approach
12
t1
t2
t3
t4
tn-3
tn-2
tn-1
tn
.
.
Pallet of n Pallet of n E(K, t1)
E(K, t2)
E(K, t3)
E(K, t4)
E(K, tn-3)
E(K, tn-2)
E(K, tn-1)
E(K, tn)
s1
s2
s3
s4
sn-3
sn-2
sn-1
sn
.
.
Encrypt all tags using a pallet-specific secret key K.Append a share of the secret to each tag.
12Tuesday, February 12, 2008
© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
System level challenges
13
Need to decide encryption method, key size, sharing/recovery algorithm, share size
13Tuesday, February 12, 2008
© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
System level challenges
13
K
s1
s2
s3
s4
sn-3
sn-2
sn-1
sn
(k, n) sharing
key length
Need to decide encryption method, key size, sharing/recovery algorithm, share size
13Tuesday, February 12, 2008
© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
System level challenges
13
K
s1
s2
s3
s4
sn-3
sn-2
sn-1
sn
(k, n) sharing
key length
Need to decide encryption method, key size, sharing/recovery algorithm, share size
13Tuesday, February 12, 2008
© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
E(K, tn) sn
encryption method share size
System level challenges
13
K
s1
s2
s3
s4
sn-3
sn-2
sn-1
sn
(k, n) sharing
key length
Need to decide encryption method, key size, sharing/recovery algorithm, share size
13Tuesday, February 12, 2008
© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
Practical requirements• Share size has to be tiny, because tag memory is at a premium
‣ Krawczyk (1994) focused on short shares, but even these are 128 bits long.
‣ Current memory capacity on EPC Gen2 tags is 96 bits ⇒Tiny Secret Sharing
• Sharing and recovery algorithms have to be computationally efficient.
• System should be robust against
‣ changes in the order of tag reading i.e. permutation invariance
‣ sub-100% read rates
‣ stray reads (or counterfeits)
14
14Tuesday, February 12, 2008
© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
■ Peanut Butter (70 Tag Pallet) ■ Cooking Oil (40 Tag Pallet)
15
Mercury5 read performance
Improved read performance ⇒ stray reads from
adjacent dock door
These are errorssub-100% readsThese are erasures
15Tuesday, February 12, 2008
© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
Reed-Solomon Codes
16
• codes over
• Total number of symbols = number of tags =
• Symbols required to recover message = threshold number of tags =
• Code can detect and correct upto errors = stray tags or counterfeits
• Code can detect and correct upto erasures = missed tags
• With stray tags and missed tags, code can correct as long as
• This formulation is identical to secret sharing
• Encoding and decoding are efficient on low-powered machines
n
k
s = (d/2)
r = (d! 1)
2s + r < ds r
(k, n)
(n, k, d) GF (2m)
16Tuesday, February 12, 2008
© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
Permutation invariance• RS codes originally invented to solve digital communication problems
• Order of code symbols is usually preserved
• In RFID, code symbols are always permuted, because order of tag reading is based on randomization at the MAC layer.
• In order to use RS codes, we also need to make the symbol index available at destination.
17
(s1, s2, s3.....sn!2, sn!1, sn)! (s1, s2, s3.....sn!2, sn!1, sn)
(s1, s2, s3.....sn!2, sn!1, sn)! (s6, s1, sn!4.....sn, s7, s3)
({s6, 6}, {s1, 1}, {sn!4, (n! 4)}.....{sn, n}, {s7, 7}, {s3, 3})
17Tuesday, February 12, 2008
© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
Permutation invariance 2
18
18Tuesday, February 12, 2008
© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
Permutation invariance 2
18
E(K, t1) s1
.
.
1
E(K, t2) s2 2
E(K, tn-1) sn-1 n-1
E(K, tn) sn n
18Tuesday, February 12, 2008
© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
Permutation invariance 2
18
E(K, t1) s1
.
.
1
E(K, t2) s2 2
E(K, tn-1) sn-1 n-1
E(K, tn) sn n
18Tuesday, February 12, 2008
© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
Permutation invariance 2
18
E(K, t1) s1
.
.
1
E(K, t2) s2 2
E(K, tn-1) sn-1 n-1
E(K, tn) sn n
Instead of adding separate index, use uniqueness of the EPC to generate symbol index on the fly via hashing
E(K, t1) sH(E(K, t1
))
.
.
E(K, t2)
E(K, tn-1)
E(K, tn)
sH(E(K, t2
))
sH(E(K, tn-1))
sH(E(K, tn
))
18Tuesday, February 12, 2008
© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
Field size• Field size needs to be chosen to avoid index collisions.
• If we have tags, then or
19
GF (2m)
n
# of tags n # of bits in shares m
50 12
256 16
1000 20
10000 27
2m ! n2 m ! log2(n2)
E(K, t1) sH(E(K, t1
))
E(K, t2) sH(E(K, t2
))
Need to avoid collisions
19Tuesday, February 12, 2008
© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
(15, 20) TSS scheme over GF(216)
20
!"#"$%"#!&'(#%)"$(*
++*,!'),-..%!/&,$,#
&+,-,*%0(,"!&-,+.)!
'.'*-#%)"#0#,(-.'#!
%&//(,()#*0#$$%$0'.
$%(+#.!0",(/*+#/!#)
%.+"#,$,$$)0"--+*!.
$/0/,!$"-/&$*'.("'&
#),+)000).'!'/$($+.
+,0/%#,$0(#&")#.'++
.(.++0(""'+-",,!,(#
,,-1231422512314225
'--1231422512314225
!--1231422512314225
,)-1231422512314225
,%-1231422512314225
,#-1231422512314225
,'-1231422512314225
,*-1231422512314225
,--1231422512314225
,+-1231422512314225
*--1231422512314225
!"#$
%&'(&&")&*+,-'(./012 1(*+,-'(./012
20Tuesday, February 12, 2008
© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
RFID privacy without killing
21
1. Factory 2. Distribution
Center3. De- & Re-Palletization
and transportation
4. Backroom of
retail store
5. Store
shelf6. Individual
consumers
Physically secured areas Open areas
90 cases with
72 items each
90 cases with
72 items each
10 cases with
72 items each
Between 72 and
144 items
Typically less than
10 items
TIME
5D6DB3D6542E639DBE7
887152910AA35F41B16
4810173CE1D54018A95
2A270639D6C61E0A265
34FFE1E967C6BB3BC2A
B3E86A5CD1EF786F569
3A8D61B1BB9CD00875A
BFCF15BD0F4B72AED24
69189CCC9A252FBEB8A
81CF361BCE64D96A288
AEA88CEDD280D1151E6
110deadbeefdeadbeef
200deadbeefdeadbeef
500deadbeefdeadbeef
190deadbeefdeadbeef
130deadbeefdeadbeef
160deadbeefdeadbeef
120deadbeefdeadbeef
170deadbeefdeadbeef
100deadbeefdeadbeef
180deadbeefdeadbeef
700deadbeefdeadbeef
4810173CE1D54018A95
BFCF15BD0F4B72AED24
69189CCC9A252FBEB8A
2A270639D6C61E0A265
AEA88CEDD280D1151E6
5D6DB3D6542E639DBE7
?
21Tuesday, February 12, 2008
© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
Summary • Tiny Secret Sharing (TSS) enables RFID privacy without killing
• Encryption key length is a free-variable - security can be tailored.
• TSS is protocol-independent, and completely local - no network required.
• It scales to item-level tagging
• The only resources needed are tag memory and some computing power at reader
• TSS allows use of standard cryptographic mechanisms for encryption, hashing
• TSS fits naturally in many supply-chain scenarios where we have less than 100% reads and where stray tags or counterfeits are present.
• TSS solves key-management problem - enables privacy and write/lock PIN distribution.
22
22Tuesday, February 12, 2008
© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
Key messages• Tiny Secret Sharing (TSS) enables consumer privacy now
‣ No heroic measures required
‣ No dependence on any particular standard ⇒ fully standards compliant
• Consumer privacy is achieved by exploiting the natural movement of tagged products through the supply chain
‣ Privacy through dispersion and history erasure
23
23Tuesday, February 12, 2008
© 2008 Ravi Pappu / RFID CUSP Workshop / Johns Hopkins University / January 2008 / US and International Patents Pending
What’s next? • Real implementation on ThingMagic Mercury5 reader in progress
• Discussion about implementation in real-world needs to happen
‣ Pharmaceutical supply chain appears to be ideal
• Secret sharing across time or Sliding Window Information Secret Sharing (SWISS) also detailed in paper below
• Preprint available at http://eprint.iacr.org/2008/044
• Questions: [email protected]
24
24Tuesday, February 12, 2008