Faculty of Computer Science Chair of Privacy and Data Security
Protection of the User’s Privacy in Ubiquitous E-ticketing Systems based on RFID and NFC Technologies
Ivan Gudymenko
Status talk, 12 June 2013
Outline
Introduction
Privacy Issues in E-ticketing Systems
Academic Solutions: State of the art
A Privacy-preserving E-ticketing System with Regular Billing Support (PEB)
References
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 2
Target Area
• Ubiquitous Computing (UbiComp);
– Based on RFID/NFC;
• Focus on electronic ticketing (e-ticketing).
→ Privacy protection.
E-ticket Taxonomy and Dissertation Focus
[Figure: e-ticket taxonomy. E-ticket types: 1. Online ticket; 2. Smart ticket. Application areas: public transport; event ticketing (concerts, sport events); fitness & leisure (fitness studios, ski pass).]
• Focus on public transport
E-ticketing in Public Transport
[Courtesy of MunsterscheZeitung.de]
E-ticketing: A General Application Scenario
[Figure: general application scenario, steps (1), (2a), (2b), (3). Elements shown: e-ticket (smart card or NFC); e-ticket distribution; trip begin; e-ticket check-in; check-out; on-board reader (terminal); event processing unit (e.g. GPS-based); travel records; back-end system (event storage, distance calculation, billing, customer accounts management, statistics).]
Fare Collection Approaches in E-ticketing
Fare collection approaches:
1. Electronic Paper Ticket (EPT)
2. Check-in/Check-out based (CICO)
   a) Pure CICO
   b) Seamless CICO
      i. Walk-in/Walk-out (WIWO)
      ii. Be-in/Be-out (BIBO)
• Focus on CICO-based systems
E-ticketing: Technologies and Standards
• RFID-based stack (proximity cards);
• NFC stack (NFC-enabled devices);
• Recently, CIPURSE by OSPT (Open Standard for Public Transport).
[Figure: RFID-based e-ticketing stack and NFC stack. E-ticket carriers: smart card, NFC. RFID-based stack layers: Architecture; Data Interfaces; Communication Interface. Standards shown: ISO EN 24014-1 (conceptual framework); EN 15320 (logical level, abstract interface, security); EN 1545 (data elements); ISO/IEC 7816-4 (commands, security); ISO 14443 (parts 1-3 required). NFC stack: The NFC Forum Architecture; The NFC Forum Specifications.]
Target Area: Summary
• E-ticketing systems for public transport;
• "Smart ticket" (as opposed to online ticket);
• CICO for automated fare collection;
• Underlying technologies: RFID/NFC.
E-ticketing: Concerns
• For transport companies
– High system development/deployment costs;
– Lack of well-standardized solutions;
– New infrastructure is a high-risk investment;
– Possibly low Return on Investment (ROI).
• For customers
– Reluctance to use a conventional system in a new way;
– Privacy concerns:
  • Ubiquitous customer identification;
  • Customer profiling (esp. unconsented);
  • Increased surveillance potential.
Privacy Protection: Motivation
• Rising privacy concerns in public;
• Motivation to invest in privacy for transport companies;
• A privacy-preserving solution is of mutual benefit for both parties:
– Higher acceptance among customers;
– Transport companies retain competitiveness.
Generic Privacy Threats in E-ticketing Systems
1. Unintended customer identification:
a) Exposure of the customer ID:
i. Personal ID exposure (direct identification);
ii. Indirect identification through the relevant object’s ID.
b) Exposure of a non-encrypted identifier during the anti-collision session;
c) Physical layer identification (RFID fingerprinting).
2. Information linkage;
3. Illegal customer profiling.
→ A cross-layered set of countermeasures required.
Protecting User Privacy: Problems
• Customer privacy is not the primary focus of standardization efforts;
• Several tailor-made solutions (in add-on fashion);
• No holistic approach treating privacy from the outset (in real systems).
→ Privacy by Design is required.
A Privacy-preserving E-ticketing System: Requirements
(1) Privacy
  (a) Against terminals: Identification: no; Correlation: no
  (b) Against back-end: Identification: no; Correlation: yes
  (c) Against observers: PII derivation: no
(2) Billing
  (a) Regular billing: regular billing support
  (b) Billing correctness: in accordance with fare policy
(3) Efficiency: check-in/out events handling
A General System Architecture and Requirements: An Overview
[Figure: general system architecture. E-tickets (E-ticket 1 ... E-ticket n) check in/out at terminals (Terminal 1 ... Terminal n) in real time; the terminals are connected to the back-end over a backbone network in non-real time; the back-end performs TR processing: singulation, billing, identification.]
A General System Architecture and Requirements: An Overview (1)
(1) Privacy
  (a) Against terminals: Identification: no; Correlation: no
A General System Architecture and Requirements: An Overview (2)
(1) Privacy
  (b) Against back-end: Identification: no; Correlation: yes
A General System Architecture and Requirements: An Overview (3)
(1) Privacy
  (c) Against observers: PII derivation: no
[Figure: the system architecture shown above, with an External Observer added.]
A General System Architecture and Requirements: An Overview (4)
(2) Billing
  (a) Regular billing: regular billing support
  (b) Billing correctness: in accordance with fare policy
A General System Architecture and Requirements: An Overview (5)
(3) Efficiency: check-in/out events handling
Main Goals/Research Questions
RQ: How to build a privacy-preserving e-ticketing system with the following properties?
(1) Loose coupling between front-end and back-end (scaling);
(2) Offline e-ticket validation at the terminal side:
– Valid e-tickets remain anonymous to the terminal;
– Invalid e-tickets must be rejected.
(3) Privacy-preserving travel records processing in back-end:
– With regular billing support for personalized tickets;
– Preventing direct identification (pseudonymization).
Important Evaluation Criteria
• Mutual authentication between terminals and e-ticket;
• E-ticket anonymity/untraceability against terminals;
• Trust assumptions (esp. concerning terminals);
• Back-end coupling (close/loose);
• Regular billing support.
Solutions Taxonomy: Outline
[Figure: solutions taxonomy. E-ticketing systems split into close-coupled and loosely-coupled. Close-coupled: asymmetric crypto (e-cash based); symmetric crypto (linear O(n), logarithmic ~O(log n), constant time O(1)). Loosely-coupled: fully offline and semi-offline, each split into asymmetric crypto and symmetric crypto; leaves shown: e-cash based, reader-specific tag access lists, full DB on a terminal.]
Solutions Taxonomy: Detailed
[Figure: the taxonomy above with representative schemes attached to its leaves; the close-coupled and loosely-coupled branches are broken out on the slides "Solutions Taxonomy: Close-coupled Systems" and "Solutions taxonomy: Loosely-Coupled Systems".]
Solutions Taxonomy: Close-coupled Systems
[Figure: close-coupled branch of the taxonomy. Asymmetric crypto: e-cash based, HCDF [Heydt-Benjamin et al.]. Symmetric crypto: linear O(n), logarithmic ~O(log n), constant time O(1). Labels and schemes shown: precomputation (T-M trade-off); precomputed look-up table; secrets ordering; 1-time pseudonyms [S&M]; tiered DB [Alomair et al.]; tree structure [M&W]; matrix structure [Cheon et al.]; Bloom filters [Nohara et al.]; OSK improved [Avoine et al.]; OSK [Okubo et al.]; S&M protocol [Song & Mitchell].]
Okubo et al. (OSK Protocol)
[Figure: position in the taxonomy: e-ticketing systems, close-coupled, symmetric crypto, linear O(n): OSK [Okubo et al.].]
[Okubo et al., 2003]
Okubo et al. (OSK Protocol)
• Hash chain-based; two hash functions:
– H(): used for secret refreshment;
– G(): used for untraceability against eavesdroppers.
• Hash chain for the i-th tag: $F : (i, k) \mapsto r_i^k = G(H^{k-1}(s_i^{\text{init}}))$.
[Figure: OSK hash chain between Tag (E-ticket) and Reader (Terminal): secrets $s_i$, $s_{i+1}$ linked by H; outputs $a_i$, $a_{i+1}$ derived by G.]
[Okubo et al., 2003]
OSK assessment
• Mutual authentication: no
• Untraceability against terminals: yes
• Terminals must be trusted: no
• Back-end coupling: tight
• Regular billing support: not considered
• Limited number of validations (by hash chain size k);
• Stateless by design;
• Serious scalability issues: O(kn).
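An added example (not from the talk or from Okubo et al.): a minimal Python model of the OSK hash chain and of the back-end search behind the validation limit and the O(kn) cost listed above. SHA-256 with a prefix stands in for H and G, and the names `Tag`, `BackEnd`, `build_system` and the seed secrets are constructed for illustration.

```python
import hashlib
import hmac


def H(s: bytes) -> bytes:
    """Secret refreshment (assumption: prefixed SHA-256 stands in for H)."""
    return hashlib.sha256(b"OSK-H" + s).digest()


def G(s: bytes) -> bytes:
    """Output function seen on the air (assumption: prefixed SHA-256 for G)."""
    return hashlib.sha256(b"OSK-G" + s).digest()


class Tag:
    """E-ticket: holds only the current secret and overwrites it after each use."""

    def __init__(self, s_init: bytes):
        self.s = s_init

    def respond(self) -> bytes:
        r = G(self.s)        # k-th response is G(H^(k-1)(s_init))
        self.s = H(self.s)   # the old secret is gone, so past outputs stay unlinkable
        return r


class BackEnd:
    """Keeps s_init per tag and recomputes every chain to identify a response."""

    def __init__(self, chain_len: int):
        self.k = chain_len
        self.s_init = {}
        self.candidates_checked = 0

    def register(self, tag_id: str, s_init: bytes) -> None:
        self.s_init[tag_id] = s_init

    def identify(self, r: bytes):
        """Return (tag_id, chain position) or None; worst case k*n candidates."""
        for tag_id, s in self.s_init.items():
            for pos in range(1, self.k + 1):
                self.candidates_checked += 1
                if hmac.compare_digest(G(s), r):
                    return tag_id, pos
                s = H(s)
        return None


def build_system(n_tags: int, chain_len: int):
    """Constructed sample data: n tags with deterministic demo secrets."""
    back_end = BackEnd(chain_len)
    tags = []
    for i in range(n_tags):
        s_init = hashlib.sha256(b"constructed-secret-%d" % i).digest()
        back_end.register("ticket-%d" % i, s_init)
        tags.append(Tag(s_init))
    return back_end, tags


if __name__ == "__main__":
    back_end, tags = build_system(n_tags=3, chain_len=4)
    first, second = tags[1].respond(), tags[1].respond()
    print(first != second, back_end.identify(first), back_end.identify(second))
    tags[1].respond()
    tags[1].respond()                    # chain positions 3 and 4 used up
    back_end.candidates_checked = 0
    print(back_end.identify(tags[1].respond()), back_end.candidates_checked)
```

The fifth response of a tag provisioned with k = 4 is rejected after the back-end has tried all k·n candidates, which is both the validation limit and the scaling cost named in the assessment.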
Revised Song & Mitchell’s Protocol (RSM)
[Figure: position in the taxonomy: e-ticketing systems, close-coupled, symmetric crypto, linear O(n): S&M protocol [Song & Mitchell].]
[Song and Mitchell, 2011]
Revised Song & Mitchell’s Protocol (RSM)
• Each tag has a secret s and a pseudonym t: t = h(s);
• A keyed hash function serves for tag identification and authentication (with tag pseudonym t as a key);
• The protocol is stateful;
• Refreshment of tag pseudonym and tag secret on successful mutual authentication.
[Song and Mitchell, 2011]
RSM Assessment
• Mutual authentication: yes
• Untraceability against terminals: yes
• Terminals must be trusted: no
• Back-end coupling: tight
• Regular billing support: not considered
• Scalability issues remain: O(n).
RSM-based One-time Pseudonym Protocol
• Precomputed look-up table of one-time pseudonyms for tag identification:
– Tag identification complexity O(1);
• Tag authentication is performed similarly to RSM;
• Requires re-initialization when the pseudonym pool is exhausted.
[Song and Mitchell, 2011]
Heydt-Benjamin et al. (HCDF)
[Figure: position in the taxonomy: e-ticketing systems, close-coupled, asymmetric crypto, e-cash based: HCDF [Heydt-Benjamin et al.].]
[Heydt-Benjamin et al., 2006]
Heydt-Benjamin et al. (HCDF)
• Based on e-cash, anonymous credentials, and proxy re-encryption.
• Explicitly considers public transport (a holistic framework);
• Two types of tickets:
(1) Temporally-bounded;
(2) Stored-value.
[Heydt-Benjamin et al., 2006]
Heydt-Benjamin et al. (HCDF), continued
• On enter:
– For temporally-bounded tickets: one-show validity credential;
– For stored-value tickets: accept entrance cookie $C_E$.
• On exit:
– For temporally-bounded tickets: the same;
– For stored-value tickets: reveal $C_E$, calculate price (TA), delete $C_E$ (T).
• On-the-fly price calculation on exit (for stored-value tickets).
[Heydt-Benjamin et al., 2006]
HCDF Assessment
• Mutual authentication: no (not explicit)
• Untraceability against terminals: yes
• Terminals must be trusted: no
• Back-end coupling: tight
• Regular billing support: no
• Involves asymmetric crypto on tag (ZKP).
Close-coupled Systems: Summary
[Figure: the close-coupled branch of the taxonomy, repeated from the slide "Solutions Taxonomy: Close-coupled Systems".]
Close-coupled Systems: Pros
• Terminal simplicity.
• Less trust in terminals.
• Simple infrastructure.
Close-coupled Systems: Cons
• Scaling issues.
• Back-end must be online 24/7.
• Synchronization (statefulness, possibility of DoS attacks).
• Back-end is a bottleneck and single point of failure.
Other Solutions Are Necessary
→ Some kind of decentralization is required.
Solutions taxonomy: Loosely-Coupled Systems
[Figure: loosely-coupled branch of the taxonomy. Fully offline and semi-offline systems, each split into asymmetric crypto and symmetric crypto. Leaves and schemes shown: e-cash based; reader-specific tag access lists; full DB on a terminal; PAYG [Baldimtsi et al.]; TanSL [Tan et al.]; ALM [Avoine et al.]; GR [Garcia & Rossum].]
Loosely-Coupled Systems: Semi-offline
[Figure: semi-offline part of the loosely-coupled branch, split into asymmetric crypto and symmetric crypto. Leaf and schemes shown: e-cash based; PAYG [Baldimtsi et al.]; ALM [Avoine et al.]; GR [Garcia & Rossum].]
Avoine et al. (ALM)
[Figure: position in the taxonomy: e-ticketing systems, loosely-coupled, semi-offline, symmetric crypto: ALM [Avoine et al.].]
[Avoine et al., 2009]
Avoine et al. (ALM)
• Offline tag validation using challenge-response;
• Reader-specific tag identification/authentication tuple sets (TS);
• TS are precomputed by the trusted back-end and uploaded to readers.
[Avoine et al., 2009]
Avoine et al. (ALM): Keys
• Two key types:
– Long-term tag-specific key $K_T$ shared between the back-end and a tag (not known to readers);
– Session key $k_{TR}$ is computed on-the-fly by a tag;
• $k_{TR} = f(K_T, ID_R, c_R)$
• At the reader side, $k_{TR}$ resides in TS (precomputed);
• $k_{TR}$ is bound to a specific (reader, tag) pair.
[Avoine et al., 2009]
ALM Assessment
• Mutual authentication: yes
• Untraceability against terminals: no
• Terminals must be trusted: yes
• Back-end coupling: semi-coupled (counter sync)
• Regular billing support: not considered
• Scalability issues are shifted to the reader side:
– O(n) complexity to locally identify/authenticate a tag.
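An added sketch (not code from the talk or from Avoine et al.) of the key separation and the reader-side O(n) search described on the ALM slides above. It assumes HMAC-SHA256 for f and a simple nonce-based response format, models only the tag-to-reader direction, and uses constructed names (`BackEnd`, `Tag`, `Reader`, `build_demo`) and identifiers.

```python
import hashlib
import hmac
import os


def f(K_T: bytes, reader_id: bytes, c_R: int) -> bytes:
    """k_TR = f(K_T, ID_R, c_R); HMAC-SHA256 is an assumption of this sketch."""
    msg = len(reader_id).to_bytes(1, "big") + reader_id + c_R.to_bytes(4, "big")
    return hmac.new(K_T, msg, hashlib.sha256).digest()


def respond_with(key: bytes, nonce_r: bytes, nonce_t: bytes) -> bytes:
    """Assumed response format: MAC over both 16-byte nonces under k_TR."""
    return hmac.new(key, nonce_r + nonce_t, hashlib.sha256).digest()


class Tag:
    def __init__(self, K_T: bytes):
        self.K_T = K_T

    def respond(self, reader_id: bytes, c_R: int, nonce_r: bytes):
        k_TR = f(self.K_T, reader_id, c_R)      # derived on the fly, never stored
        nonce_t = os.urandom(16)
        return nonce_t, respond_with(k_TR, nonce_r, nonce_t)


class BackEnd:
    """Trusted party: the only holder of every long-term key K_T."""

    def __init__(self):
        self.long_term = {}

    def enroll(self, tag_id: str) -> Tag:
        self.long_term[tag_id] = os.urandom(32)
        return Tag(self.long_term[tag_id])

    def tuple_set(self, reader_id: bytes, c_R: int) -> dict:
        """Precompute the reader-specific TS: one k_TR per tag, no K_T inside."""
        return {t: f(k, reader_id, c_R) for t, k in self.long_term.items()}


class Reader:
    def __init__(self, reader_id: bytes, c_R: int, ts: dict):
        self.reader_id, self.c_R, self.ts = reader_id, c_R, ts
        self.comparisons = 0

    def challenge(self):
        return self.reader_id, self.c_R, os.urandom(16)

    def identify(self, nonce_r: bytes, nonce_t: bytes, response: bytes):
        """Offline check: linear scan of the local TS, O(n) in the tag count."""
        self.comparisons = 0
        for tag_id, k_TR in self.ts.items():
            self.comparisons += 1
            if hmac.compare_digest(respond_with(k_TR, nonce_r, nonce_t), response):
                return tag_id      # the reader learns which tag it is
        return None


def build_demo(n_tags: int = 5):
    """Constructed demo system: n tags and two readers sharing counter value 1."""
    back_end = BackEnd()
    tags = {"ticket-%d" % i: back_end.enroll("ticket-%d" % i) for i in range(n_tags)}
    reader_a = Reader(b"reader-A", 1, back_end.tuple_set(b"reader-A", 1))
    reader_b = Reader(b"reader-B", 1, back_end.tuple_set(b"reader-B", 1))
    return back_end, tags, reader_a, reader_b


if __name__ == "__main__":
    back_end, tags, reader_a, reader_b = build_demo()
    rid, c_R, nonce_r = reader_a.challenge()
    nonce_t, resp = tags["ticket-4"].respond(rid, c_R, nonce_r)
    print(reader_a.identify(nonce_r, nonce_t, resp), reader_a.comparisons)
    print(reader_b.identify(nonce_r, nonce_t, resp))
```

Because each tuple set holds only keys derived for one reader, the contents of reader A's TS verify nothing at reader B, while the identifying reader still learns the tag identity, matching the "untraceability against terminals: no" entry.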
Baldimtsi et al. (PAYG)
[Figure: classification tree path: E-ticketing Systems → Loosely-coupled → Semi-offline → Asymmetric Crypto → E-cash based → PAYG [Baldimtsi et al.]]
[Baldimtsi et al., 2012]
Baldimtsi et al. (PAYG)
• Based on e-cash and anonymous credentials;
• Explicitly considers public transport;
• Single trip tickets only;
• Unique ID is encoded into the Trip Authorization Token (TAT) against double spending.
– The knowledge of the encoded ID must be proved in ZK on check-in.
[Baldimtsi et al., 2012]
Baldimtsi et al. (PAYG): System Architecture
• Online vending machines (TAT issuing, refund reimbursement)
• Offline check-in terminals:
– TAT validity check;
– Issuance of a Refund Calculation Token (RCT).
• Offline check-out terminals:
– Terminal-side fare calculation;
– Refund top-up.
• Variable pricing by attribute encoding;
[Baldimtsi et al., 2012]
PAYG: Issues to Consider
• Refund-based system (refund aggregation into Refund Token);
• Nuisance for users (additional effort for refund reimbursement);
• All reimbursed refund tokens must be stored in back-end to prevent refund double spending (for each single trip);
• Actual fare calculation during check-out (no complex pricing schemes possible);
PAYG: Assessment
• Mutual authentication: no
• Untraceability against terminals: yes
• Terminals must be trusted: no
• Back-end coupling: semi-coupled
• Regular billing support: no
• Involves asymmetric crypto on tag (ZKP).
Loosely-Coupled Systems: Fully-offline
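[Figure: classification tree for fully-offline loosely-coupled e-ticketing systems. Node labels: E-ticketing Systems; Loosely-coupled; Fully Offline; Asymmetric Crypto; Symmetric Crypto; E-cash based; Reader-specific Tag Access Lists; Full DB on a terminal; TanSL [Tan et al.]]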
Tan et al. (TanSL)
[Figure: classification tree path: E-ticketing Systems → Loosely-coupled → Fully Offline → Symmetric Crypto → Reader-specific Tag Access Lists → TanSL [Tan et al.]]
[Tan et al., 2007]
Tan et al. (TanSL)
• A basis for a more profound protocol
– ALM by Avoine et al.
• Reader-specific tag access list (as in ALM);
• Authentication is bound to a concrete (reader, tag) pair;
• Fully offline tag identification and authentication;
• No regular secret refreshment (unlike ALM);
[Tan et al., 2007]
TanSL: Assessment
• Mutual authentication: yes
• Untraceability against terminals: no
• Terminals must be trusted: yes
• Back-end coupling: fully offline
• Regular billing support: not considered
• Scalability issues are shifted to the reader side:
– O(n) complexity to locally identify/authenticate a tag.
Loosely-coupled Systems: Summary
[Figure: classification tree of loosely-coupled e-ticketing systems. Node labels: E-ticketing Systems; Loosely-coupled; Fully Offline; Semi-offline; Asymmetric Crypto and Symmetric Crypto (under each); E-cash based; Reader-specific Tag Access Lists; Full DB on a terminal. Leaves: PAYG [Baldimtsi et al.]; TanSL [Tan et al.]; ALM [Avoine et al.]; GR [Garcia, Rossum]]
Loosely-coupled Systems: Pros
• Loosely coupled system components
– Better scaling (compared to close-coupled systems);
• Terminal-side e-ticket validation (efficiency);
Loosely-coupled Systems: Cons
• More intelligence at the terminal side is required;
• Contradicting requirements:
– Validate e-tickets;
– Without identifying/tracking them.
• Terminals operate on the tag data containing identifiable information;
→ Privacy – validation trade-off.
• Decentralized infrastructure is harder to manage (updates, uploads, etc.).
State-of-the-art: Final Overview
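The most relevant approaches reviewed:

| Criteria | PAYG [1] | HCDF [2] | SVW [3] | GR [4] | ALM [5] | OSK [6] | RSMP [7] |
|---|---|---|---|---|---|---|---|
| Explicitly cons. PT | yes | yes | yes | yes | no | no | no |
| Anonym. against term. | yes | yes | p | no | no | yes | yes |
| Untraceab. against term. | yes | yes | p | no | no | yes | yes |
| Mutual authentication | no | no | no | no | yes | no | yes |
| Crypto primitives used: Symmetric | no | yes | yes | yes | yes | no | yes |
| Crypto primitives used: Hash | yes | yes | no | yes | no | yes | yes |
| Crypto primitives used: Asymmetric | yes | yes | p | no | no | no | no |
| Back-end coupling: Tight | – | yes | – | – | – | yes | yes |
| Back-end coupling: Semi-coupl. | yes | – | – | yes | yes | – | – |
| Back-end coupling: Loose | – | – | yes | – | – | – | – |
| Tamp. resist. required | ∅ | ∅ | p | ∅ | ∅ | no | no |
| Regular billing | no | no | no | ∅ | ∅ | ∅ | ∅ |
| Involves extern. device | no | no/p | yes | no | no | no | no |
| BE is trusted | no | no | yes | yes | yes | yes | yes |
| ATs are trusted | no | no | yes | yes | yes | no | no |
| Revocation is possible | yes | yes | yes | yes | yes | yes | yes |
| Dynamic extensibility | yes | yes | yes | no | no | yes | no |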
State of the Art: Focused
The most relevant approaches reviewed:

| Criteria | PAYG [1] | HCDF [2] | SVW [3] | GR [4] | ALM [5] | OSK [6] | RSMP [7] |
|---|---|---|---|---|---|---|---|
| Anonymity terminals | yes | yes | p | no | no | yes | yes |
| Untraceability terminals | yes | yes | p | no | no | yes | yes |
| Mutual authentication | no | no | no | no | yes | no | yes |
| Close-coupling | no | yes | no | no | no | yes | yes |
| Regular billing | no | no | no | ∅ | ∅ | ∅ | ∅ |
| BE is trusted | no | no | yes | yes | yes | yes | yes |
| ATs are trusted | no | no | yes | yes | yes | no | no |

Legend: ∅ – not considered; p – partially provided;
Recall: System Requirements
(1) Privacy
(a) Against terminals: Identification: no; Correlation: no
(b) Against back-end: Identification: no; Correlation: yes
(c) Against observers: PII Derivation: no
(2) Billing
(a) Regular Billing: Regular billing support
(b) Billing Correctness: In accordance with fare policy
(3) Efficiency: Check-in/out events handling
A Privacy-preserving E-ticketing System with Regular Billing Support (PEB)
• Protect privacy while allowing various pricing schemes in back-end;
• Pricing schemes are fully independent of system architecture;
• A reasonable trade-off is allowed:
– In front-end. Different sessions between an e-ticket and terminal/s are completely unlinkable;
– In back-end. Back-end may correlate different sessions to an e-ticket pseudonym.
Attacker Model
(1) (Outsider) No PII derivation by external observers (front-end sessions).
(2) (Insider) No tracking and identification of valid e-tickets by terminals.
(3) (Insider) No direct identification by back-end.
→ Insider/outsider with respect to the involvement into the system flow.
PEB: System Architecture
[Figure: PEB system architecture. Components: E-tickets 1…n; Terminals 1…n; check-in/out backbone network; back-end with Transport Authority (TA; TR processing: singulation, billing) and External TTP (user identification, end billing). Real-time steps between e-tickets and terminals: 1. SC establishment, 2. mutual authentication, 3. BL check. Non-real-time exchange with the back-end: send TR, update BL. TA passes (Bill, Pseudonym) to the TTP; TTP: send bill.]
PEB: Pseudonymization
• For each e-ticket, TTP creates a static pseudonym $P_i^T$;
– Mapping $P_i^T \mapsto ID$ is kept secret by TTP;
• $P_i^T$ is sent to TA;
• TA includes it into its static pseudonym set: $P_i^T \in P^T$;
• TA, therefore, operates only on pseudonyms in $P^T$;
PEB: Pseudonymization (continued)
• TA possesses an asymmetric key pair: $(k^+_{ta}, k^-_{ta})$;
• Front-end e-ticket pseudonyms: $P_i^A = E_{k^+_{ta}}(P_i^T)$
– Required for terminal-side black list checking.
• E-tickets are parameterized with $P_i^A$;
• E-ticket ↔ terminal: a session pseudonym on each interaction (anti-tracking): $SP_j = E_{k^+_{ta}}(P_i^A \cdot r_j)$.
PEB: Pseudonymization (continued)
[Figure: the PEB system architecture diagram again, annotated with the pseudonym flow: session pseudonyms $SP_1, SP_2, \ldots, SP_j$ reach the Transport Authority (TA); TA decrypts them to $P_i^T$ and forms (Bill, $P_i^T$); the External TTP resolves $P_i^T$ to ID and forms (Bill, ID); send bill.]
PEB: Privacy-preserving BL Checking
• Based on the inherent homomorphism of an encryption scheme in use: $P_i^A = E_{k^+_{ta}}(P_i^T)$;
• Malleability property: $E(x \cdot r) = E(x)^r$;
• On validation, an e-ticket presents a tuple to a terminal: $SP_T \leftarrow (E(x \cdot r), E(r))$;
• Black list: $\{y : y \in BL\}$;
• Check $SP_j$ against the BL: $\forall y \in BL,\ E(r) \in SP_T:\ c \leftarrow E(r)^y$; $c \stackrel{?}{=} E(x \cdot r)\ \ \forall c \in C$.
BL Checking: A Choice of a Suitable Encryption
• Based on the discrete exponentiation function
• $E(x) = g^x \pmod p$
• Malleability property: $E(x \cdot r) = g^{(x \cdot r)} = (g^x)^r = E(x)^r \pmod p$.
• Other inherently homomorphic deterministic schemes possible.
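The black-list check from the two preceding slides, written out as an added example (not code from the talk): the e-ticket presents (E(x·r), E(r)) with a fresh r, and the terminal raises E(r) to every black-listed y. Assumptions of this example: a toy safe prime of about 61 bits found at start-up, generator g = 4, integer pseudonym values that are constructed sample data, and the function names.

```python
"""Toy model of the PEB black-list check with E(x) = g^x mod p (added example)."""
import secrets

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin; deterministic for n < 2^64 with the bases above."""
    if n < 2:
        return False
    for b in BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(start):
    """First safe prime p = 2q + 1 (q prime) with q >= start."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

# Toy parameters (assumption of this example): about 61 bits, demonstration only.
P, Q = safe_prime(1 << 60)
G = 4   # 4 = 2^2 is a quadratic residue mod P, so it generates the order-Q subgroup

def E(x):
    """The slide's E(x) = g^x (mod p); exponents are reduced mod the group order."""
    return pow(G, x % Q, P)

def session_tuple(x, r=None):
    """E-ticket: pick a fresh r per interaction and present (E(x*r), E(r))."""
    if r is None:
        r = secrets.randbelow(Q - 1) + 1        # r in [1, Q-1], never 0
    return E(x * r), E(r)

def is_blacklisted(sp, blacklist):
    """Terminal: for each y in BL compute c = E(r)^y and compare with E(x*r)."""
    e_xr, e_r = sp
    return any(pow(e_r, y, P) == e_xr for y in blacklist)

def demo():
    # Constructed pseudonym values standing in for the slide's x and y.
    valid_a, valid_b, revoked = 0x1A2B3C4D5E, 0x0F1E2D3C4B, 0x7777AAAA01
    blacklist = [0x5555BBBB02, revoked]
    first, second = session_tuple(valid_a), session_tuple(valid_a)
    return {
        "malleability_holds": E(valid_a * 12345) == pow(E(valid_a), 12345, P),
        "same_ticket_sessions_differ": first != second,
        "valid_a_blocked": is_blacklisted(first, blacklist),
        "valid_b_blocked": is_blacklisted(session_tuple(valid_b), blacklist),
        "revoked_blocked": is_blacklisted(session_tuple(revoked), blacklist),
    }

if __name__ == "__main__":
    print(demo())
```

The terminal pays one modular exponentiation per black-list entry, and any party that holds a pseudonym value y can run the same test against an observed tuple, so the sessions are unlinkable only towards parties that do not know x.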
PEB: Discussion
• Loosely-coupled system;
• Mutual identification due to group signatures;
• Revocation: black lists:
– Encrypted black lists possible;
– Alternatively, dynamic accumulators can be used [8].
• To enhance performance, anonymity set can be reduced in a controllable way;
• Our system fully satisfies the requirements.
State-of-the-art Overview and PEB
The most relevant approaches reviewed:

| Criteria | PAYG [1] | HCDF [2] | SVW [3] | GR [4] | ALM [5] | OSK [6] | RSMP [7] | PEB |
|---|---|---|---|---|---|---|---|---|
| Anonymity terminals | yes | yes | p | no | no | yes | yes | yes |
| Untraceability terminals | yes | yes | p | no | no | yes | yes | yes |
| Mutual authentication | no | no | no | no | yes | no | yes | yes |
| Close-coupling | no | yes | no | no | no | yes | yes | no |
| Regular billing | no | no | no | ∅ | ∅ | ∅ | ∅ | yes |
| BE is trusted | no | no | yes | yes | yes | yes | yes | no |
| ATs are trusted | no | no | yes | yes | yes | no | no | no |

Legend: ∅ – not considered; p – partially provided;
Current Progress
• The first results were presented at PECCS-2013 in Barcelona (see [9]);
• The paper presenting the core architecture has been accepted to the IFIP-2013 Summer School.
• Contacts with industry: DVB are interested, Secunet;
• Supervision of two students helping to validate the concept.
References I
[1] F. Baldimtsi, G. Hinterwalder, A. Rupp, A. Lysyanskaya, C. Paar, and W. P. Burleson, “Pay as you go,” in Workshop on hot topics in privacy enhancing technologies, HotPETs 2012, http://petsymposium.org/2012/papers/hotpets12-8-pay.pdf, 2012.
[2] T. S. Heydt-Benjamin, H.-J. Chae, B. Defend, and K. Fu, “Privacy for Public Transportation,” in Proceedings of the 6th international conference on Privacy Enhancing Technologies, PET’06, (Berlin, Heidelberg), pp. 1–19, Springer-Verlag, 2006.
[3] A.-R. Sadeghi, I. Visconti, and C. Wachsmann, “User Privacy in Transport Systems Based on RFID E-Tickets,” in Workshop on Privacy in Location-Based Applications (PILBA 2008), vol. 5283 of Lecture Notes in Computer Science, Springer-Verlag, October 2008. Malaga, Spain.
[4] F. Garcia and P. Rossum, “Modeling Privacy for Off-Line RFID Systems,” in Smart Card Research and Advanced Application (D. Gollmann, J.-L. Lanet, and J. Iguchi-Cartigny, eds.), vol. 6035 of Lecture Notes in Computer Science, pp. 194–208, Springer Berlin Heidelberg, 2010.
[5] G. Avoine, C. Lauradoux, and T. Martin, “When Compromised Readers Meet RFID,” in Information Security Applications (H. Y. Youm and M. Yung, eds.), vol. 5932 of Lecture Notes in Computer Science, pp. 36–50, Springer Berlin Heidelberg, 2009.
[6] M. Ohkubo, K. Suzuki, and S. Kinoshita, “Cryptographic Approach to “Privacy-Friendly” Tags,” in RFID Privacy Workshop, 2003.
[7] B. Song and C. J. Mitchell, “Scalable RFID security protocols supporting tag ownership transfer,” Comput. Commun., vol. 34, pp. 556–566, Apr. 2011.
References II
[8] J. Camenisch and A. Lysyanskaya, “Dynamic Accumulators and Application to Efficient Revocation of Anonymous Credentials,” in Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology, CRYPTO ’02, (London, UK), pp. 61–76, Springer-Verlag, 2002.
[9] I. Gudymenko, “On Protection of the User’s Privacy in Ubiquitous E-ticketing Systems Based on RFID and NFC Technologies,” in 3rd International Conference on Pervasive and Embedded Computing and Communication Systems, PECCS-2013, pp. 86–91, Feb. 2013.
[10] A. Juels and R. Pappu, “Squealing Euros: Privacy Protection in RFID-Enabled Banknotes,” in Financial Cryptography 03, pp. 103–121, Springer-Verlag, 2002.
[11] T.-L. Lim, T. Li, and S.-L. Yeo, “Randomized Bit Encoding for Stronger Backward Channel Protection in RFID Systems,” in Proceedings of the 2008 Sixth Annual IEEE International Conference on Pervasive Computing and Communications, PERCOM ’08, (Washington, DC, USA), pp. 40–49, IEEE Computer Society, 2008.
[12] W. Choi and B.-h. Roh, “Backward Channel Protection Method for RFID Security Schemes Based on Tree-Walking Algorithms,” in Computational Science and Its Applications - ICCSA 2006 (M. Gavrilova, O. Gervasi, V. Kumar, C. Tan, D. Taniar, A. Laganà, Y. Mun, and H. Choo, eds.), vol. 3983 of Lecture Notes in Computer Science, pp. 279–287, Springer Berlin / Heidelberg, 2006.
[13] T.-L. Lim, T. Li, and S.-L. Yeo, “A Cross-layer Framework for Privacy Enhancement in RFID systems,” Pervasive and Mobile Computing, vol. 4, no. 6, pp. 889–905, 2008.
[14] I. Gudymenko, “Protection of the User’s Privacy in Ubiquitous RFID Systems,” Master’s thesis, Technische Universität Dresden, Faculty of Computer Science, December 2011.
Thank you for your attention!
Questions? Comments? Suggestions?
Backup Slides
E-ticketing: Main Advantages
• For transport companies
– decrease in system maintenance costs;
– significant reduction of payment handling costs;
– fare dodgers rate improvement;
– better support of flexible pricing schemes;
– support of multiapplication/nontransit scenarios;
– a high interoperability potential.
• For customers
– faster verification of an e-ticket;
– “pay as you go”;
– flexible pricing schemes;
– increased usability.
Generic Countermeasures
| Threats | Countermeasures |
|---|---|
| 1. Unintended customer identification: | |
| a) Exposure of the customer ID: | |
| i. Personal ID exposure (direct) | Privacy-respecting authentication; ID encryption/randomization; access-control functions [10] |
| ii. Indirect identification | ID encryption |
| b) Unencrypted ID during anti-collision | Randomized bit encoding [11]; bit collision masking [12, 13] (protocol dependent) |
| c) PHY-layer identification | Shielding; switchable antennas [14] |
| 2. Information linkage | Anonymization (in front-end and back-end): threat 1 countermeasures; privacy-respecting data processing |
| 3. Illegal customer profiling | Privacy-respecting data storage (back-end); the same as in threat 1 |

• Difficult to apply in a joint fashion.
Revised Song & Mitchell’s Protocol (RSM) [7]
Server $S$ holds $[T: s, t, \hat{s}, \hat{t}]$; tag $T$ holds $[t]$.
1. $S$: generate $r_1$. $S \to T$: $r_1$
2. $T$: generate $r_2$; $M_1 = t \oplus r_2$; $M_2 = f_t(r_1 \| r_2)$. $T \to S$: $r_1, M_1, M_2$
3. $S$: find $t$ in the DB s.t. $M_2 = f_t(r_1 \| (M_1 \oplus t))$; $r_2 = M_1 \oplus t$; $M_3 = s \oplus f_t(r_2 \| r_1)$. $S \to T$: $r_1, M_3$
4. $S$: $\hat{s} \leftarrow s$; $\hat{t} \leftarrow t$; $s \leftarrow (s \ll l/4) \oplus (t \gg l/4) \oplus r_1 \oplus r_2$; $t \leftarrow h(s)$
5. $T$: $s = M_3 \oplus f_t(r_2 \| r_1)$; if $h(s) = t$, $t \leftarrow h((s \ll l/4) \oplus (t \gg l/4) \oplus r_1 \oplus r_2)$
Figure 1: The revised SM protocol
• The look-up table contains a number of entries for each tag, one for each element of a tag-specific hash-chain. Elements from this hash-chain are used as tag identifiers (and as database keys to identify tags). A keyed hash function is used to generate each hash-chain, using a secret key shared by the tag and server. The hash-chain length, $m$, determines the number of tag identifiers that can be produced using any one key.
• The operation of the protocol (described in detail in section 5.3) can be divided into three cases, as follows (see also Table 1):
1. Case 1: for each of the first $m - 1$ queries of a tag, the protocol process only involves tag authentication and requires just two messages. To authenticate a tag, the server searches a look-up table, taking constant time.
2. Case 2: on the $m$th query of a tag, the protocol updates the secrets shared by the server and tag, as well as providing tag authentication. This process requires an additional message. The server takes O(1) work to authenticate a tag, as in case 1.
3. Case 3: if a tag is queried more than $m$ times, which should not normally happen, then a revised version of the SM protocol is performed; this requires the server to perform a linear search with complexity O(n).
• For server authentication (in cases 2 and 3), for each tag the server holds a secret $s$ that only it knows, as in the schemes presented in [12, 8].
HCDF: Session Description
Authorized Reader ($F$) and Ticket ($TX$):
1. $F \to TX$: $t$
2. $TX$: $r \in_R \{0,1\}^{ln}$; $S \leftarrow t \| r$; $C \leftarrow E_{K^+_{TA}}(S)$
3. $TX \to F$: $C$
4. $F$: $C' \leftarrow RE(C)$; $S \leftarrow D_{K^-_F}(C')$
5. $F \leftrightarrow TX$: $E_S(\text{transaction})$
Fig. 2. Authentication of reader to ticket using re-encryption (RE) allows $F$ to translate ciphertext encrypted with $K^+_{TA}$ to ciphertext which can be decrypted with $K^-_F$. Thus the private key of TA remains offline. This re-encryption can only happen if $F$ possesses an appropriate non-expired delegation key. Proof of possession of this delegation key is the mechanism by which $F$ demonstrates that it is authorized. This protocol provides a secure channel while matching the resource constraints of the different devices.
demonstrates that it is authorized by using its delegation key to transform $C$ into a form which it can then decrypt with its own private key. The fact that $F$ is then able to reply to $TX$ with a well-formed message encrypted with session-key $S$ demonstrates that $F$ is authorized (possesses a non-expired delegation key).
Once $TX$ is satisfied that it is talking to an authorized reader it updates its logical clock to value $t$. If it ever receives a communication with a timestamp less than $t$, the communication will be assumed to be adversarial, and the protocol will be aborted. $TX$ also uses $t$ to refuse to divulge any information about cookies it holds which have expired.
Since $t$ increases monotonically (which can be monitored by HPDs, and discrepancies will also be eventually caught by passive transponders) and $r$ is chosen by $TX$, neither $F$ nor $TX$ can cheat at this protocol in such a way as to make a replay attack possible. $S$ can only be decrypted by a reader with an unexpired delegation key (up to the strength of the underlying public-key and re-signature cryptosystems). This suffices for the security (up to underlying primitives) of the challenge-response.
6.2 createTicket(TV, TX, U) → TX
Once the session key $S$ is negotiated as discussed above, a stored-value ticket can be created by calling CreateTokens(TV, TX, ν) resulting in a new wallet which is then stored on $TX$. The protocol for creation of a temporally bounded ticket is similar, except that in place of CreateTokens, FormNym and GrantCred must be executed with respect to some time interval λ which the user has chosen
• Session key generation: $S \leftarrow t \| r$;
• Exchange $S$ using non-expired delegation key (re-encryption);
Avoine et al. (ALM)
Reader R stores: IdR, cR; IdT, kTR = EKT(IdR, cR)
Tag T stores: IdT, KT, cT
(1) R → T: IdR, cR, nR
(2) T → R: EkTR(nR, nT)
(3) R → T: nT
(4) at T
Fig. 6. Authentication protocol.
Back-End B stores: IdR, IdT, KT, cB
Reader R stores: IdR, cR; IdT, kTR = EKT(IdR, cR)
(1) B → R: IdT, cup, kTRup
(2) at R
Fig. 7. Key update protocol.
Initialization. When the system is set up, each tag T is assigned with the following values:
– a unique identifier IdT,
– a long-term key KT,
– three counters cB, cR and cT, initially synchronized and all equal to zero.
And during this set up, each reader R is assigned with the following values:
– a unique identifier IdR,
– for every tag T, its identifier and an encryption of its secret: IdT, kTR = EKT(IdR, cR).
B stores IdR, IdT, KT and cB.
R stores IdR, cR, IdT and kTR = EKT(IdR, cR).
T stores IdT, KT, cT.
Authentication. The authentication protocol consists of four steps (see Fig. 6):
(1) The reader sends to the tag its identifier IdR, the counter cR and a nonce nR.
(2) The tag checks the value cR it receives:
– If cR ≥ cT, it computes the key kTR = EKT(IdR, cR). Then, it picks a nonce nT and answers the encryption EkTR(nR, nT) to the reader.
– If cR < cT, the protocol aborts.
(3) The reader decrypts the received message with the symmetric key kTR, and verifies the value nR. Then, it sends to the tag the recovered value nT.
(4) T checks the validity of nT: if so and cR > cT, it updates cT to the value cR (cT ← cR).
• TS ← {(IDT, kTR)} ∀T
• kTR ← EKT(IDR, cR)
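The four authentication steps above, as an added sketch that is not code from the talk or from the ALM paper. HMAC-SHA256 stands in for the cipher E, and the names `Tag`, `derive_ktr`, `enc`, `dec` and `authenticate` are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256, an assumed stand-in for the cipher E of the protocol."""
    return hmac.new(key, data, hashlib.sha256).digest()

def derive_ktr(kt: bytes, id_r: bytes, c_r: int) -> bytes:
    """kTR = E_KT(IdR, cR): a key bound to one reader and one counter value."""
    return prf(kt, id_r + c_r.to_bytes(4, "big"))

def enc(key: bytes, n_r: bytes, n_t: bytes) -> bytes:
    """Models E_kTR(nR, nT): nT masked with a keystream, plus a MAC over both nonces."""
    pad = prf(key, b"pad" + n_r)[:16]
    masked = bytes(a ^ b for a, b in zip(n_t, pad))
    return masked + prf(key, b"mac" + n_r + n_t)

def dec(key: bytes, n_r: bytes, blob: bytes):
    """Step (3) at the reader: recover nT and verify nR; None on failure."""
    pad = prf(key, b"pad" + n_r)[:16]
    n_t = bytes(a ^ b for a, b in zip(blob[:16], pad))
    ok = hmac.compare_digest(blob[16:], prf(key, b"mac" + n_r + n_t))
    return n_t if ok else None

class Tag:
    def __init__(self, id_t: bytes, kt: bytes):
        self.id_t, self.kt, self.c_t = id_t, kt, 0
        self.pending = None

    def step2(self, id_r: bytes, c_r: int, n_r: bytes):
        if c_r < self.c_t:
            return None                        # cR < cT: the protocol aborts
        self.pending = (c_r, os.urandom(16))   # remember cR and the fresh nT
        return enc(derive_ktr(self.kt, id_r, c_r), n_r, self.pending[1])

    def step4(self, n_t) -> bool:
        c_r, expected = self.pending
        if n_t is None or not hmac.compare_digest(n_t, expected):
            return False                       # reader did not prove knowledge of kTR
        self.c_t = max(self.c_t, c_r)          # cT <- cR when cR > cT
        return True

def authenticate(tag: Tag, id_r: bytes, c_r: int, k_tr: bytes) -> bool:
    """One run of Fig. 6 for a reader holding the key k_tr and claiming counter c_r."""
    n_r = os.urandom(16)                       # step (1): IdR, cR, nR
    blob = tag.step2(id_r, c_r, n_r)           # step (2): E_kTR(nR, nT) or abort
    if blob is None:
        return False
    return tag.step4(dec(k_tr, n_r, blob))     # steps (3) and (4)
```

Once a tag has accepted a reader at a higher counter, a key derived for an older counter is refused at step (2), and claiming a newer counter without the matching key fails at step (4).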
Tan et al. (TanSL)
(5) For every entry T in L, the reader computes H′ = h(h(IdR||tT)||nR||nT) with H′ = Hb′||He′, and checks if Hb matches with Hb′:
– If so and k ≤ (ℓ−b)/2, it sends to T the answer ansR to the question quesR. Thus, ansR represents the actual bits in positions quesR^1, quesR^2, . . . , quesR^k of He′.
– Else it sends ansR = rand where rand is a random bit string of length k.
In turn, it sends a question quesT = (quesT^1, quesT^2, . . . , quesT^k), built like quesR.
(6) The tag T checks if ansR is correct:
– If so and {∀x, y, quesR^x ≠ quesT^y}, it sends to R the answer ansT to the question quesT.
– Else it sends ansT = rand.
(7) The reader R verifies the answer ansT.
Reader R stores: IdR, L = [IdT : h(IdR||tT)]
Tag T stores: IdT, tT
(1) R → T: request
(2) T → R: nT
(3) R → T: IdR, nR
(4) T → R: Hb, quesR
(5) R → T: ansR, quesT
(6) T → R: ansT
(7) at R
Fig. 5. TanSL protocol.
4 Security Analysis
We now study the security of all the previous protocols in the different scenarios defined in Section 2.
4.1 Tag Impersonation
As authentication protocols are designed by nature to be secure in the context of Scenario 1, we only focus in Section 4.1 on Scenario 2.
Scenario 2. For SK-based challenge/response protocols, once the adversary compromised a reader, she knows all the secrets stored by the reader. She is so able to impersonate any tag.
For signature schemes and zero-knowledge protocols (including GPS), the private key used to answer to the challenges is only known by the tag. Thus even if the adversary compromises a reader, she does not know the tags’ private keys. She cannot impersonate them.
Regarding WIPR, an adversary who compromised a reader R knows its public and private keys (n and (p, q)) and the tags’ identifiers. The result is that she will be able to impersonate any tag to every reader.
For the TanSL protocol, an adversary can obtain from a compromised reader R its identifier IdR and the list L containing all (IdT : h(IdR||tT)), for every tag T. The adversary will not be able to impersonate a tag T in front of any other non-compromised reader R′. Indeed, she does not know the tag’s secret tT, thus she is not able to compute the symmetric key h(IdR′||tT) shared between R′ and T.
Client-Side Fare Calculation: Toll Pricing
• Decentralized approach to fare calculation;
• Privacy preservation by client-side fare calculation;
• Enforcement through spot checks, ZKP of the validity of the committed values, etc.;
• The price calculation flow may be fairly complex (involves several non-colluding parties);
• Substantial computational and operational overhead for users;
→ Not well suited for a target e-ticketing system.