security and privacy in rfidprai175/isgstudentsem07/rfid... · 2007-11-17 · security and privacy...

Security and privacy in RFID

Jihoon Cho

ISG PhD Student Seminar

8 November 2007

RFID Primer Passive RFID tags Issues on Security and Privacy Basic Tags Symmetric-key Tags Conclusion

Outline

1 RFID Primer

2 Passive RFID tags

3 Issues on Security and Privacy

4 Basic Tags

5 Symmetric-key Tags

6 Conclusion


Radio Frequency Identification

RFID is a family of emerging technologies for automated identification of objects andpeople, and the system components are

1 RFID tag

attached/embedded to/into items to be identifiedtransmits data over the air in response to interrogation by an RFID readerconsists of coupling element for communications (and also possibly powersupply) and microchip

2 RFID reader

forms the radio interface to tagsprovides high-level interface to a host computer system to transmit thecaptured tag data

3 Back-end Server

maintains relevant information for identification process


RFID tags


Active vs. Passive

Active tags Passive tags

Power Source battery powered powered by radio waves

Life limited by battery unlimited

Range up to hundreds of meters up to 3-5m

Cost $ 10-100 $ 0.10-1


Current RFID applications

1 Supply-chain/inventory managementElectronic Product Code (EPC) tags (under development)containers and crates/pallets tracking

2 Asset-tracking systemhealth-care information system (partly currently used)(drug/medicine identification and staff/patient tracking)e-passport (under development)children and animal (pet) trackinglibrarybaggage handling in airport

3 Access controlproximity cardcar immobiliser

4 Contactless payment systemSpeedPassTM, American Express ExpressPayTM, Mastercard PayPassTM


RFID becomes ubiquitous

Advantages of RFID

RFID has been originally suggested as a successor to the optical barcode1 Automation

- no line-of-sight contact with readers and no human intervention2 Unique identification

- not only a generic product identifier but an individual serial number

What’s behind RFID

1 Efforts of large organisations such as WalMart, US DoD, and etc2 Tag cost dropping and RFID standardisation3 Development of EPC technologies


Electronic Product Code & EPCglobal

1 EPC tag is a Barcode-type RFID device

2 EPCgolbal : an organization set up to achieve world-wide adoption andstandardization of EPC technology

3 EPCglobal is currently working onreader and tag communication protocolsmiddleware between reader and enterprise systemsObject Name Service (ONS) with VeriSignEPC Information Service (EPC-IS) and EPC Discovery Service (EPC-DS)


RFID Standards

1 Standards for logistic applicationsISO/IEC 18000ISO/IEC 15961-15963ISO/IEC 15418

2 Standards for automatic livestock identificationISO 11784-11785ISO14223

3 Standards for vicinity coupling cardsISO/IEC 10373ISO/IEC 10536ISO/IEC 14443ISO/IEC 15693

4 Supply-chain managementEPC (under development)


Outline

1 RFID Primer

2 Passive RFID tags


4 Basic Tags


6 Conclusion


Issues on passive tags

1 Passive tags with very limited memory and logical gates will be mostly deployedin mass market

2 Most of current privacy concerns focus on applications using passive tags, andthose include

smart check-out in supermarketRFID-enabled banknotemedical drugs and luxury goodshuman identification through tag injection under skin

3 Active tags are assumed to provide strong security and privacy protection withstrong cryptographic primitives


Coupling and Frequencies

1 Frequency bandsLF (Low Frequency): 124-135 kHzHF (High Frequency): 13.56 MHzUHF (Ultra High Frequency): 868/915 MHzMW (Microwave): 2.45 and 5.8 GHz

2 Due to process known couplingInductive coupling within the near field regionElectromagnetic coupling in the far field


Outline

1 RFID Primer

2 Passive RFID tags


4 Basic Tags


6 Conclusion


Read range issues

1 Nominal read rangemaximum distance at which a normally operating reader (with ordinaryantenna and ordinary power output) can reliably scan tag dataex. ISO 14443 : 10cm

2 Rogue read rangea determined attacker might still achieve longer distances using largerantenna and/or higher signal transmission powerex. ISO 14443 : 50cm

3 Tag-to-reader eavesdropping read rangeonce a tag is powered, a second reader can monitor resulting tag emissionswithout itself outputting signalmight be longer than rogue read range

4 Reader-to-tag eavesdropping read rangethis signal can be received hundreds of meters away


Privacy


Privacy (I)

Tags respond to reader interrogation without alerting their owners or bears, andmost tags emit unique identifiers

1 Location privacy

pooled several clandestine scans reveals a tag bearer’s whereabout along atag reading infrastructure

2 Data privacy

certain tags such as EPC tags carry information about itemsEPC tag bearers are subject to clandestine inventorying

Privacy, however, is not just consumer concerns - ex. military or company supply-chainmanagement


Privacy (II)

1 Euro banknotein 2001, European Central Bank planed to embed RFID tags into banknoteas anti-counterfeiting measureit seems increasingly implausible due to technical difficulties

2 Human-implantable chipsVeriChipTM for health-care information systemflamed the passion of privacy advocates

3 E-passportICAO (International Civil Aviation Organisation) promulgated the guidelinefor RFID-enabled passportthe US has mandated the adoption of these standards by ‘VISA-waiver’countriesdelayed due to technical challenges


Authentication

1 Privacy concerns that bad readers harvest information from good tags, butauthentication concerns that good readers detect bad tags

2 EPC tags are vulnerable to simple counterfeiting attacks

3 Detect cloning by consistent and centralised data collection, but not alwayspossible

4 Various countermeasures but permit limited solutions


Adversary Model

1 RFID system is secure and private for what?

formal model that characterises the capabilities of potential adversaries - asform of a game in cryptography

2 We need formulation of weakened security models that accurately reflectsreal-world threat and real-world tag capabilities

3 Multiple communication layers in RFID systems

cryptographic security models captures top-layer communication protocolsbetween tags and readersneed to consider low layer and physical levels of communications

4 Security models in literatures

Okubo, Szuki, and Kinoshita (’03) (symmetric-tags)Juels (’04) - Minimalist security model (basic tags)Juels and Weis (’06) - Strong privacy model (symmetric-key tags)Avoine (’05)Zhang and King (’08)


Outline

1 RFID Primer

2 Passive RFID tags


4 Basic Tags


6 Conclusion


Killing

1 “Dead tags cannot talk” - Kill the TAG

2 Currently in EPC Class-1 Gen-2 tags

3 When an EPC tag receives a kill command from a reader, it renders itselfpermanently inoperative

4 Kill command is PIN-protected

5 It eliminates all of the post-purchase benefits of RFID


Re-naming approaches : Minimalist

1 Tags contain small collection of pseudonyms and release a different one uponeach reader inquiry

2 Throttle tag repliesto prevent rogue readers rapidly reading out all available pseudonyms oftags in a single sweep, it slows down response for quick interrogations


Re-naming approaches : re-encryption (I)

1 Juels and Pappu (’03) proposed public key re-encryption scheme to enhanceconsumer privacy for RFID-enabled banknote

2 Schemelaw enforcement holds private/public key pair (x , y) of ElGamal encryptionschemebanknote serial number s encrypted to c = Ey (s)to prevent malicious tracing, c is periodically re-encrypted to c′

to prevent malicious writing, keyed writing by optical-scanning the banknote

3 They introduced the principle that cryptography can enhance tag privacy, evenwhen tags themselves cannot perform cryptographic operations


Re-naming approaches : re-encryption (II)

1 What about if we have multiple key pairs?

2 Including a public key in tags, however, permits certain degree of malicioustracking and profiling

3 Universal re-encryption permits re-encryption without knowledge of thecorresponding public key in public-key encryption schemes

4 Golle et al. (’04) proposed ElGamal-based universal re-encryption

5 It suffers from serious attacks, since it does not preserve integrity


Re-naming approaches: re-encryption (III)

1 Ateniese, Camenisch, and de Medeiros (’05)

2 Insubvertible encryption scheme which also permits universal re-encrpytion

3 Ciphertext is digitally singed by a CA and permits anyone to verify the authenticityof the ciphertext

4 To prevent malicious tracing, the ciphertext as well as signature can berandomisable by any entity


Proxy approach

Consumers carry their own privacy-enforcing devices (proxies)

1 Watchdog tags

audit system for RFID privacymonitor ambient scanning of tags and collect information form readers

2 RFID Guardian or RFID Enhancer Proxy (REP)

batter-powered personal RFID firewallintermediates reader request to tags and selectively simulates tags underits controlcan implement sophisticated privacy policiesfurther research includes how a Guardian or REP should acquire andrelease control of tags and associated PINs and keys


Distant measurement

1 The distance between tags and readers serve as a metric for trust

2 Fishkin, Roy, and Jiang (’04)signal-to-noise ratio of reader signal provides rough metric of distancewhen scanned in a distance, expose little informationrelease its unique identifier only at close range


Blocking tags

1 It jams tree-based anti-collision protocols, thus making impossible to read outtags nearby

2 As cheap to manufacture, it could be integrated into paper bags3 To prevent jamming of legitimate readers, a privacy bit is set during check-out


Outline

1 RFID Primer

2 Passive RFID tags


4 Basic Tags


6 Conclusion


Assumptions

1 Tags are assumed to perform keyed hash function or hardware efficientsymmetric encryption scheme (and also often assumed to have a pseudorandom number generator)

2 We assume a centralised system, where readers have constant access to theirback-end server

3 Notationswe have n tagseach tag Ti contains in memory a shared secret key ki with the server


Authentication

1 Simple challenge-response protocol prevents cloningTi → R : IDTiTi ← R : PTi → R : h(ki , P) or eki

(P)

In practice, resource constraints in commercial tags sometimes leads todeployment of weak cryptographic primitives

2 Digital Signature Transponder (DST)currently a theft-deterrent in automobiles and SpeedPassTM

use the protocol described abovebroken since they expect security through obscurity to overcome shortkey-length


Reverse-engineering & Side channels

1 Reverse engineeringphysical invasive attacks possibletags are too inexpensive to include temper-resistance mechanism

2 Side channels - potentially serious threat in RFIDTiming attacks- extract information based on variations in the rate of computation of targetdevices

- over-the-air timing attacks against tags : open research topicPower analysis attacks- measure electromagnetic emanation- exploit measurable variations in power consumption


Relay attacks

1 Relay attack is always possible no matter how well designed cryptographicprotocols in RFID systems and no matter how strong cryptographic primitives areused

2 Often security based on assumption - limited read range of tags3 Attack allows proximity cards to open a door or RFID-based credit cards to effect

payment from a kilometer away

RFID TAG ! Leech L9999K Ghost ! RFID Reader

Figure of Relay attack in RFID systems


Privacy

1 Paradoxif a tag emits identifier in challenge-response protocol, no privacyif a reader does not know which tag it is interrogating, it cannot determinewhich key to use

2 Key search: straightforward but heavy solutiontag emits E = fki

(P)reader searches from the space of all keys K = {kj}j for a key k ∈ K suchthat fk (P) = E

3 Weis, Sarma, Rivest, and Engel (’03)

4 The computational cost of key-search for the reader is linear in the number oftags, thus key search is prohibitively costly in large systems

5 More efficient solutions?


Tree approach

1 Molnar and Wagner (’04)each node (or edge) is associated with a keyeach tag is assigned to a unique leaftag contains the keys defined from a root to the leafif we have a depth d and branching factor b, each tag contains d keys andthe scheme accommodates db tags in total

2 Efficiencyreader can identify a tag by means of a depth-first search of the treesearch through at most db keys rather than db keys

3 Securitycompromise of the secrets in one tag compromise of secrets in other tags


Synchronisation approach

1 Suppose that every tag Ti maintains a counter ci and the tag outputs E = fki(ci )

on interrogation

2 Provided that a reader knows the approximate value of ci , it can store asearchable table of tag output values, i.e., reader maintains the output values

fki(c′

i ), fki(c′

i + 1), · · · , fki(c′

i + d), for ci ∈ [c′i , c′

i + d ]

3 Literatures with stronger security (such as forward security) and more efficiency


Outline

1 RFID Primer

2 Passive RFID tags


4 Basic Tags


6 Conclusion


RFID becomes ubiquitous

security and privacy in rfidprai175/isgstudentsem07/rfid... · 2007-11-17 · security and privacy...

Documents