RFID Privacy: Relation Between Two Notions, Minimal Condition, and Efficient Construction Changshe Ma, Yingjiu Li, Robert Deng, Tieyan Li Singapore Management University Institute for Infocomm Research 2018/11/12
Background – RFID Systems Radio signal (contactless) Range: from 3-5 inches to 3 yards Database Match tag IDs to physical objects Tags (transponders) Attached to objects, “call out” identifying data on a special radio frequency Reader (transceivers) Read data off tags without direct contact Range can be 100 meters Perfect working conditions for attackers! 2018/11/12
Background – RFID Privacy Privacy issues Adversaries identify tags Adversaries track tags © RSA Laboratories 2018/11/12
Motivation – Research Effort Lightweight RFID protocols for low-cost tags Simple operations (XOR, bit inner product, PRNG, CRC) Privacy flaws (T. van Deursen and S. Radomirovic: Attacks on RFID Protocols, ePrint Archive: Report 2008/310) Formal privacy models for RFID systems Ind-privacy: indistinguishability of two tags [Juels & Weis 07] Unp-privacy: unpredictability of protocol output [Ha et al. 08] Our research Examine privacy notions Explain privacy flaws Construct efficient protocol with strong privacy http://eprint.iacr.org/2008/310 2018/11/12
Outline Model of RFID systems RFID privacy notions Relations Ind-privacy: indistinguishability-based privacy Unp-privacy: unpredictability-based privacy Relations Unp-privacy Ind-privacy Ind-privacy (not) Unp-privacy Minimal condition Unp-privacyPRF Efficient construction 2018/11/12
Model of RFID Systems RFID system (R, T, InitializeR, InitializeT, ) Canonical form of RFID protocols Adversary A (O_IR:InitReader, O_IT:InitTag, O_ST:SetTag, O_SR:SendRes) Completeness and soundness of RFID system Eavesdropping: InitReader, InitTag, SendRes Tag key compromise (tag corruption, physical or side-channel attack): SetTag Completeness: a legitimate tag will always be accepted by the legitimate reader Soundness: only legitimate tag will be accepted by the legitimate reader 2018/11/12
RFID Privacy – Ind-privacy Experiment ExpAind[k, l, q, s, u, v] 1. setup the reader R and a set of tags T with |T | = l; 2. (Ti, Tj, st)A1O_IR,O_IT, O_ST, O_SR (R; T ); //learning stage 3. b R {0, 1}; 4. if b = 0 then Tc = Ti, otherwise Tc = Tj; 5. T’=T-{Ti,Tj} 6. b’ A2O_IR,O_IT, O_ST, O_SR (R, T’, st, Tc); //guess stage 7. the experiment outputs 1 if b’ = b, 0 otherwise Advantage of A: |Pr[ExpAind=1]-1/2| 2018/11/12
RFID Privacy – Unp-privacy Experiment ExpAunp[k, l, q, s, u, v] 1. setup the reader R and a set of tags T with |T | = l; 2. (Tc, c0, st)A1O_IR,O_IT, O_ST, O_SR (R; T ); //learning stage 3. b R {0, 1}; 4. if b = 0 then set (r, f) as random pair, otherwise (c0, r0, f0)(R,Tc) and (r, f)=(r0, f0); 5. T’=T-{Tc} 6. b’A2 O_IR,O_IT, O_ST, O_SR (R, T’, st, r, f); //guess stage 7. the experiment outputs 1 if b’ = b, 0 otherwise Advantage of A: |Pr[ExpAunp=1]-1/2| 2018/11/12
Relations – Intuition Intuitively, Unp-privacyInd-privacy Ind-privacy d(Ti, Tj) d(Ti, r) + d(Tj, r) Ind-privacy Learning stage: AOracle queries Tc Guess stage: AOracle queries toTc Unp-privacy Learning stage: AOracle queries Tc Guess stage: ANo oracle queries to Tc How to simulate? 2018/11/12
Relations – Eunp-privacy Extended Unp-privacy (Eunp-privacy) Experiment ExpAeunp[k, l, q, s, u, v,w] 1. setup the reader R and a set of tags T with |T | = l; 2. (Tc, st)A1O_IR,O_IT, O_ST, O_SR (R; T ); //learning stage 3. T’=T-{Tc} 4. b R {0, 1}; 5. let st0=st and cs= for i=1 to w (ci, sti) A2 O_IR,O_IT, O_ST, O_SR (R; T, sti-1, cs); if b = 0 then set (ri*, fi*) as random pair, otherwise (ci, ri, fi)(R,Tc) and (ri*, fi*)=(ri, fi); cs=cs{ri*, fi*} 6. b’A2 O_IR,O_IT, O_ST, O_SR (R, T’, stw, cs); //guess stage 7. the experiment outputs 1 if b’ = b, 0 otherwise ST: state information CS: set of challenge messages given to A2 A2 may choose the w test messages adaptively: it may chose ci according to the state information, the previous challenge message set, and its own strategy. 2018/11/12
Relations – Eunp-privacyInd-privacy Learning stage: AOracle queries Tc Guess stage: Eunp-privacy Learning stage: AOracle queries Tc Guess stage: Aw test message queries + corrupt all other tags except Tc Be able to simulate 2018/11/12
Relations – Eunp-privacyUnp-privacy Hybrid argument approach or game playing technique (r1,f1) (r2,f2) . (rw,fw) (r’1,f’1) (r2,f2) . (rw,fw) (r’1,f’1) (r’2,f’2) . (rw,fw) (r’1,f’1) (r’2,f’2) . (r’w-1,f’w-1) (rw,fw) (r’1,f’1) (r’2,f’2) . (r’w,f’w) . . . 2018/11/12
Relations – Ind-privacy (not) unp-privacy Assume that (c,r,f)(R,Ti) is of ind-privacy Let (c,r||r,f)’(R,Ti). ’(R,Ti) is not of unp-privacy 2018/11/12
Minimal Condition Minimal requirement for RFID systems to achieve RFID system privacy Unp-privacy PRF Theoretical foundation to explain why so many lightweight RFID protocols suffer from privacy vulnerabilities without implementing necessary cryptographic primitives 2018/11/12
Minimal Condition – Unp-privacy PRF random c1 r1 p1 c2 tag r2 p2 rn cn pn ind c1 c2 . cn r1 r2 . rn Each tag’s computation function can be used to construct a PRF family Is this mapping a pseudorandom function? 2018/11/12
Minimal Condition – Tag Computation Function st1 st2 … stn FkT( ) Deterministic if we consider the tag key and internal state information 2018/11/12
Minimal condition – Unp-privacyPRF Let PCH=PCN=PS={0,1} and PFT={0,1}2 1. If the tag Ti is stateless, define J(x)= r1=FkTi(c,cn), where c||cn=x{0,1}2 2. If the tag Ti is stateful 2.1 If cn=empty string, define J(x)=LFkTi(c,st_0) RFkTi(c,st0), where x {0,1} 2.2 Else J(x)= r1 =FkTi(c,cn,st0), where c||cn=x{0,1}2 Now define G(x)=J(J()x), then G is a PRF family, where {0,1}2 except for the case 2.1 where {0,1}. The function family G(x) is a PRF family if RS is complete, sound and unp-private. 2018/11/12
Minimal condition – PRFUnp-privacy An efficient construction with PRF: Offline attack: long enough secret key Online attack: 0.01 sec/tag, 348 years for |ctr|=40 2018/11/12
Conclusion Eunp-privacy Ind-privacy Unp-privacy PRF 2018/11/12
Thanks! 2018/11/12