Radio Frequency IDentification (RFID)
- Radio signal (contactless)
  - Range: from 3-5 inches to 3 yards
- Database
  - Match tag IDs to physical objects
- Tags (transponders)
  - Attached to objects, “call out” identifying data on a special radio frequency
- Reader (transceivers)
  - Read data off tags without direct contact
- Range can be 100 meters
- Perfect working conditions for attackers!
2018/11/21

RFID Applications
- Most important usage: identifying valid users or entities
- Applications: eTicket, Credit Cards, Access Control, Supply Chain, ePass
- Tags range from cheap (no computational and very low storage resources) to expensive (high computational and storage resources)

RFID Security Issues
- Tag Authentication: Only valid tags are accepted by a valid reader
- Reader Authentication: Only valid readers are accepted by valid tags
  - Not always required but mandatory in some applications (e.g., e-tickets)
  - Prevents unauthorized access to, or tampering with, tag data
- Availability: Infeasible to manipulate honest tags such that honest readers do not accept them

RFID Privacy Issues
[Figure: unauthorized tracking, © RSA Laboratories]
- Unauthorized tracking
  - Disclosure of the tag identity
  - Linkability of the transactions of a tag
  - Allows creation & misuse of user profiles

Physical Privacy-Enhancing Methods (from Sadeghi et al., MINES2009)
- “Kill”-command [EPC05]
  - Tag-specific password programmed at manufacturing that permanently deactivates the tag to prevent readout
  - Used for electronic product labels (e.g., EPC-Tags) that are disabled when the labeled product is given to end user
- Passive jamming [DIFR09]
  - Faraday cage (e.g., embedded into wallets) prevents readout of RFID tag
  - User must manually authorize readout by removing Faraday cage
- Active jamming [LCTR06]
  - Jamming device disturbs radio signals of tags and readers in the vicinity
  - User must manually authorize readout by deactivating jammer
- Inefficient: Tags permanently disabled or user interaction required

References
[EPC05] EPCglobal Inc.: Specification for RFID air interface—EPC radio-frequency protocols, Class-1 Generation-2 UHF RFID, protocol for communications at 860 MHz–960 MHz, version 1.1.0 (December 2005)
[DIFR09] DIFRwear: Web site of difrwear. http://www.difrwear.com/products.shtml (January 2009)
[LCTR06] Peris-Lopez, P., Hernandez-Castro, J.C., Estevez-Tapiador, J.M., Ribagorda, A.: RFID systems: A survey on security threats and proposed solutions. In Cuenca, P., Orozco-Barbosa, L., eds.: IFIP TC6 11th International Conference, PWC 2006, Albacete, Spain, September 20–22, 2006, Proceedings. Volume 4217 of LNCS, Springer Verlag (2006) 159–170

New Directions in RFID Security and Privacy

Cryptographic Protocols for RFID Privacy
- Numerous lightweight RFID protocols for low-cost tags have been proposed
- They use simple operations (XOR, bit inner product, CRC, etc.)
- Many have been broken (T. van Deursen and S. Radomirovic: Attacks on RFID Protocols, ePrint Archive: Report 2008/310)

RFID System Model
[Figure: tags and reader/database, labelled Read / Update]
- $T = \{T_1, \dots, T_n\}$ - a fixed, polynomial-size tag set
- R/D - and a reader/database as the elements for an RFID system.
- The adversary A has complete control over communications between R and T, while the communications between R and D are over a secure channel.

A Canonical RFID Protocol
- Reader R to Tag T: $c \in C$
- Tag T to Reader R: $r \in R$
- Reader R to Tag T: $f \in F$ (optional)
- Shorthand notation: $(c, r, f) \leftarrow (R, T)$

Query Types Available to Adversary
- Launch(): return a session id sid and the 1st message c.
- SendTag(sid, c, T): return r, the response of tag T.
- SendReader(sid, r): return f, the response of Reader.
- Corrupt(T): return the secret information of tag T.
- Let $O_1$, $O_2$, $O_3$, $O_4$ denote the Launch, SendTag, SendReader and Corrupt oracles, respectively.

JW06 (Juels & Weis, ePrint 2006, PerCom 2007)
Ind-privacy: indistinguishability of two tags.
Experiment:
- $\{T_i, T_j\} \leftarrow A_1^{O_1,O_2,O_3,O_4}(R, T)$;
- $b \in \{0, 1\}$;
- If $b = 0$ then $T_c = T_i$, else $T_c = T_j$;
- $T' = T - \{T_i, T_j\}$;
- $b' \leftarrow A_2^{O_1,O_2,O_3,O_4}(R, T', T_c)$.
- $A_1$ not allowed to query $O_4$ on $T_i$ and $T_j$
- $A_2$ not allowed to query $O_4$ on $T_c$
- Adversary A wins the game if $b' = b$
- The advantage of adversary A = $|\Pr[b' = b] - 1/2|$
Drawback: Not easy to work with

HMZH08 (Ha, Moon, Zhou & Ha, ESORICS 2008)
Unp-privacy: unpredictability of protocol
Experiment:
- $T_c \leftarrow A_1^{O_1,O_2,O_3,O_4}(R, T)$;
- $b \in \{0, 1\}$;
- If $b = 0$ then $(c, r, f) \leftarrow (R, T_c)$, else $(c, r, f) \leftarrow$ random;
- $b' \leftarrow A_2(c, r, f)$.
- $A_1$ not allowed to query $O_4$ on $T_c$
- The advantage of adversary A = $|\Pr[b' = b] - 1/2|$
Drawback – Incomplete:
- $A_2$ is not allowed to query the $O_2$ (SendTag) oracle on $T_c$
- There are protocols meeting Unp-privacy but with known weakness in privacy (Deursen & Radomirovic, ePrint Archive: Report 2008/477)

MLDL09 (Ma, Li, Deng & Li, CCS 2009)
Unp’-privacy: unpredictability of protocol
Experiment:
- $\{T_c, c\} \leftarrow A_1^{O_1,O_2,O_3,O_4}(R, T)$;
- $b \in \{0, 1\}$;
- If $b = 0$ then $(c, r, f) \leftarrow (R, T_c)$, else $(c, r, f) \leftarrow$ random;
- $T' = T - \{T_c\}$
- $b' \leftarrow A_2^{O_1,O_2,O_3,O_4}(R, T', r, f)$.
- $A_1$ not allowed to query $O_4$ on $T_c$
- The advantage of adversary A = $|\Pr[b' = b] - 1/2|$
Drawback:
- $(c, r, f) \leftarrow (R, T_c)$???
- $A_2$ is not allowed to query the $O_2$ (SendTag) oracle on $T_c$

Vau07, PV08 (Vaudenay AsiaCrypt07, Paise & Vaudenay AsiaCCS08)
Adversary’s capabilities modeled by oracles
Adversary A:
- Tag Initialization
- Tag Communication
- Tag Corruption
- Reader Initialization
- Reader Communication
- Side channel Information (whether authentication was successful)

Vau07 (Vaudenay AsiaCrypt07)
[Figure: privacy experiment between Adversary A and the Privacy Challenger]
- Privacy Challenger: $b \in_R \{0,1\}$
- Adversary $A_1$ (Querying Phase)
  - Reader Initialization / Tag Initialization / Tag Corruption
  - b = 1: Blinder B simulates Tag Communication / Reader Communication / Side channel Information
  - b = 0: Tag Communication / Reader Communication / Side channel Information
- Adversary $A_2$ (Analysis Phase): outputs $b'$
- A wins privacy experiment if $b' = b$
- RFID system is private if every A has negligible advantage to detect blinder B: $\mathrm{Adv}_A = |\Pr[b' = 1 \mid b = 0] - \Pr[b' = 1 \mid b = 1]|$

PV Model (Paise & Vaudenay AsiaCCS08)
Privacy and Security Framework for RFID
- Based on model of [Vau07]
- Additionally captures reader authentication
Problem
- Privacy definition contradicts reader authentication for any privacy notion that allows tag corruption (except the weak privacy notions which do not allow tag corruption)
- PV model cannot be used for evaluation of practical protocols where adversary can corrupt tags

New Model – Definition
Unp”-privacy: indistinguishability of a real tag and a virtual tag
Experiment:
- $T_c \leftarrow A_1^{O_1,O_2,O_3,O_4}(R, T)$;
- $b \in \{0, 1\}$;
- When $A_2$ makes queries to $O_1$, $O_2$, $O_3$ on $T_c$:
  - If $b = 0$, return oracles’ responses
  - Else ($b = 1$):
    - return $c \in_R C$ if query $O_1$
    - return $r \in_R R$ if query $O_2$
    - return $f \in_R F$ if query $O_3$
- $b' \leftarrow A_3$
- $A_1$ and $A_2$ are not allowed to query $O_4$ on $T_c$
- The advantage of adversary A = $|\Pr[b' = b] - 1/2|$

Summary of the Privacy Models
- Ind-privacy model
  - No flaws found, but not easy to work with
- Unp-privacy and Unp’-privacy models
  - Incomplete
- PV model
  - Contradiction between reader authentication and their notions of privacy that allow tag corruption
- Unp”-privacy model
  - Does not suffer from the above problems
  - Relationship between Ind-privacy and Unp”-model?

Relation Between Ind-privacy & Unp”-privacy
- Assume that (c, r, f) (R, T) is of Ind-privacy.
- Let (c, r|r, f) ’(R,T).
- ’(R,T) is of Ind-privacy, but it is not of Unp”-privacy.

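The doubled-response protocol above, run through the Unp”-privacy experiment as an added example (not part of the original slides): an adversary that compares the two halves of one SendTag answer tells the real tag from the virtual one. It shows only the "not Unp”-private" half of the claim; the toy HMAC-based tag response and all function names are assumptions.

```python
import hashlib
import hmac
import os
import secrets

def real_r(k, c):
    """Toy tag response (assumption): r = HMAC-SHA256_k(c), 16 bytes."""
    return hmac.new(k, c, hashlib.sha256).digest()[:16]

def doubled_r(k, c):
    """The modified protocol: the tag sends r|r instead of r."""
    return real_r(k, c) * 2

def send_tag(b, protocol, k, c):
    """O2 on the challenge tag T_c: real answer if b = 0, else r drawn
    uniformly from the response space (same length as a real answer)."""
    r = protocol(k, c)
    return r if b == 0 else os.urandom(len(r))

def adversary(o2):
    """Output b' = 0 exactly when both halves of one response are equal."""
    r = o2(os.urandom(16))
    half = len(r) // 2
    return 0 if r[:half] == r[half:] else 1

def advantage(protocol, trials=2000):
    """Estimate |Pr[b' = b] - 1/2| over independent runs of the experiment."""
    wins = 0
    for _ in range(trials):
        k, b = os.urandom(16), secrets.randbelow(2)
        wins += adversary(lambda c: send_tag(b, protocol, k, c)) == b
    return abs(wins / trials - 0.5)
```

Against `doubled_r` the estimate is the maximum 1/2; against the undoubled `real_r` the same adversary stays near 0.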
New Model – Relations (2)
Ind-privacy Unp”-privacy.
[Figure: Ind-privacy adversary A, Unp”-privacy adversary B, Unp”-privacy protocol]

Minimal Condition – Results
- Minimal requirement for RFID systems to achieve RFID system privacy
  - Unp”-privacy ⇔ PRF
- Theoretical foundation to explain why so many lightweight RFID protocols suffer from privacy vulnerabilities without implementing necessary cryptographic primitives

Minimal Condition – Unp”-privacy ⇒ PRF
- Given an RFID system with Unp”-privacy, each tag’s computation function $F_{k_i, st_i}$ can be used to construct a PRF family, where $k_i$ is the tag’s secret key and $st_i$ is the tag’s internal state.
[Figure: Reader and Tag exchanging c, r, f]

Minimal Condition – PRF ⇒ Unp”-privacy
An efficient construction using PRF
- Reader holds {(I, k, ctr, ID)}; Tag holds (k, ctr)
- Reader to Tag: c
- Tag:
  - $I = F_k(ctr|pad1)$
  - $r1 = F_k(c|I)(ctr|pad2)$
  - ctr = ctr + 1
- Tag to Reader: I | r1
- Reader, Search: {
    If find (I, k, ctr, ID) then
      If $ctr|pad2 = r1F_k(c|I)$ then Update & accept; Else reject
    Else if (*, k, *, *) s. t. $ctr|pad2 = r1F_k(c|I)$ & $I = F_k(ctr|pad1)$ then Update & accept;
    Else reject
  }
- Reader, Update: { ctr = ctr + 1 & $I = F_k(ctr|pad1)$ }

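The construction above as runnable code, including the reader's fallback search when a tag's counter has run ahead of the database; this is an added example, not code from the original slides. Assumptions: the PRF is HMAC-SHA256 truncated to 16 bytes, the counter is 8 bytes, pad1/pad2 are constructed constants, and the operator combining F_k(c|I) with ctr|pad2 (not legible on the slide) is taken to be XOR.

```python
import hashlib
import hmac

PAD1, PAD2 = b"\x01" * 8, b"\x02" * 8    # constructed padding constants

def F(k, m):
    """PRF stand-in (assumption): HMAC-SHA256 truncated to 16 bytes."""
    return hmac.new(k, m, hashlib.sha256).digest()[:16]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enc(ctr):
    """8-byte counter, so ctr|pad fills exactly one 16-byte PRF output."""
    return ctr.to_bytes(8, "big")

class Tag:
    def __init__(self, k, ctr=0):
        self.k, self.ctr = k, ctr

    def respond(self, c):
        I = F(self.k, enc(self.ctr) + PAD1)
        r1 = xor(F(self.k, c + I), enc(self.ctr) + PAD2)  # XOR is assumed
        self.ctr += 1
        return I + r1                                     # r = I | r1

class Reader:
    def __init__(self):
        self.db = {}                                      # I -> (k, ctr, ID)

    def enroll(self, k, tag_id, ctr=0):
        self.db[F(k, enc(ctr) + PAD1)] = (k, ctr, tag_id)

    def _update(self, old_I, k, ctr, tag_id):
        del self.db[old_I]                                # ctr = ctr + 1, new I
        self.enroll(k, tag_id, ctr + 1)
        return tag_id                                     # accept

    def verify(self, c, r):
        I, r1 = r[:16], r[16:]
        if I in self.db:                                  # index found: in sync
            k, ctr, tag_id = self.db[I]
            ok = hmac.compare_digest(xor(r1, F(k, c + I)), enc(ctr) + PAD2)
            return self._update(I, k, ctr, tag_id) if ok else None
        for old_I, (k, _, tag_id) in list(self.db.items()):  # desynchronised
            p = xor(r1, F(k, c + I))
            if p[8:] == PAD2 and hmac.compare_digest(I, F(k, p[:8] + PAD1)):
                return self._update(old_I, k, int.from_bytes(p[:8], "big"), tag_id)
        return None                                       # reject
```

The in-sync path costs one PRF call; the fallback costs up to two per enrolled key, which is the price of recovering from tag queries that never reached the reader.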
Conclusion
- Existing privacy models
  - Ind-privacy, unp-privacy, unp’-privacy, Vau07 & PV08
- A new model: Unp”-privacy
- Relations
  - Unp”-privacy Ind-privacy PRF
