Slide 1 Author: Ari Juels Presenter: Yuliya Kopylova CSCE 790 RFID Security and Privacy.

Presentation transcript:

slide 1 Author: Ari Juels Presenter: Yuliya Kopylova CSCE 790 RFID Security and Privacy

slide 2 Roadmap
- Background
- RFID Risks
- Privacy: Simple Solutions
- Privacy: More Involved Solutions
- Authentication: Some Solutions
- Conclusion

slide 3 What is RFID?
- Radio-Frequency Identification
- Figure labels: Tag, Chip, Antenna
- Sticker containing microchip and antenna
- Gains power from wireless signal received from tag reader
- Tag-reader communication with range of up to half a meter
- Tag returns its unique number and static data

slide 4 How Does RFID System Work?
- Tags (transponders): attached to objects, “call out” identifying data on a special radio frequency (figure example: 02.3DFEX4.78AF51, EasyToll card #816)
- Reader (transceiver): reads data off the tags without direct contact
  - Radio signal (contactless)
  - Range: from 3-5 inches to 3 meters
- Database: matches tag IDs to physical objects
- Management system
- Communication protocol
- Computer Networks
- Tags consist of an antenna and a microchip
- Readers consist of a transmitter, receiver, 1+ antennas

slide 5 RFID Advantages
Barcode:
- Line-of-sight reading: reader must be looking at the barcode
- Specifies object type, e.g., “I am a pack of Juicy Fruit”
RFID:
- Reading by radio contact: reader can be anywhere within range
- Specifies unique object id, e.g., “I am a pack of Juicy Fruit #86715-A”
- Fast, automated scanning (object doesn’t have to leave pocket, shelf or container)
- Can look up this object in the database (provides pointer)

slide 6 RFID Tag Power Sources
- Passive
  - Inactive until the reader’s interrogation signal “wakes” them up
  - Cheap, but short range only
- Semi-passive
  - On-board battery, but cannot initiate communication
  - More expensive, longer range
- Active
  - On-board battery, can initiate communication

slide 7 RFID Types
- Inductive Coupling
- Backscatter (radiative) Coupling

slide 8 Closer look

slide 9 RFID examples
- Pervasive Devices
  - Low memory, few gates
  - Low power, no clock, little state
  - Low computational power
- You may own a few.
- Billions on the way

slide 10 Current Applications
- Public Transport and Ticketing
- Access Control
- Logistics
- Animal identification
- Anti-theft system
- Real time measurements in sports
- Inventory Control in supermarkets
- Electronic payments
- Industry automation
- Medical
- Banknotes, casino chips

slide 11 Futuristic Applications
- “Smart” appliances
  - Refrigerators that automatically create shopping lists
  - Closets that tell you what clothes you have available, and search the Web for advice on current styles, etc.
  - Ovens that know how to cook pre-packaged food
- “Smart” products
  - Clothing, appliances, CDs, etc. tagged for store returns
- “Smart” paper
  - Airline tickets that indicate your location in the airport
  - Library books
  - Business cards
- Recycling
  - Plastics that sort themselves

slide 12 RFID Risks
- Mr. Jones pays with a credit card; his RFID tags now linked to his identity
- Mr. Jones attends a political rally; law enforcement scans his RFID tags
- Mr. Jones wins Turing Award; physically tracked by paparazzi via RFID

slide 13 Why RFID Risks Arise
Three technical aspects of today’s RFID tags create potential problems:
- They are promiscuous: they talk to any compatible reader.
- They are remotely readable: they can be read at a distance through materials like cardboard, cloth, and plastic.
- They are stealthy: not only are the tags inconspicuous, you don't know when they are transmitting information or to whom.
In short, the personal information

slide 14 Risks: Privacy
- Personal privacy
  - Clandestine inventory and tracking
    - Unsanctioned readers
  - Customer profiling
    - Tracking personal activities (e.g., purchase habits, travel)
  - Big brother
    - Illicit or inappropriate use of personal data
- Data cross contamination
  - Inventory tags plus personal info
- Corporate espionage
  - Track your competitor’s inventory
- Military espionage
  - Harvesting RFID communication to make inferences

slide 15 Risks: Eavesdropping
- Read ranges
  - nominal read range
    - max distance at which a normally operating reader can reliably scan tags
  - rogue scanning range
    - rogue reader can emit stronger signal and read tags from a larger distance than the nominal range
  - tag-to-reader eavesdropping range
    - read-range limitations result from the requirement that the reader powers the tag
    - however, one reader can power the tag, while another one can monitor its emission (eavesdrop)
  - reader-to-tag eavesdropping range
    - readers transmit at much higher power than tags
    - readers can be eavesdropped from much further
    - readers may reveal tag specific information

slide 16 Risks: Counterfeits
- Comes down to authentication
- How it can be accomplished
  - Replaying (RF “tape-recorder”)
  - Tag cloning
  - Back-engineering
- A few examples from real life (easy to break)
  - Speed passes
  - Ignition keys
  - Physical coercion and attack
    - In 2005, a man in Malaysia had his fingertip cut off by thieves stealing his biometric-enabled Mercedes
    - What would happen if the VeriChip were used to access ATM machines and secure facilities?
  - Perhaps it is better then if tags can be cloned and are not used for authentication—only for identification

slide 17 RFID capabilities
- Little power
  - Receives power from reader
  - Range a few meters
- Little memory
  - Static 64-to-128-bit identifier
  - Hundreds of bits soon
- Little computational power
  - A few thousand gates
  - No cryptographic functions available
  - Static keys for read/write permission
- In terms of computational power can be divided into
  - BASIC tags
  - SYMMETRIC KEY tags

slide 18 Privacy protection approaches
- standard tags
  - jamming
  - “kill” command
  - “sleep” command
  - Renaming
  - Blocking
- crypto enabled tags
  - synchronization approach
  - hash chain based approach
  - tree-approach

slide 19 Easiest solution
- Keep it close to your body
  - Liquids are not penetrable by microwave frequencies
- Faraday cage
  - Container made of foil or metal mesh, impenetrable by radio signals of certain frequencies
  - Shoplifters are already known to use foil-lined bags
  - Maybe works for a wallet, but huge hassle in general
- Active jamming
  - Disables all RFID, including legitimate applications
- All kinds of the above protections can be purchased nowadays
  - protective sleeves for passports, wallets, ids, etc.

slide 20 Dead tags tell no tales
- Idea: permanently disable tags with a special “kill” command
  - part of the EPC specification
- Advantages:
  - Simple and effective
- Disadvantages:
  - eliminates all post-purchase benefits of RFID for the consumer and for society
    - no return of items without receipt
    - no smart house-hold appliances
  - cannot be applied in some applications
    - library, e-passports, banknotes
- Similar approaches:
  - put RFID tags into price tags or packaging which are removed and discarded

slide 21 Don’t kill the tag, put it to sleep
- Idea: instead of killing the tag put it in sleep mode
  - tag can be re-activated if needed
- Advantages:
  - Simple
  - effective
- Disadvantages:
  - difficult to manage in practice
  - tag re-activation must be password protected
  - how will the consumers manage hundreds of passwords for their tags?
  - passwords can be printed on tags, but then they need to be scanned optically or typed in by the consumer

slide 22 Partial destruction
- Renaming
  - In simplest case renaming to gibberish
  - No intrinsic meaning
  - Still can be tracked
    - Backscatter from antennas
    - Hypothesize manufacturer type may be learnable
    - Do tags possess uniquely detectable RF fingerprints? (Device signatures a staple of electronic warfare)
- Relabelings
  - Retain only product ID for later use
  - Destroy unique ID at the time of purchase
- Splitting identifiers across two tags
  - Peel off one at time of purchase

slide 23 Distance Measuring
- Signal-to-noise ratio of the reader signal in an RFID system provides a rough metric of the distance between a reader and a tag.
- With some additional, low-cost circuitry a tag might achieve rough measurement of the distance of an interrogating reader.
- Distance can serve as a metric for trust.
  - Release general information (“I am attached to a bottle of water”) when scanned at a distance
  - Release more specific information (ID), only at close range

slide 24 Proxying
- Proxying
  - Consumers carry their own privacy-enforcing devices (higher-powered intermediaries like mobile phones)
  - Watch dog
    - Observer observing the observer: monitor if someone scans you
    - Selectively jams tag replies as needed
  - RFID guardian
    - Talk to the guardian first
    - Communication is released through a fortified intermediate

slide 25 Proxying
- Problems
  - Change of ownership: how to release control
  - Impersonating the guardian itself
  - Cannot suppress tag replies entirely, only jam
  - Cannot suppress reader commands
  - Please show reader certificate and privileges

slide 26 Renaming
- Idea: avoid using real IDs, change identifiers across the reads
  - get rid of fixed names (identifiers)
  - Pseudonyms stored on tag (limited storage, i.e. 10 or so), tag cycles through pseudonyms
  - use random pseudonyms and change them frequently
- Requirements:
  - only authorized readers should be able to determine the real identifier behind a pseudonym
  - standard tags cannot perform computations -> next pseudonym to be used must be set by an authorized reader
- A possible implementation
  - pseudonym = {R|ID}_K
    - R is a random number
    - K is a key shared by all authorized readers
  - authorized readers can decrypt pseudonyms and determine real ID
  - authorized readers can generate new pseudonyms
  - for unauthorized readers, pseudonyms look like random bit strings
- Potential problems
  - tracking is still possible between two renaming operations
  - if someone can eavesdrop during the renaming operation, then she may be able to link the new pseudonym to the old one
  - no reader authentication -> rogue reader can overwrite pseudonyms in tags (tags will be erroneously identified by authorized readers)

slide 27 Example of RNG
- Figure labels: V, Random Bits, No Connect
- The voltage signal is amplified, disturbed, stretched, and sampled, resulting in random bits.

slide 28 Renaming (re-encryption)
- A public key based implementation:
  - El Gamal scheme:
    - Inputs are ciphertexts
    - Outputs are a re-encryption of the inputs.
    - Anyone can encrypt without the public key E
    - Those who know the secret key D can also decrypt
  - messages encrypted with different keys are indistinguishable

slide 29 Renaming (re-encryption)
- El Gamal Encryption Parameters
  - Public parameters:
    - q is a prime
    - p = 2kq + 1 is a prime
    - g: generator of G_p, i.e. efficient description of a cyclic group of order q with generator g (I know only one generator which is relatively prime)
  - Secret key of RFID tag: x (where 0 < x < q)
  - Public key of RFID tag: y = g^x mod p
- Encryption for message (plaintext) m
  1. Pick a number k randomly from [0…q-1]
  2. Compute a = y^k · m mod p and b = g^k mod p
  3. Output (a, b)

slide 30 Renaming (re-encryption)
- Decryption
  - Compute m as a / b^x (= y^k · m / (g^k)^x = g^(xk) · m / g^(kx) = m)
- One can re-encrypt a ciphertext (a, b) without decryption:
  - Input: a ciphertext (a, b) and public key y
  1. Pick a number α randomly from [0…q-1]
  2. Compute a’ = y^α · a mod p and b’ = g^α · b mod p
  3. Output (a’, b’)
- Same decryption technique
  - Compute m as a’ / b’^x (= y^k · y^α · m / (g^k · g^α)^x = g^(x(k+α)) · m / g^(x(k+α)) = m)
- Properties:
  - new tag pseudonyms can be computed by readers that know the public key
  - real tag ID can be computed only by readers that know the private key
  - Semantic security: cannot distinguish between C = E_{PK,r}[Alice] and C’ = E_{PK,r’}[Bob]
    - An attacker who intercepts C and C’ cannot tell if they come from the same chip, that is the attacker cannot identify or track Alice
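
The re-encryption renaming of slides 28-30, carried through in code as an added example (not part of the original slides). The group parameters and the tag ID are constructed toy values, and the fresh re-encryption exponent is named `alpha` here.

```python
import secrets

# Constructed toy parameters, far too small for real use: p = 2kq + 1 with k = 1.
Q = 1019          # prime order of the subgroup
P = 2 * Q + 1     # 2039, also prime
G = 4             # a square mod p, so it generates the subgroup of order q


def rand_exp():
    """Random exponent in [1, q-1]; 0 is skipped because it would leave a ciphertext unchanged."""
    return 1 + secrets.randbelow(Q - 1)


def keygen():
    x = rand_exp()                 # secret key, known to authorized readers only
    return x, pow(G, x, P)         # (x, y = g^x mod p)


def encrypt(m, y):
    k = rand_exp()
    return (pow(y, k, P) * m % P, pow(G, k, P))          # (a, b)


def reencrypt(ct, y):
    """New pseudonym for the same plaintext; needs only the public key y."""
    a, b = ct
    alpha = rand_exp()
    return (pow(y, alpha, P) * a % P, pow(G, alpha, P) * b % P)


def decrypt(ct, x):
    a, b = ct
    return a * pow(pow(b, x, P), -1, P) % P              # a / b^x mod p


def rename_rounds(m, y, rounds):
    """Pseudonyms an eavesdropper would see if the tag is renamed after every read."""
    ct = encrypt(m, y)
    seen = [ct]
    for _ in range(rounds):
        ct = reencrypt(ct, y)      # done by a reader, then written back to the tag
        seen.append(ct)
    return seen


if __name__ == "__main__":
    x, y = keygen()
    tag_id = pow(G, 777, P)        # constructed tag ID, encoded as a subgroup element
    for ct in rename_rounds(tag_id, y, 4):
        print("pseudonym", ct, "-> real ID", decrypt(ct, x))
```

Between two renaming operations the stored pair (a, b) is static, which is the tracking window listed under "Potential problems" on slide 26.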

slide 31 Blocking
- When the reader sends a signal, more than one RFID tag may respond: this is a collision
  - in a typical commercial application, such as scanning a bag of groceries, potentially hundreds of tags might be within range of the reader.
- Reader must engage in a special singulation protocol to talk to each tag separately
  - Singulation is used by an RFID reader only when necessary to identify a specific tag (and its ID) from a number of tags in the field
- Tree-walking is a common singulation method
  - Used by 915 MHz tags, the most common type in the U.S.
  - Slotted aloha is used for LF tags

slide 32 Anti-collision
- "Tree Walking"
- Recursive depth-first search
- Requirement: Reader is able to detect bit position of a collision
- Example: 1 Reader, 3 Transponder, 3-bit ID
- Synchronized by reader
- Example: 1 Reader, 5 Tags, 8-bit ID

slide 33 Tree Walking
- Every tag has a k-bit identifier
- Figure: binary tree of prefixes (prefix=0, prefix=1; prefix=00, prefix=01, prefix=10, prefix=11)
- Reader broadcasts current prefix
- Each tag with this prefix responds with its next bit
- If responses don’t collide, reader adds 1 bit to current prefix, otherwise tries both possibilities
- This takes O(k × number of tags)

slide 34 Tree-Walking
- “Tree-walking” protocol for identifying tags recursively asks question:
  - “What is your next bit?”
  - Something along the lines of: “Will all tags with 1 as their first digit raise their hand”. “Will all tags with 1 as their first digit, and 0 as their second....”
- Blocker tag always says both ‘0’ and ‘1’!
  - Makes it seem like all possible tags are present by making an RFID tag misbehave, and answers yes to every question

slide 35 Blocker Tag
- A form of jamming: broadcast both “0” and “1” in response to any request from an RFID reader
  - Guarantees collision no matter what tags are present
  - To talk to a tag, reader must traverse every tree path
    - With 128-bit IDs, reader must try values – infeasible!
- To prevent illegitimate blocking, make blocker tag selective (block only certain ID ranges)
- Blocker tag can be selective:

slide 36 Blocker Tag
- privacy zone
  - tree is divided into two zones
  - privacy zone: all IDs starting with 1
  - upon purchase of a product, its tag is transferred into the privacy zone by setting the leading bit
- the blocker tag
  - when the prefix in the reader’s query starts with 1, it simulates a collision
  - when the blocker tag is not present, everything works normally
- Alternative: polite blocking (notify the reader)
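
The tree-walking singulation of slides 31-34 and the selective blocker of slides 35-36, simulated as an added example (not part of the original slides). The 8-bit tag IDs are constructed, and the `polite` flag is a hypothetical stand-in for a reader that has been notified of the privacy zone and stays out of it.

```python
K = 8  # ID length in bits (constructed; the slides discuss 128-bit IDs)

# Constructed tag IDs on a shop shelf: every leading bit is 0 (outside the privacy zone).
SHELF = ["00101101", "01100001", "00110010", "01000111"]


def privatise(tag_id):
    """On purchase, move a tag into the privacy zone by setting its leading bit."""
    return "1" + tag_id[1:]


def replies(prefix, tags, blocker_zone=None):
    """Set of 'next bit' values the reader hears after broadcasting prefix."""
    bits = {t[len(prefix)] for t in tags if t.startswith(prefix)}
    if blocker_zone is not None and prefix.startswith(blocker_zone):
        bits |= {"0", "1"}          # blocker answers both: a guaranteed collision
    return bits


def tree_walk(tags, blocker_zone=None, polite=False, k=K):
    """Depth-first singulation. Returns (IDs the reader believes exist, queries sent)."""
    found, queries, stack = [], 0, [""]
    while stack:
        prefix = stack.pop()
        if len(prefix) == k:        # full ID singulated
            found.append(prefix)
            continue
        queries += 1
        for bit in sorted(replies(prefix, tags, blocker_zone), reverse=True):
            child = prefix + bit
            if polite and blocker_zone is not None and child.startswith(blocker_zone):
                continue            # polite blocking: reader skips the announced zone
            stack.append(child)
    return sorted(found), queries


if __name__ == "__main__":
    # Two of the four items are bought and carried home next to a blocker tag.
    carried = SHELF[:2] + [privatise(t) for t in SHELF[2:]]
    for label, kwargs in [("no blocker", {}),
                          ("blocker on zone 1", {"blocker_zone": "1"}),
                          ("polite blocker", {"blocker_zone": "1", "polite": True})]:
        ids, queries = tree_walk(carried, **kwargs)
        print(f"{label:18} {len(ids):4} IDs reported, {queries:4} queries")
```

With the blocker present the reader cannot tell the two purchased tags from the other 126 phantom IDs in the zone, and the cost of walking the zone doubles with every extra ID bit.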

slide 37 Hash Locks
- Locked tag transmits only metaID
- Similar to the proximity approach
- Unlocked tag can do all operations
- Locking mechanism:
  - Reader R selects a nonce and computes metaID = hash(key)
  - R writes metaID to tag T
  - T enters locked state
  - R stores the pair (metaID, key).
- Unlocking
  - Reader R queries tag T for its metaID
  - R looks up (metaID, key)
  - R sends key to T
  - If (hash(key) == metaID), T unlocks itself

slide 38 Hash locks
- Cheap to implement on tags: A hash function and storage for metaID.
- Security based on hardness of hash.
- Hash output has nice random properties.
- Low key look-up overhead.
- Tags respond predictably; allows tracking. Motivates randomization.
- Requires reader to know all keys

slide 39 Randomized Hash Locks
Goal: authenticate reader to the RFID tag
- Reader: stores all IDs: ID_1, …, ID_n
- RFID tag: stores its own ID_k
1. Reader → tag: “Who are you?”
2. Tag: generate random R; tag → reader: R, hash(R, ID_k)
3. Reader: compute hash(R, ID_i) for every known ID_i and compare
4. Reader → tag: “You must be ID_k”

slide 40 Randomized Hash Locks
- Tag must store hash implementation and pseudo-random number generator
  - Low-cost RNGs exist; can use physical randomness
- Secure against tracking because tag response is different each time
- Reader must perform brute-force ID search
  - Effectively, reader must stage a mini-dictionary attack to unlock the tag
- Alternative: better searching
  - Tree approach
  - Synchronization approach
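
The plain hash lock of slides 37-38 next to the randomized hash lock of slides 39-40, as an added example (not part of the original slides). SHA-256, the 16-byte R and the `EPC-…` identifiers are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed list of IDs known to the back-end reader.
KNOWN_IDS = [f"EPC-{i:04d}".encode() for i in range(1000)]


def h(data):
    return hashlib.sha256(data).digest()


class HashLockTag:
    """Plain hash lock: while locked, the tag answers every query with its metaID."""

    def __init__(self, tag_id):
        self.tag_id, self.meta_id = tag_id, None

    def lock(self, meta_id):
        self.meta_id = meta_id

    def query(self):
        return self.meta_id if self.meta_id is not None else self.tag_id

    def unlock(self, key):
        if self.meta_id is not None and hmac.compare_digest(h(key), self.meta_id):
            self.meta_id = None
            return True
        return False


class RandomizedTag:
    """Randomized hash lock: every answer is (R, hash(R, ID)) with a fresh R."""

    def __init__(self, tag_id):
        self.tag_id = tag_id

    def query(self):
        r = secrets.token_bytes(16)
        return r, h(r + self.tag_id)


def identify(reply, known_ids):
    """Reader side: hash R with every known ID. Returns (ID or None, hashes computed)."""
    r, digest = reply
    for tried, candidate in enumerate(known_ids, start=1):
        if hmac.compare_digest(h(r + candidate), digest):
            return candidate, tried
    return None, len(known_ids)


def linkable(reply1, reply2):
    """All a keyless eavesdropper can do: check whether two replies are identical."""
    return reply1 == reply2


if __name__ == "__main__":
    key = secrets.token_bytes(16)
    locked = HashLockTag(b"EPC-0815")
    locked.lock(h(key))
    print("plain lock trackable:     ", linkable(locked.query(), locked.query()))
    rnd = RandomizedTag(KNOWN_IDS[815])
    print("randomized lock trackable:", linkable(rnd.query(), rnd.query()))
    print("reader search:            ", identify(rnd.query(), KNOWN_IDS))
```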

slide 41 Avoiding brute force synch
- operation of tag:
  - state is s_i
  - when queried, the tag responds with the current pseudonym p_i = G(s_i) and computes its new state s_{i+1} = H(s_i)
- operation of the reader:
  - reader must approximately know the current counter value of each tag
  - for each tag, it maintains a table with the most likely current counters and corresponding pseudonyms
- Operation of the reader
  - when a tag responds with a pseudonym p, it finds p in any of its tables, identifies the tag, and updates the table corresponding to the tag
  - one-wayness of the hash ensures that current counter value cannot be computed from observed pseudonym
- c is a counter, H and G are one-way hash functions
- reader maintains synchronized state with tags
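
The synchronization approach of slide 41 as an added example (not part of the original slides): the reader keeps a look-ahead table of upcoming pseudonyms per tag instead of searching all IDs. SHA-256 with a domain prefix for H and G, the window size of 5, and the tag names and seeds are assumptions.

```python
import hashlib


def H(state):
    """State update: s_{i+1} = H(s_i)."""
    return hashlib.sha256(b"H" + state).digest()


def G(state):
    """Pseudonym: p_i = G(s_i), truncated to 8 bytes for display."""
    return hashlib.sha256(b"G" + state).digest()[:8]


class Tag:
    def __init__(self, seed):
        self.state = seed

    def respond(self):
        pseudonym = G(self.state)
        self.state = H(self.state)      # the state advances on every query, by anyone
        return pseudonym


class Reader:
    def __init__(self, seeds, window=5):
        self.window = window
        self.states = dict(seeds)       # tag name -> earliest state the tag can be in
        self.table = {}                 # pseudonym -> (tag name, state after that reply)
        for name in self.states:
            self._refill(name)

    def _refill(self, name):
        self.table = {p: v for p, v in self.table.items() if v[0] != name}
        s = self.states[name]
        for _ in range(self.window):    # the `window` most likely next pseudonyms
            self.table[G(s)] = (name, H(s))
            s = H(s)

    def identify(self, pseudonym):
        hit = self.table.get(pseudonym)
        if hit is None:
            return None                 # unknown tag, or tag ran ahead of the window
        name, next_state = hit
        self.states[name] = next_state
        self._refill(name)
        return name


def demo():
    seeds = {"pallet-17": b"constructed seed A", "crate-04": b"constructed seed B"}
    tag, reader = Tag(seeds["pallet-17"]), Reader(seeds)
    first = reader.identify(tag.respond())
    for _ in range(3):                  # three reads by some other reader
        tag.respond()
    resynced = reader.identify(tag.respond())
    for _ in range(5):                  # five more: a whole window is consumed
        tag.respond()
    lost = reader.identify(tag.respond())
    return first, resynced, lost


if __name__ == "__main__":
    print(demo())
```

The last result shows the cost of the constant-time lookup: a tag queried more times than the window allows no longer matches any table entry until the reader searches further ahead.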

slide 42 Avoiding brute force (tree of secrets)
- Tag == leaf of the tree.
- Each tag receives the keys on path from leaf to the root.
- Tag_ij generates pseudonyms as (Key_1(r), Key_2(r), …, F_{k_ij}(r)).
- Reader can decode pseudonym using a depth-first search.
- In the worst case, the reader searches through d·b keys, where d is the depth of the tree, and b is the branching factor
  - compare this to b^d, which is the total number of tags

slide 43 Authentication Workarounds
- No explicit counterfeiting measures whatsoever
- Possible solutions:
  - Repurpose the kill function for limited counterfeit
  - Yoking
    - cryptographic proof that two tags have been scanned simultaneously and evidence (although not proof) that the tags were scanned in physical proximity to one another.
    - Usable only in certain circumstances (pharmacy, aircraft safety)
  - Physical markers
    - Similar to explosive markers
    - Special dyes and packaging

slide 44 HB Protocol
- Created by Nicholas Hopper and Manuel Blum as a tool for secure authentication and identification of unassisted humans to computers.
- Juels and Weis realized that this protocol was actually a natural protocol for the authentication of RFID tags to readers.
- The security of the HB Protocol is based on the underlying hardness of the Learning Parity with Noise (LPN) problem

slide 45 HB Protocol Definitions
- The secret x is a k length binary string (tag ID).
  - The tag needs to prove to the reader that it knows one of the S's on the reader's list of acceptable secrets.
  - The tag only has one secret, but the reader generally has many.
- A query q is also a k length binary string.
  - Produced by the reader.
  - One query is produced for each iteration of the protocol
- Epsilon is a probability, ranging from 0 to ½, that the response calculated by the tag will be flipped: if the correct response was 1, the tag will send back 0, and vice versa.
- Nu equals 1 with probability epsilon.
- Delta is an error factor, ranging from 0 to ½; it defines how close the tag's actual flipping of responses must be to epsilon in order to be accepted

slide 46 Crypto RFID: authentication (HB Protocol)
Goal: authenticate RFID tag to the reader
- Reader: knows secret x; parameter ε
- RFID tag: knows secret x; parameter ε
- ε: chance that response is incorrect
Repeat r times:
1. Reader → tag: k-bit random value a
2. Tag: generate random ν: 1 with prob. ε, else 0
3. Tag → reader: (a · x) ⊕ ν
4. Response correct if it is equal to (a · x)
RFID tag is authenticated if fewer than εr responses are incorrect

slide 47 Crypto RFID: authentication (HB+ Protocol)
Goal: authenticate RFID tag to the reader
- Reader: knows secrets x, y; parameter ε
- RFID tag: knows secrets x, y; parameter ε
Repeat r times:
1. Tag → reader: blinding value b
2. Reader → tag: k-bit random value a
3. Tag: generate random ν: 1 with prob. ε, else 0
4. Tag → reader: (a · x) ⊕ (b · y) ⊕ ν
5. Response correct if it is equal to (a · x) ⊕ (b · y)
RFID tag is authenticated if fewer than εr responses are incorrect
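
The HB rounds of slide 46 and the HB+ rounds of slide 47, simulated as an added example (not part of the original slides). The acceptance rule used here, fewer than (ε + δ)·r wrong responses, is an assumption that adds slide 45's delta to slide 46's threshold (δ = 0 gives the slide's rule); k = 64, r = 400 and ε = δ = 0.125 are constructed values.

```python
import random

RNG = random.SystemRandom()
K = 64   # length of secrets and challenges in bits (constructed value)


def dot(u, v):
    """Inner product over GF(2) of two bit vectors packed into ints."""
    return bin(u & v).count("1") & 1


class Tag:
    """Holds x (HB) or x and y (HB+) and flips each response with probability eps."""

    def __init__(self, x, y=None, eps=0.125):
        self.x, self.y, self.eps = x, y, eps
        self.b = 0

    def blind(self):
        """HB+ only: fresh blinding value b, sent before the reader's challenge."""
        self.b = RNG.getrandbits(K)
        return self.b

    def respond(self, a):
        nu = 1 if RNG.random() < self.eps else 0      # noise bit
        z = dot(a, self.x) ^ nu
        if self.y is not None:
            z ^= dot(self.b, self.y)
        return z


class Guesser:
    """Device that knows no secret and answers every challenge with a coin flip."""

    def blind(self):
        return RNG.getrandbits(K)

    def respond(self, a):
        return RNG.getrandbits(1)


def authenticate(tag, x, y=None, r=400, eps=0.125, delta=0.125):
    """Reader side: run r rounds and return (accepted, number of wrong responses)."""
    wrong = 0
    for _ in range(r):
        b = tag.blind() if y is not None else 0       # HB+ round starts with b
        a = RNG.getrandbits(K)                        # k-bit random challenge
        expected = dot(a, x) ^ (dot(b, y) if y is not None else 0)
        wrong += tag.respond(a) != expected
    return wrong < (eps + delta) * r, wrong


if __name__ == "__main__":
    x, y = RNG.getrandbits(K), RNG.getrandbits(K)
    print("HB,  genuine tag :", authenticate(Tag(x), x))
    print("HB+, genuine tag :", authenticate(Tag(x, y), x, y))
    print("HB,  guesser     :", authenticate(Guesser(), x))
    print("HB,  wrong secret:", authenticate(Tag(x ^ 1), x))
```

A genuine tag produces about εr = 50 wrong responses and a device without the secret about r/2 = 200, so the threshold of 100 separates them; with δ = 0 a genuine tag would land on either side of the threshold about half the time.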

slide 48 Wrapping it up
- Some basic trends are apparent:
  - Pressure to build smaller, cheaper tags without cryptography
    - reverse-engineering a cheap RFID tag unlikely to be hard…
  - Urgent need for cheaper hardware for primitives
  - “Security through obscurity” doesn’t work
- Simple static identifiers are the most naïve
  - How about encrypting ID?
  - How about creating new static identifiers, i.e., “meta-ID”
  - How about a law-enforcement access key?
    - Tag-specific keys require initial release of identity
    - Universal keys subject to interception
- Special properties:
  - RFID tags are close and personal, giving privacy a special dimension
  - RFID tags change ownership frequently
  - Key management will be a major problem
    - Think for a moment after this talk about distribution of kill passwords…
    - Are there good hardware approaches to key distribution, e.g., proximity as measure of trust
- Some privacy is clearly better than for naive approaches

slide 49 Future Work
- Authentication algorithms with human protocols
- New and emerging problems
- Tag identification with delegation, ownership transfer
- Efficient cloning-resistant identification algorithms
- Find New and Improve Existing Algorithms