#1 Privacy in pervasive computing What can technologists do? David Wagner U.C. Berkeley In collaboration with David Molnar, Andrea Soppera, Ari Juels

#2 The tide is turning... Pervasive computing is coming... It’s time to get serious about privacy.

#3 RFID and identification systems Protocols for private identification The challenge of scalability; trees of secrets Outline

#4 Example applications: Electronic passports ID cards and badges Proximity cards, building access control Automatic payment systems (Fastrak, EZPass) Item tagging & tracking, inventory management Key technologies: RFID Contactless smart card Identification systems Challenge: privacy (and security) for ID systems

#5 RFID tags are passive, powered by reader, carry identity Privacy issues: Unwanted tracking of people and items Introduction to RFID Power Identity Reader Tag

#6 Tags might lack writable non-volatile memory Takes more energy to permanently write bits Thus, state might only last as long as tag is powered Cryptography is expensive Public-key out of reach for all but priciest tags AES within reach for mid-class tags? [Feldhofer] Can’t take random number generation for granted Readers might not be network-connected RFID systems are resource-limited

#7 Intended read range  Computation  ISO E-passports, ID cards US$5 ISO Library books US$0.50 EPC WalMart US$ cm 3DES, RSA sym.-key crypto no crypto 1m3m RFID technologies vary widely

#8 normal reader (10cm / 3m) malicious reader (50cm / 15m) eavesdrop on tag (???) Read range? eavesdrop on reader (50m / ???)

#9 Simple trick: Defeating eavesdropping on forward link r m  r “go ahead” wants to send m picks random r Appears in EPC Gen II standards.

#10 A first attempt at defeating eavesdropping and unauthorized tag-reading E k (r, ID) k k “pseudonym” Problem: All tags and readers share the same key k If any tag is compromised, all security is lost If any reader is compromised, all security is lost Risk: Massive data spills.

#11 Take #2: Independently keyed tags r, F ki (r) Scans through all keys to decode kiki “pseudonym” Problem: Doesn’t scale. Takes O(N) work to decode each pseudonym (k 1, ID 1 ) : (k N, ID N )

#12 Private identification protocols Goal: a tag reader protocol, providing: Identification: Authorized reader learns tag’s identity Privacy: Unauthorized readers learn nothing Attacker cannot even link two sightings of same tag Authentication: Tag identity cannot be spoofed Scalability: Can be used with many tags A non-trivial technical challenge, with many possible applications.

#13 A beautiful method for private identification r, F k i (r), F k ij (r) k i, k ij pseudonym More scalable: O(√N) work to decode each pseudonym First, scan all k i to learn i Then, scan all k ij to learn j and thus tag identity : (k i, i) : (i, k ij, ID ij ) : Decodes i, then j

#14 The tree of secrets Tag  leaf of the tree. Each tag receives the keys on path from leaf to the root. Tag ij generates pseudonyms as (r, F k i (r), F k ij (r)). Reader can decode pseudonym using a depth-first search. k0k0 k 00 k 01 k0k0 k 00 k 01 k1k1 k 10 k 11

#15 Analysis: tree of secrets Generalizations: Use any depth tree (e.g., lg N) Use any branching factor (e.g., 2 10 ) Use any other identification scheme (e.g., mutual auth) TheoryA concrete example Number of tags: N 2 20 tags Tag storage:O(lg N) 128 bits Tag work:O(lg N)2 PRF invocations Communications:O(lg N) 138 bits Reader work:O(lg N)2  2 10 PRF invocations Privacy degrades gracefully if tags are compromised

#16 Reducing trust in readers r, F k i (r), F k ij (r) k i, k ij If readers are online, Trusted Center can do decoding for them, and enforce a privacy policy for each tag. No keys stored at reader => less chance of privacy spills. Trusted Center r, F k i (r), F k ij (r) ID ij Reader  (k ij, Policy ij ) 

#17 Reducing trust: Delegation r, F k i (r), F k ij (r) k i, k ij For offline or partially disconnected readers, can delegate power to decode pseudonyms for a single tag to designated readers. Reader workload: O(D) per pseudonym, where D = # of tags delegated to this reader. Trusted Center ID ij k ij  (k ij, Policy ij )  k ij

#18 Time-limited delegation pseudonym ctr, k i, k ij Trusted Center ID ij, L, R {keys} Only good for decoding L-th through R-th pseudonyms from tag ID ij Even less trust: Reader gets access to the next 100 pseudonyms from this tag (say), and nothing more.

#19 k 0000 Enabling time-limited delegation Use GGM at lower levels: (k s0, k s1 ) = G(k s ) Tag uses leaves sequentially Reader gets keys for a subset k0k0 k 00 k 01 k0k0 k 00 k 01 k1k1 k 10 k 11 k 000 k 0001 k 0010 k 0011 k 001

#20 Identification systems: an exciting research area Privacy is central Many non-trivial technical challenges, many opportunities for clever solutions There’s still time to have an impact on deployments Research question: Private identification protocols Tree schemes have useful properties Can we do better? Can do without persistent state? Recent work: Controlling readers with Trusted Computing (to appear at WPES’05) Conclusions