Privacy in Library RFID Attacks and Proposals David Molnar David Wagner {dmolnar,

Presentation transcript:

Privacy in Library RFID Attacks and Proposals David Molnar David Wagner {dmolnar,

Privacy in Libraries
Must protect what patrons are reading
Library only source of info for many
FBI Library Awareness Program
  – , official policy to monitor “suspicious” persons’ reading habits
  – Library privacy laws passed as backlash
  – Even with PATRIOT Act, need court order
Privacy adversaries not limited to FBI
  – Marketers, Scientologists, pick your favorite…

RFID & Library Overview
RFID = Radio Frequency IDentification
One RFID tag per book
Each RFID tag has “bar code” ID number
  – Unique to each book, may identify library
Exit gates read RFID for anti-theft
13.56 MHz passive RFID
  – ISO 15693, Checkpoint, TAGSYS C220
  – Read range depends on antenna size
Deployed in Oakland, Santa Clara, 130+

Why RFID?
Speedy self-checkout
  – reduce library employee RSI (carpal tunnel)
Security devices
  – ensure checkout occurred
Inventory Tracking

Pictures courtesy Santa Clara City Library

Privacy and Ubiquitous Readers
Read range not whole privacy story
Even full in-view readers can be problem
  – Scan at airport security, events, etc.
  – Like metal detectors now
  – Not clear what read or how used
Readers easy to camouflage
  – RFID reader looks like store anti-theft gate

Library RFID Architecture
No authentication between reader and tag
Database maps bar code → (title, status)
Diagram labels: Library database; Bar code

Attack: Book Scanning
Can Mallory scan me and tell what I am reading?
  – No reader-tag authentication
  – Anyone can read tag data
Most deployments data limited to bar code
  – Some vendors suggest more
Need library database
In CA, database protected by law
  – Varies by state

Attack: Hotlisting and Profiling
Hotlisting – is book on special list?
  – It’s real – FBI and almanacs
Profiling – bar code prefix identifies library
  – Is library in predominantly minority area?
Bar code never changes so hotlisting easy
  – Walk into library, read bar code
  – See the book again, recognize book
  – Does not need library database

Attack: Book Tracking
Bar code never changes
Can link different sightings
Track book movement
  – Spatial movement
  – Combine w/video for person-to-person
“This person checked out same book as terrorist”
Does not need library database

“Security Bit” Denial of Service
RFID used for anti-theft
Some vendors store “security bit” on tag
  – Security bit = checked out/not checked out
  – Bit re-written each checkout
ISO tags have “write, then lock”
  – No way to unlock data, no password on lock
Adversary can lock security bit data page
Can’t change security bit → tag useless

Collision Avoidance and Privacy
Collision avoidance protocols identify tag
Example: ISO mandates MFR ID
Read passwords, changing ID, etc. don’t help
Privacy requires attention to all layers
Diagram labels: Mask; Does mask match MFR ID?; Respond if yes

RFID Limitations
RFID powered only when near reader
  – No precomputation, no caching
RFID have few gates (< 5,000 for security)
Randomness difficult on RFID
“Cryptography” extremely hard on RFID
  – Best we can do is a few XOR
Future generation tags focus on price, not on security features

Problem: Private Authentication
Reader does not know tag ID
Authentication must preserve privacy
Privacy and authentication in tension

Random Transaction IDs
Required: rewritable tags
Attacker model: outside the library
On checkout
  – Obtain random # r
  – Write (r, D) to DB
  – Erase D & Write r to tag
On checkin
  – Use r to lookup D
  – Write D to tag

Attacks Against Random IDs
Tracking
  – Possible
  – Only for checkout duration
Hot-listing
  – Not Possible
Comparison-based
  – Not possible
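The checkout and checkin steps of the random transaction ID scheme, with the tracking and hot-listing outcomes listed above checked against them. This is an added example, not code from the presentation; the `Library` class, the dictionary used as a tag, and the sample bar code are constructed for illustration.

```python
import secrets

class Library:
    """Circulation desk for the random transaction ID scheme (constructed model)."""

    def __init__(self):
        self.db = {}                       # r -> D, never leaves the library

    def checkout(self, tag):
        r = secrets.token_hex(8)           # obtain random number r
        self.db[r] = tag["data"]           # write (r, D) to DB
        tag["data"] = r                    # erase D and write r to tag

    def checkin(self, tag):
        d = self.db.pop(tag["data"])       # use r to look up D
        tag["data"] = d                    # write D to tag

def read_tag(tag):
    """No reader-tag authentication, so any reader in range gets the contents."""
    return tag["data"]

def attack_outcomes(bar_code, hotlist):
    """Follow one book through two loans and report what an observer can do."""
    lib, tag = Library(), {"data": bar_code}
    on_shelf = read_tag(tag)               # inside the library (outside attacker model)
    lib.checkout(tag)
    first, second = read_tag(tag), read_tag(tag)   # two sightings, same loan
    lib.checkin(tag)
    lib.checkout(tag)
    next_loan = read_tag(tag)              # sighting during a later loan
    return {
        "hotlist_hit_on_shelf": on_shelf in hotlist,
        "hotlist_hit_on_loan": first in hotlist,
        "linkable_within_loan": first == second,
        "linkable_across_loans": first == next_loan,
    }

BAR_CODE = "31223004567890"                # constructed sample bar code
print(attack_outcomes(BAR_CODE, hotlist={BAR_CODE}))
```

The bar code is still readable while the book sits on the shelf, which is why the slide restricts the attacker model to outside the library.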

Password Enhancement
Eavesdropping
  – Not the same in the two channels
  – Tag to Reader is Harder
Diagram labels: Hello; r; cmd, p=r  s

Good and Bad of Passwords
Good
  – low computation cost
  – s remains secure (info-theoretically!)
  – r is independent of book info, cannot be tracked
Bad
  – Requires randomness on tag
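A model of the password exchange from the two slides above, showing why the secrecy of s rests on the tag-to-reader channel being hard to overhear. This is an added example, not code from the presentation. It assumes the operator missing between r and s in the transcript is XOR, in line with the "few XOR" budget on the RFID Limitations slide; the class, function names and sample password are hypothetical.

```python
import secrets

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Tag:
    """Tag holding password s; accepts a command only with p = r XOR s (assumed)."""

    def __init__(self, s):
        self.s, self.r = s, None

    def hello(self):
        self.r = secrets.token_bytes(len(self.s))   # fresh r: needs randomness on tag
        return self.r

    def command(self, cmd, p):
        ok = self.r is not None and xor(p, self.r) == self.s
        self.r = None                      # each r is good for one command only
        return ok                          # a real tag would now execute cmd

def run_session(tag, s, cmd):
    """Legitimate reader. Returns (accepted, back_channel, forward_channel)."""
    r = tag.hello()                        # tag -> reader: weak signal, harder to hear
    p = xor(r, s)                          # reader -> tag: strong signal, easy to hear
    return tag.command(cmd, p), r, p

def forward_only_replay(tag, overheard_p, cmd):
    """An observer who heard only p replays it in a new session with a fresh r."""
    tag.hello()
    return tag.command(cmd, overheard_p)

def revealed_by_both_channels(r, p):
    """If r is overheard as well, r XOR p is the password itself."""
    return xor(r, p)

S = bytes.fromhex("0123456789abcdef")      # constructed sample password
TAG = Tag(S)
accepted, r, p = run_session(TAG, S, b"unlock")
print(accepted, forward_only_replay(TAG, p, b"unlock"),
      revealed_by_both_channels(r, p) == S)
```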

Private Authentication
Every tag has a secret
  – DB has all (secret, ID) pairs
Basic ID
  – Reader sends a nonce
  – Tag sends new nonce
  – Tag sends ID  f(s, 0, nonce 1, nonce 2)
  – Reader checks the whole DB
Problems?

Tree-based
Set it all up as a binary balanced tree
log(n) rounds
  – Check if the secret is on the left or right
  – Get down to a single leaf
Advanced version
  – 1 million tags
  – 168 bits of communication
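An added sketch, not from the presentation, comparing the reader's search work in the basic scheme (check the whole DB) with the tree walk (left or right at each level). Assumptions: f is stood in for by HMAC-SHA256, the tag's reply is reduced to f(secret, nonce 1, nonce 2) without the ID term, and each tag stores one secret per tree level; all names and sizes are hypothetical.

```python
import hashlib, hmac, itertools, secrets

def f(secret, n1, n2):
    # PRF stand-in (assumption: the slides only name it f): HMAC-SHA256
    return hmac.new(secret, n1 + n2, hashlib.sha256).digest()

def make_secrets(depth):
    # One secret per tree node; a node is named by its path from the root.
    # The tag at leaf "0110" stores the secrets of "0", "01", "011", "0110".
    return {"".join(bits): secrets.token_bytes(16)
            for d in range(1, depth + 1)
            for bits in itertools.product("01", repeat=d)}

def tag_reply(secret, n1):
    n2 = secrets.token_bytes(8)            # tag's own nonce
    return n2, f(secret, n1, n2)

def identify_linear(node_secrets, depth, tag_leaf):
    """Basic scheme: one round, the reader tries every tag secret in the DB."""
    n1 = secrets.token_bytes(8)
    n2, reply = tag_reply(node_secrets[tag_leaf], n1)
    work = 0
    for leaf in (p for p in node_secrets if len(p) == depth):
        work += 1
        if hmac.compare_digest(f(node_secrets[leaf], n1, n2), reply):
            return leaf, work
    return None, work

def identify_tree(node_secrets, depth, tag_leaf):
    """Tree scheme: one round per level, the reader tries left then right."""
    prefix, work = "", 0
    for level in range(1, depth + 1):
        n1 = secrets.token_bytes(8)
        n2, reply = tag_reply(node_secrets[tag_leaf[:level]], n1)
        for child in (prefix + "0", prefix + "1"):
            work += 1
            if hmac.compare_digest(f(node_secrets[child], n1, n2), reply):
                prefix = child
                break
        else:
            return None, work              # reply matches neither child
    return prefix, work

DEPTH = 10                                 # 1,024 tags (constructed size)
SECRETS = make_secrets(DEPTH)
print(identify_linear(SECRETS, DEPTH, "1" * DEPTH))   # ('1111111111', 1024)
print(identify_tree(SECRETS, DEPTH, "1" * DEPTH))     # ('1111111111', 20)
```

The work counter is the number of PRF evaluations on the reader: up to n for the basic scheme against at most 2·log2(n) for the tree.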

Summary
Library RFID is here now
All today’s technology has privacy flaws
Privacy is achievable efficiently
Work still ongoing

Acknowledgements
Many, many people to thank! In no particular order: Peter Warfield, Karen Duffy (Santa Clara City Library), Karen Saunders (Santa Clara City Library), Susan Hildreth (San Francisco Public Library), Al Skinner (Checkpoint), Paul Simon (Checkpoint), Doug Karp (Checkpoint), Rebekah E. Anderson (3M), Jackie Griffin (Berkeley Public Library), Elena Engel (BPL), Alicia Abramson (BPL), Lee Tien (Electronic Frontier Foundation), Dan Moniz (EFF), Laura Quilter (Boalt Hall School of Law, UC-Berkeley), Jennifer Urban (Boalt), Nathaniel Good (SIMS), Samuelson Technology and Policy Law Clinic at Boalt Hall School of Law, Elizabeth Miles (Boalt), John Han (SIMS), Ross Stapleton-Gray, Eric Ipsen, Oleg Boyarsky (Library Automation/FlashScan), Laura Smart (Library RFID Weblog/Cal State Pomona), Craig K. Harmon (ISO committee), Justin Chen (SVCWireless RFID SIG), Steve Halliday (ISO committee), Zulfikar Ramzan (NTT DoCoMo), Craig Gentry (NTT DoCoMo), Hoeteck Wee, Matt Piotrowski, Jayanth Kumar Kannan, Kris Hildrum, David Schultz, and Rupert Scammell (RSA Security).

Questions?