Enabling Secure Secret Updating for Unidirectional Key Distribution in RFID-Enabled Supply Chains Shaoying Cai 1, Tieyan Li 2, Changshe Ma 1, Yingjiu Li.

Presentation transcript:

Enabling Secure Secret Updating for Unidirectional Key Distribution in RFID-Enabled Supply Chains
Shaoying Cai 1, Tieyan Li 2, Changshe Ma 1, Yingjiu Li 1, Robert H. Deng 1
1 Singapore Management University (SMU)
2 Institute for Infocomm Research (I2R)
15 Dec ICICS 2009, Beijing, China

ICICS’09 - RFID Security 2
Outline
Introduction
The problem
– Security requirements in RFID-enabled supply chains
– Secret sharing approach and JPP mechanism
– Our observations
The protocol
– Secure secret updating protocol
– Security properties
– Comparisons
– Implementation considerations
– Security proof
Conclusions

Introduction: RFID systems
RFID technology has greatly facilitated supply chains.
– All the evidence (standardization; big promoters, adopters, …) shows that a new age is coming.
– Security, visibility and efficiency are three equally important requirements.
Reader (transceiver): reads data off the tags without direct contact
Radio signal (contactless): range from 3-5 inches to 100 yards
Database: matches tag IDs to physical objects
Tags (transponders): attached to objects, “call out” identifying data on a special radio frequency
Perfect working conditions for attackers!

RFID-Enabled Supply Chain
Source: Lyngsoe
– Increase visibility
– Lower uncertainty
– Prevent loss
– Reduce counterfeiting
– Improve efficiency

The problem
Usually, EPC tags are used in supply chains
– They are extremely cheap, so no true cryptographic functionality can be implemented on them.
– Maintaining a synchronized and ubiquitous database is truly hard.
– Thus, almost all privacy-enhanced authentication protocols (more than hundreds) fail on practicability.
Only explicit EPC privacy feature: Kill
– On receiving a tag-specific Kill PIN, the tag self-destructs.
– Who will own these Kill PINs? Or who will kill the tags, at the end of the supply chain or the end users?
But supply chain partners:
– Don’t want to manage Kill PINs, and how?
– Have no channel to communicate secret keys downstream in the supply chain.
Key distribution is an essential problem!

Supply chain characteristics
An RFID-enabled supply chain typically features:
– No pre-existing trust relationship: a case might come from or go to any non-trusted party.
– Unidirectional downsizing: de-packing and re-packing into smaller sized aggregates at downstream parties.
– Compulsory processing orders: only dispersion, no combination

Secret sharing approach
Idea: Apply secret sharing to spread a secret key across multiple tags, e.g., (s1, s2, s3, …)
Collecting enough shares can recover the key
Individual shares / small sets reveal no information

JPP mechanism (Juels et al. Usenix Sec. 08)
Encrypt tag data under secret key
Apply secret sharing to spread key across tags in case, e.g., (s1, s2, s3, …)
[Figure: tags carrying E(m1), s1; E(m2), s2; E(m3), s3. Example tag data: Supersteroids 500mg; 100 count; Serial #87263YHG; Mfg: ABC Inc.; Exp: 6 Mar 2010]

JPP mechanism (Juels et al. Usenix Sec. 08)
SWISS (Sliding Window Information Secret-Sharing)
Given  2 out of 4 s i, get corresponding  i
[Figure: shares s1, s2, s3, s4, s5, s6 with labels 1 to 6]

Our observations
JPP mechanism is vulnerable to tracking:
– A tag T_i always sends the same reply (S_i, M_i) to any reader who queries it. Although an adversary may not get enough shares to decrypt the content of the tag, the never-changing reply can be used by the adversary to track the tag.
JPP mechanism is vulnerable to counterfeiting:
– As the publicly accessible message (S_i, M_i) is used for a reader to identify the tag T_i, an adversary can easily fabricate a tag that also sends (S_i, M_i), and replace the tagged item with the fabricated tag.
JPP mechanism features a monopolistic key assignment model:
– A monopoly (typically the manufacturer of the goods) pre-assigns all the keys (shares) to the tags according to a fixed secret sharing scheme with conjectured parameters.
– This one-size-fits-all solution restricts the realistic deployment of the JPP mechanism.

Secret updating protocol
JPP mechanism
– A tag T_i stores (S_i, M_i) only.
– Where S_i is the share of T_i and M_i is the (encrypted) information carried on the tag.
Our protocol
– A tag T_i stores (S_i, M_i, c_i).
– Where c_i is the individual secret key of T_i, derived from the common secret k, for the purpose of authenticating the reader.
During updating
– Old secret key k is replaced with a new secret key k′;
– Old (t, n) threshold scheme is replaced with a new (t′, n′) scheme, according to new requirements;
– Old share S_i is replaced with new share S′_i;
– Old values (S_i, M_i, c_i) of a tag T_i are updated with new values (S′_i, M′_i, c′_i).

Secret updating protocol

Security properties
Authoritative access to RFID tags
– The security of the secret update protocol relies on the confidentiality of the shared secret c_i.
– Given an update message (A, B, C), only the one who knows the value of c_i can obtain the new values (S′_i, M′_i, c′_i).
Authenticity of tags
– A tag T_i is authenticated with any privacy-enhanced authentication scheme (e.g., a challenge-response authentication protocol).
Forward secrecy
– A tag T_i is updated with new values (S′_i, M′_i, c′_i), which are totally independent from its previous values (S_i, M_i, c_i).
Untraceability
– The protocol messages are updated in different sessions.
– However, an active adversary may still be able to correlate identifiers (S_i or S′_i).

Comparison
[4] A. Juels, R. Pappu, and B. Parno. Unidirectional key distribution across time and space with applications to RFID security. USENIX Security’08.
[10] Y. Li and X. Ding. Protecting RFID Communications in Supply Chains. ASIACCS’07.
[11] David Molnar and David Wagner. Privacy and Security in Library RFID: Issues, Practices, and Architectures. ACM CCS
[12] Miyako Ohkubo, Koutarou Suzuki, and Shingo Kinoshita. Efficient Hash-Chain Based RFID Privacy Protection Scheme. Ubicomp 2004.

Implementation considerations
JPP mechanism implemented a (15, 20) threshold secret sharing scheme.
– For 20 available tags, a reader needs to collect at least 15 tags’ shares to successfully recover the secret key and decrypt the encrypted information.
– It employs an “Alien Squiggle” Gen2 tag, of which 16 bits are used for storing a single share and 80 bits are used for storing the encrypted identity.
– WORM memory (Write-once, Read-many times) is required.
In our protocol, (S_i, M_i) is replaced with (S′_i, M′_i, c′_i), which requires additional memory space for storing c′_i
– It is equivalent to 160 bits and can be put into the “User” memory bank.
– Rewritable memory is required, and it perhaps needs an “access password” to access the memory.
– The access password can be derived from the decrypted key “k”.
How to determine the threshold in real applications?
– Less than a certain upper bound, to maximally tolerate reading or erasure errors
– Greater than a certain lower bound, to guarantee the robustness of key recovery
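The (15, 20) threshold behaviour above and the re-keying step from the "Secret updating protocol" slide, as an added example that is not code from the presentation. It uses Shamir's scheme over a prime field as a stand-in for the sharing scheme on the tags; the HMAC-based derivation of c_i and the (3, 5) downstream parameters are assumptions, and the (A, B, C) update message is not modelled.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1  # prime field modulus (assumption; real tags hold 16-bit shares)

def split(key, t, n):
    """Shamir (t, n) sharing: key is the constant term of a random degree t-1 polynomial."""
    coeffs = [key] + [secrets.randbelow(P) for _ in range(t - 1)]
    def f(x):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod P
            y = (y * x + c) % P
        return y
    return [(x, f(x)) for x in range(1, n + 1)]

def recover(shares):
    """Lagrange interpolation at x = 0 over the shares a reader collected."""
    key = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        key = (key + yi * num * pow(den, -1, P)) % P
    return key

def tag_secret(key, tag_index):
    """Hypothetical derivation of c_i from k: HMAC-SHA256 truncated to 160 bits."""
    mac = hmac.new(key.to_bytes(16, "big"), tag_index.to_bytes(2, "big"), hashlib.sha256)
    return mac.digest()[:20]

def update(n_new, t_new):
    """Pick a fresh key k' and re-share it under a new (t', n') scheme."""
    k_new = secrets.randbelow(P)
    shares = split(k_new, t_new, n_new)
    return k_new, [(s, tag_secret(k_new, s[0])) for s in shares]

if __name__ == "__main__":
    k = secrets.randbelow(P)
    case = split(k, 15, 20)                  # the (15, 20) scheme from the slide
    print("15 shares recover k:", recover(case[:15]) == k)
    print("14 shares recover k:", recover(case[:14]) == k)
    k2, repacked = update(n_new=5, t_new=3)  # constructed downstream parameters
    print("old reply reusable after update:", case[0] in [s for s, _ in repacked])
```

Because k′ and its polynomial are drawn fresh, the new shares carry no information about the old ones, which is the independence the forward-secrecy slide relies on.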

Security proof (sketch)
1. The privacy game:
   1. Setup phase: the game initializes the RFID system.
   2. Learning phase: the adversary A performs a series of queries to enlarge its knowledge base about the RFID system.
   3. Challenge phase: the adversary A chooses two tags. Then, a tag is chosen by randomly updating one of the two tags. After this, the updated tag is given to the adversary as a challenge tag for him to distinguish it from the original two tags.
2. We conclude that an RFID system is private if there exists no probabilistic polynomial-time adversary A whose advantage is non-negligible to win the privacy game.
3. We then prove that the secret sharing scheme is private.
4. Theorem: the proposed RFID protocol is private if the underlying secret sharing scheme is private.

Conclusions
We tackle the key distribution problem in RFID-enabled supply chains.
We investigate the secret sharing approaches and particularly the JPP mechanism.
We propose a secure and flexible secret updating protocol to improve the original JPP mechanism.
Our protocol provides sound security properties, desirable flexibility and proved privacy.
However, our protocol requires more powerful tags to pay for additional security and functionality.
Future points: Verifiable Secret Sharing; Confidentiality + Access Control; Real experiments/deployments; etc.

Q & A
Contact: (for Post-doc position)
Web:
Call for participants: RFIDsec’10 Asia, Feb. 2009, Singapore
Thank you!