1. New Directions in Reliability, Security and Privacy in Radio Frequency Identification Systems
Leonid Bolotnyy
Gabriel Robins
Department of Computer Science University of Virginia

2. Talk Outline Introduction to RFID Reliable Object Identification
Multi-Tag RFID Systems
Physical Security and Privacy
PUF-Based Algorithms
Inter-Tag Communication
Generalized Yoking-Proofs
Common Themes and Conclusion

3. Talk Outline Introduction to RFID Reliable Object Identification
Multi-Tag RFID Systems
Physical Security and Privacy
PUF-Based Algorithms
Inter-Tag Communication
Generalized Yoking-Proofs
Common Themes and Conclusion

4. General RFID System
Tag ID
Tags
Reader
Local Server

5. Introduction to RFID Tags types:
passive
semi-passive
active
Tags types:
Frequencies: Low (125KHz), High (13.56MHz), UHF (915MHz)
Coupling methods:
reader
antenna
signal
Inductive coupling
Backscatter coupling

6. RFID History
1960
1935
1973
1999
What’s next?
1999
2006
2004

7. Talk Outline Introduction to RFID Reliable Object Identification
Multi-tag RFID Systems
Physical Security and Privacy
PUF-Based Algorithms
Inter-Tag Communication
Generalized Yoking-Proofs
Common Themes and Conclusion

8. Obstacles of Reliable Identification
Bar-codes vs. RFID
line-of-sight
scanning rate
Object detection obstacles
radio noise is ubiquitous
liquids and metals are opaque to RF
milk, water, juice
metal-foil wrappers
temperature and humidity
objects/readers moving speed
object occlusion
number of objects grouped together
tag variability and receptivity
tag aging

9. Case Studies Defense Logistics Agency trials (2001)
3% of moving objects did not reach destination
20% of tags recorded at every checkpoint
2% of a tag type detected at 1 checkpoint
some tags registered on arrival but not departure
Wal-Mart experiments (2005)
90% tag detection at case level
95% detection on conveyor belts
66% detection inside fully loaded pallets

10. Multi-Tag RFID
Use Multiple tags per object to increase reliability of object detection/identification

11. The Power of an Angle Inductive coupling: distance ~ (power)1/6
Far-field propagation: distance ~ (power)1/2
B-field β
power ~ sin2(β)
Optimal Tag Placement: 1 4 3 2

12. Equipment and Setup Equipment Setup empty roomx4 x1 x8 x1
x100’s
x100’s
Setup
empty room
20 solid non-metallic & 20 metallic and liquid objects
tags positioned perpendicular to each other
tags spaced apart
software drivers

13. Experiments Read all tags in reader’s field Randomly shuffle objects
Compute average detection rates
Variables
reader type
antenna type
tag type
antenna power
object type
number of objects
number of tags per object
tags’ orientation
tags’ receptivity

14. Linear Antennas
1Tag: 58%
2Tags: 79%
3Tags: 89%
4Tags: 93%

15. Circular Antennas
1Tag: 75%
2Tags: 94%
3Tags: 98%
4Tags: 100%

16. Linear Antennas vs. Multi-tags
Power = 31.6dBm
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
Object Number
Detection Probability
2 Readers, 2 Tags 84.5%
Δ= 5.2%
Δ=19.8%
1 Reader, 2 Tags 79.3%
Δ=14.4%
Δ=21.3%
2 Readers, 1 Tag %
Δ= 6.9%
1 Reader, 1 Tag %

17. Importance of Tag Orientation
12%
21%
25%
-7%

18. Detection in Presence of Metals & Liquids
Power=31.6dBm, No Liquids/Metals
Power=31.6dBm, With Liquids/Metals
Power=27.6dBm, No Liquids/Metals
Power=27.6dBm, With Liquids/Metals
Circular Antenna
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9 1 2 3 4
Number of Tags
Detection Probability
Decrease in solid/non-liquid object detection
Significant at low power
Similar results for linear antennas

19. Varying Number of Objects
Experiment 1: 15 solid non-metallic & 15 liquids and metals
Experiment 2: 20 solid non-metallic & 20 liquids and metals
Metals & Liquids
∆ : 3%-13%

20. Applications of Multi-Tags
Reliability
Availability
Localization
Safety

21. More Applications Security Theft Prevention Packaging
Tagging Bulk Materials

22. Economics of Multi-Tags
Year
Cost
Rapid decrease in passive tag cost
5 cent tag expected in 2008
1 penny tag in a few years

23. Cost Trends
Time

24. Multi-Tag Conclusion Unreliability of object detection
radio noise is ubiquitous
liquids and metals are opaque to RF
milk, water, juice
metal-foil wrappers
temperature and humidity
objects/readers moving speed
object occlusion
number of objects grouped together
tag variability and receptivity
tag aging
$0.00
$0.20
$0.40
$0.60
$0.80
$1.00
2001
2002
2003
2004
2005
2006
2007
2008
2011
Historical Cost
Prediction Cost
Many useful applications
Favorable economics

25. Talk Outline Introduction to RFID Reliable Object Identification
Multi-tag RFID Systems
Physical Security and Privacy
PUF-Based Algorithms
Inter-Tag Communication
Generalized Yoking-Proofs
Common Themes and Conclusion

26. Motivation Digital crypto implementations require 1000’s of gates
Low-cost alternatives
Pseudonyms / one-time pads
Low complexity / power hash function designs
Hardware-based solutions
MD4
7350
MD5
8400
SHA-256
10868
Yuksel
1701
AES
3400
algorithm
# of gates

27. PUF-Based Security Physical Unclonable Function [Gassend et al 2002]
PUF security is based on
wire delays
gate delays
quantum mechanical fluctuations
PUF characteristics
uniqueness
reliability
unpredictability
PUF assumptions
Infeasible to accurately model PUF
Pair-wise PUF output-collision probability is constant
Physical tampering will modify PUF

28. Individual Privacy in RFIDB C
Alice was here: A, B, C
privacy

29. Hardware Tampering Privacy Models
Allow adversary to tamper with tag’s memory
Cannot provide privacy without restricting adversary
- simple secret overwrite allows tag tracking
Restrict memory tampering functions
- allow bit flips
read-proof
tamper-proof
2. Purely physical privacy
- no digital secrets
3. Detect privacy compromise
- detect PUF modification

30. Private Identification Algorithm
Database
ID1, p(ID1), p2(ID1), …, pk(ID1)
...
IDn, pn(IDn), pn2(IDn), …, pnk(IDn) ID ID
p(ID)
Request
It is important to have
a reliable PUF
no loops in PUF chains
no identical PUF outputs
Assumptions
no denial of service attacks (e.g., passive adversaries, DoS detection/prevention mechanisms)
physical compromise of tags not possible

31. PUF-Based Ownership Transfer
To maintain privacy we need
ownership privacy
forward privacy
Physical security is especially important
Solutions
public key cryptography (expensive)
knowledge of owners sequence
short period of privacy
trusted authority

32. PUF-Based MAC Algorithms
MAC = (K, τ, υ) K
valid signature σ : υ (M, σ) = 1
forged signature σ’ : υ (M’, σ’) = 1, M = M’
MAC based on PUF
Motivation: “yoking-proofs”, signing sensor data
large keys (PUF is the key)
cannot support arbitrary messages
Assumptions
adversary can adaptively learn poly-many (m, σ) pairs
signature verifiers are off-line
tag can store a counter (to timestamp signatures)

33. Large Message Space
Assumption: tag can generate good random numbers (can be PUF-based)
Key: PUF
σ (m) = c, r1, ..., rn, pc(r1, m), ..., pc(rn, m)
Signature verification
requires tag’s presence
password-based or in radio-protected environment (Faraday Cage)
learn pc(ri, m), 1 ≤ i ≤ n
verify that the desired fraction of PUF computations is correct
To protect against hardware tampering
authenticate tag before MAC verification
store verification password underneath PUF

34. Small Message Space Assumption: small and known a priori message space
Key[p, mi, c] = c, pc(1)(mi), ..., pc(n) (mi)
PUF
message
counter
PUF reliability is again crucial
σ(m) = c, pc(1)(m), ..., pc(n) (m), ,
c+q-1, pc+q-1(1)(m), pc+q-1(n)(m)
sub-signature
Verify that the desired number of sub-signatures are valid

35. Attacks on MAC Protocols
original
clone
Impersonation attacks
manufacture an identical tag
obtain (steal) existing PUFs
Modeling attacks
build a PUF model to predict PUF’s outputs
Side-channel attacks
algorithm timing
power consumption
Hardware-tampering attacks
physically probe wires to learn the PUF
physically read-off/alter keys/passwords

36. Conclusions and Future Work
Hardware primitive for RFID security
Identification, MAC, Ownership Transfer,
and Tag Authentication Algorithms
Properties:
Physical keys
Protect tags from physical attacks
New attack models
Future Work:
Design new PUF
Manufacture and test PUF
Develop PUF theory
New attack models

37. Talk Outline Introduction to RFID Reliable Object Identification
Multi-tag RFID Systems
Physical Security and Privacy
PUF-Based Algorithms
Inter-Tag Communication
Generalized Yoking-Proofs
Common Themes and Conclusion

38. Inter-Tag Communication in RFID
Idea: Heterogeneity in ubiquitous computing
Applications:

39. “Yoking-Proofs”
Yoking: joining together / simultaneous presence of multiple tags
Key Observation: Passive tags can communicate
with each other through reader
Problem Statement: Generate proof that a group of passive tags were identified nearly-simultaneously
Applications – verify that:
medicine bottle sold together with instructions
tools sold together with safety devices
matching parts were delivered together
several forms of ID were presented

40. Assumptions and Goals Assumptions Solution Goals Timer on-board a tag
Tags are passive
Tags have limited computational abilities
Tags can compute a keyed hash function
Tags can maintain some state
Verifier is trusted and powerful
Solution Goals
Allow readers to be adversarial
Make valid proofs improbable to forge
Allow verifier to verify proofs off-line
Detect replays of valid proofs
Timer on-board a tag
Capacitor discharge can implement timeout

41. Generalized “Yoking-Proof” Protocol
Idea: construct a chain of mutually dependent MACs 1 2 3 5 4
Anonymous Yoking: tags keep their identities private

42. Related Work on “Yoking-Proofs”
Juels [2004]
protocol is limited to two tags
no timely timer update (minor/crucial omission)
Saito and Sakurai [2005]
solution relies on timestamps generated by trusted database
violates original problem statement
one tag is assumed to be more powerful than the others
vulnerable to “future timestamp” attack
Piramuthu [2006]
discusses inapplicable replay-attack problem of Juels’ protocol
independently observes the problem with Saito/Sakurai protocol
proposed fix only works for a pair of tags
violates original problem statement

43. Talk Outline Introduction to RFID Reliable Object Identification
Multi-tag RFID Systems
Physical Security and Privacy
PUF-Based Algorithms
Inter-Tag Communication
Generalized Yoking-Proofs
Common Themes and Conclusion

44. Common Themes PUF-Based Security and Privacy Multi-Tags RFID
Generalized “Yoking-Proofs”

45. Conclusion and Future Research
Contributions
Future Research
More multi-tag tests
Object localization using multi-tags
Split tag functionality between tags
Prevent adversarial merchandize inventorization
PUF design
More examples of inter-tag communication
Applications of RFID

46. Publications
L. Bolotnyy and G. Robins, Multi-tag Radio Frequency Identification Systems, IEEE Workshop on Automatic Identification Advanced Technologies (Auto-ID), Oct
L. Bolotnyy and G. Robins, Randomized Pseudo-Random Function Tree Walking Algorithm for Secure Radio-Frequency Identification, IEEE Workshop on Automatic Identification Advanced Technologies (Auto-ID), Oct
L. Bolotnyy and G. Robins, Generalized “Yoking Proofs” for a Group of Radio Frequency Identification Tags, International Conference on Mobile and Ubiquitous Systems (Mobiquitous), San Jose, CA, July 2006.
L. Bolotnyy and G. Robins, Physically Unclonable Function -Based Security and Privacy in RFID Systems, IEEE International Conference on Pervasive Computing and Communications (PerCom), New York, March 2007.
L. Bolotnyy, S. Krize, and G. Robins, The Practicality of Multi-Tag RFID Systems, International Workshop on RFID Technology - Concepts, Applications, Challenges (IWRT), Madeira, Portugal, June 2007.
L. Bolotnyy and G. Robins, The Case for Multi-Tag RFID Systems, International Conference on Wireless Algorithms, Systems and Applications (WASA), Chicago, Aug
L. Bolotnyy and G. Robins, Multi-Tag RFID Systems, International Journal of Internet and Protocol Technology, Special issue on RFID: Technologies, Applications, and Trends, 2(3/4), 2007.
1 conference and 1 journal paper in submission
2 invited book chapters in preparation Security in RFID and Sensor Networks, to be published by Auerbach Publications, CRC Press, Taylor&Francis Group

47. More Successes
Deutsche Telekom (largest in EU) offered to patent our multi-tags idea.
Received $450,000 NSF Cyber Trust grant, 2007 (PI: Gabriel Robins).
Technical Program Committee member: International Workshop on RFID Technology - Concepts, Applications, Challenges (IWRT), Barcelona, Spain, June 2008.
Our papers and presentation slides used in lecture-based undergraduate/graduate courses (e.g., Rice University,
George Washington University).

49. lbol@cs.virginia.edu www.cs.virginia.edu/~lb9xk
Thank You!
Dissertation Committee: Gabriel Robins (advisor), Dave Evans, Paul Reynolds, Nina Mishra, and Ben Calhoun
Stephen Wilson, Blaise Gassend, Daihyun Lim,
Karsten Nohl, Patrick Graydon, and Scott Krize
Questions?

50. BACK UP SLIDES NOT USED DURING PRESENTATION

51. Types of Multi-Tags Redundant Tags Complimentary Tags Dual-Tags
Own Memory Only
Shared Memory Only
Own and Shared Memory
Triple-Tags
n-Tags

52. Controlling Variables
Radio noise
Tag variability
Reader variability
Reader power level
Distance to objects & type, # of antennas

53. Circular Antennas vs. Multi-Tags
Power = 31.6dBm 1
0.9
0.8
0.7
Detection Probability
0.6
1 Reader, 1 Tag %
2 Readers, 1 Tag %
1 Reader, 2 Tags 94.2%
2 Readers, 2 Tags 99.4%
Δ=18.3%
Δ=8.4%
Δ= 5.2%
Δ=3.2%
Δ= 15.1%
0.5
0.4
0.3 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
Object Number

54. Power Decrease in detection with decrease in power
1 Tag
2 Tags
3 Tags
4 Tags
Decrease in detection with decrease in power
More rapid decrease in detection for circular antennas

55. Multi-Tags on Metals and Liquids
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1 Tag
2 Tags
3 Tags
Antenna #1
Antenna #2
Antenna #1 and #2
Number of Tags
Detection Probability
Power=31.6dBm, Circular Antennas
Power=31.6dBm, Linear Antennas
Power=27.6dBm, Circular Antennas
Power=27.6dBm, Linear Antennas
Low detection probabilities
Drop in detection at low power
Linear antennas outperform circular
Multi-tags better than multiple readers

56. Detection Delta
0.030
0.014
0.029
0.036 1
tag 2
tags 3
tags 1
tag 2
tags 3
tags 1
tag 2
tags 3
tags 1
tag 2
tags 3
tags

57. Anti-Collision Algorithms
Redundant Tags
Connected-Tags
Binary
No Effect
Binary Variant
Randomized
Linear Increase**
No Effect*
STAC
Causes DoS
Slotted Aloha
* Assuming tags communicate to form a single response
** If all tags are detected

58. Business Case for RFID Costs & benefits (business case)
Moore’s law
higher employee productivity
automated business processes
workforce reduction
Tag manufacturing yield and testing
30% of chips damaged during manufacturing
15% damaged during printing [U.S. GAO]
20% tag failure rate in field [RFID Journal]
5% of tags purchased marked defective

59. RFID Tag Demand Demand drivers Cost effective tag design techniques
tag cost
desire to stay competitive
Increase in RFID tag demand
Decrease in RFID tag cost
Cost effective tag design techniques
memory design (self-adaptive silicon)
assembly technology (fluidic self assembly)
antenna design (antenna material)

60. Thesis
Multi-tags can considerably improve reliability in RFID systems at a reasonable cost;
effective PUF implementations can enable hardware-tampering resistant algorithms for RFID security and privacy;
generalized yoking-proofs can provide auditing mechanisms for the near-simultaneous reading of multiple RFID tags.

61. Related Work on PUF Optical PUF [Ravikanth 2001]
Silicon PUF [Gassend et al 2002]
Design, implementation, simulation, manufacturing
Authentication algorithm
Controlled PUF
PUF in RFID
Identification/authentication [Ranasinghe et al 2004]
Off-line reader authentication using public key cryptography [Tuyls et al 2006]

62. Privacy Model Experiment:
A passive adversary observes polynomially-many rounds of reader-tag communications with multiple tags
An adversary selects 2 tags
The reader randomly and privately selects one of the 2 tags and runs one identification round with the selected tag
An adversary determines the tag that the reader selected
Definition: The algorithm is privacy-preserving if an adversary can not determine reader selected tag with probability substantially greater than ½
Theorem: Given random oracle assumption for PUFs,
an adversary has no advantage in the above experiment.

63. Improving Reliability of Responses
Run PUF multiple times for same ID & pick majority
μm(1-μ)N-m )k
R(μ, N, k) ≥ (1 - ∑ N m
N+1 2 m=
number of runs
chain length
unreliability
probability
overall
reliability
R(0.02, 5, 100) ≥ 0.992
Create tuples of multi-PUF computed IDs & identify a tag based on at least one valid position value ∞
expected number of identifications
S(μ, q) = ∑ i [(1 – (1-μ)i+1)q - (1 – (1-μ)i)q]
i=1
tuple size
S(0.02, 1) = 49, S(0.02, 2) = 73, S(0.02, 3) = 90
(ID1, ID2, ID3)

64. Choosing # of PUF Computations
probv(n, 0.1n, 0.02)
i=t+1
μi(1-μ)n-i
probv(n, t, μ) = 1 - ∑ n i
probf(n, 0.1n, 0.4)
j=t+1
τj(1-τ)n-j
probf(n, t, τ) = 1 - ∑ n j
α < probv ≤ 1 and probf ≤ β ≤ 1
0 ≤ t ≤ n-1

65. MAC Large Message Space Theorem
Given random oracle assumption for a PUF,
the probability that an adversary could forge a signature for a message is bounded from above by the tag impersonation probability.

66. MAC Small Message Space Theorem
Given random oracle assumption for a PUF, the probability that an adversary could forge a signature for a message is bounded by the tag impersonation probability times the number of sub-signatures.

67. Purely Physical Ownership Transfer
r0, c1, ..., cn
oid = h(counter)
r1, a = hs(r0, r1)
(r1, a)
counter = counter - 1
hs(r1, new)
s = poid(v1) poid(vn)
v1 = h(c1), ..., vn = h(cn) +
Challenges sent to tag in increasing order
Properties:
All PUF computations must be correct
PUF-based random number generator
Physical write-once counter
oid is calculated for each identification
Inherently limited # of owners

68. Using PUF to Detect and Restore Privacy of Compromised System
Detect potential tag compromise
Update secrets of affected tags

69. PUF vs. Digital Hash Function
MD4
7350
MD5
8400
SHA-256
10868
Yuksel
1701
PUF
545
AES
3400
algorithm
# of gates
Reference PUF: 545 gates for 64-bit input
6 to 8 gates for each input bit
33 gates to measure the delay
Low gate count of PUF has a cost
probabilistic outputs
difficult to characterize analytically
non-unique computation
extra back-end storage
Different attack target for adversaries
model building rather than key discovery
Physical security
hard to break tag and remain undetected

70. PUF Design Attacks on PUF Weaknesses of existing PUF New PUF design
impersonation
modeling
hardware tampering
side-channel
Weaknesses of existing PUF
reliability
New PUF design
no oscillating circuit
sub-threshold voltage
Compare different non-linear delay approaches

71. PUF Contribution and Motivation
Physical privacy models
Privacy-preserving tag identification algorithm
Ownership transfer algorithm
Secure MAC algorithms
Comparison of PUF with digital hash functions
Motivation
Digital crypto implementations require 1000’s of gates
Low-cost alternatives
Pseudonyms / one-time pads
Low complexity / power hash function designs
Hardware-based solutions

72. Speeding Up The Yoking Protocol
Idea: split cycle into several sequences of dependent MACs
starting / closing tags
Requires
multiple readers or multiple antennas
anti-collision protocol