
1 RFID Privacy: Relation Between Two Notions, Minimal Condition, and Efficient Construction
Changshe Ma, Yingjiu Li, Robert Deng, Tieyan Li
Singapore Management University
Institute for Infocomm Research
2018/11/12

2 Background – RFID Systems
- Radio signal (contactless). Range: from 3-5 inches to 3 yards
- Database: match tag IDs to physical objects
- Tags (transponders): attached to objects, “call out” identifying data on a special radio frequency
- Reader (transceivers): read data off tags without direct contact
- Range can be 100 meters
- Perfect working conditions for attackers!

3 Background – RFID Privacy
Privacy issues
- Adversaries identify tags
- Adversaries track tags
© RSA Laboratories

4 Motivation – Research Effort
- Lightweight RFID protocols for low-cost tags
  - Simple operations (XOR, bit inner product, PRNG, CRC)
  - Privacy flaws (T. van Deursen and S. Radomirovic: Attacks on RFID Protocols, ePrint Archive: Report 2008/310)
- Formal privacy models for RFID systems
  - Ind-privacy: indistinguishability of two tags [Juels & Weis 07]
  - Unp-privacy: unpredictability of protocol output [Ha et al. 08]
- Our research
  - Examine privacy notions
  - Explain privacy flaws
  - Construct efficient protocol with strong privacy

5 Outline
- Model of RFID systems
- RFID privacy notions
  - Ind-privacy: indistinguishability-based privacy
  - Unp-privacy: unpredictability-based privacy
- Relations
  - Unp-privacy $\Rightarrow$ Ind-privacy
  - Ind-privacy (not) $\Rightarrow$ Unp-privacy
- Minimal condition
  - Unp-privacy $\Leftrightarrow$ PRF
- Efficient construction

6 Model of RFID Systems
- RFID system (R, T, InitializeR, InitializeT, $\pi$)
- Canonical form $\pi$ of RFID protocols
- Adversary A (O_IR: InitReader, O_IT: InitTag, O_ST: SetTag, O_SR: SendRes)
  - Eavesdropping: InitReader, InitTag, SendRes
  - Tag key compromise (tag corruption, physical or side-channel attack): SetTag
- Completeness and soundness of RFID system
  - Completeness: a legitimate tag will always be accepted by the legitimate reader
  - Soundness: only a legitimate tag will be accepted by the legitimate reader

7 RFID Privacy – Ind-privacy
Experiment $\mathbf{Exp}_A^{ind}[k, l, q, s, u, v]$
1. set up the reader $R$ and a set of tags $T$ with $|T| = l$;
2. $(T_i, T_j, st) \leftarrow A_1^{O_{IR}, O_{IT}, O_{ST}, O_{SR}}(R; T)$; // learning stage
3. $b \in_R \{0, 1\}$;
4. if $b = 0$ then $T_c = T_i$, otherwise $T_c = T_j$;
5. $T' = T - \{T_i, T_j\}$;
6. $b' \leftarrow A_2^{O_{IR}, O_{IT}, O_{ST}, O_{SR}}(R, T', st, T_c)$; // guess stage
7. the experiment outputs 1 if $b' = b$, 0 otherwise.

Advantage of A: $|\Pr[\mathbf{Exp}_A^{ind} = 1] - 1/2|$

8 RFID Privacy – Unp-privacy
Experiment $\mathbf{Exp}_A^{unp}[k, l, q, s, u, v]$
1. set up the reader $R$ and a set of tags $T$ with $|T| = l$;
2. $(T_c, c_0, st) \leftarrow A_1^{O_{IR}, O_{IT}, O_{ST}, O_{SR}}(R; T)$; // learning stage
3. $b \in_R \{0, 1\}$;
4. if $b = 0$ then set $(r, f)$ as a random pair, otherwise $(c_0, r_0, f_0) \leftarrow \pi(R, T_c)$ and $(r, f) = (r_0, f_0)$;
5. $T' = T - \{T_c\}$;
6. $b' \leftarrow A_2^{O_{IR}, O_{IT}, O_{ST}, O_{SR}}(R, T', st, r, f)$; // guess stage
7. the experiment outputs 1 if $b' = b$, 0 otherwise.

Advantage of A: $|\Pr[\mathbf{Exp}_A^{unp} = 1] - 1/2|$

9 Relations – Intuition
Intuitively, Unp-privacy $\Rightarrow$ Ind-privacy: $d(T_i, T_j) \le d(T_i, r) + d(T_j, r)$
Ind-privacy
- Learning stage: A: oracle queries to Tc
- Guess stage: A: oracle queries to Tc
Unp-privacy
- Learning stage: A: oracle queries to Tc
- Guess stage: A: no oracle queries to Tc
How to simulate?

10 Relations – Eunp-privacy
Extended Unp-privacy (Eunp-privacy)

Experiment $\mathbf{Exp}_A^{eunp}[k, l, q, s, u, v, w]$
1. set up the reader $R$ and a set of tags $T$ with $|T| = l$;
2. $(T_c, st) \leftarrow A_1^{O_{IR}, O_{IT}, O_{ST}, O_{SR}}(R; T)$; // learning stage
3. $T' = T - \{T_c\}$;
4. $b \in_R \{0, 1\}$;
5. let $st_0 = st$ and $cs = \emptyset$; for $i = 1$ to $w$:
   - $(c_i, st_i) \leftarrow A_2^{O_{IR}, O_{IT}, O_{ST}, O_{SR}}(R; T, st_{i-1}, cs)$;
   - if $b = 0$ then set $(r_i^*, f_i^*)$ as a random pair, otherwise $(c_i, r_i, f_i) \leftarrow \pi(R, T_c)$ and $(r_i^*, f_i^*) = (r_i, f_i)$;
   - $cs = cs \cup \{r_i^*, f_i^*\}$
6. $b' \leftarrow A_2^{O_{IR}, O_{IT}, O_{ST}, O_{SR}}(R, T', st_w, cs)$; // guess stage
7. the experiment outputs 1 if $b' = b$, 0 otherwise.

- $st$: state information
- $cs$: set of challenge messages given to $A_2$
- $A_2$ may choose the $w$ test messages adaptively: it may choose $c_i$ according to the state information, the previous challenge message set, and its own strategy.

11 Relations – Eunp-privacy $\Rightarrow$ Ind-privacy
Ind-privacy
- Learning stage: A: oracle queries to Tc
- Guess stage:
Eunp-privacy
- Learning stage: A: oracle queries to Tc
- Guess stage: A: w test message queries + corrupt all other tags except Tc
Be able to simulate

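12 Relations – Eunp-privacy $\Leftrightarrow$ Unp-privacy
Hybrid argument approach or game playing technique

$$
\begin{array}{ccccc}
(r_1,f_1) & (r_2,f_2) & \cdots & & (r_w,f_w) \\
(r'_1,f'_1) & (r_2,f_2) & \cdots & & (r_w,f_w) \\
(r'_1,f'_1) & (r'_2,f'_2) & \cdots & & (r_w,f_w) \\
\vdots & & & & \\
(r'_1,f'_1) & (r'_2,f'_2) & \cdots & (r'_{w-1},f'_{w-1}) & (r_w,f_w) \\
(r'_1,f'_1) & (r'_2,f'_2) & \cdots & & (r'_w,f'_w)
\end{array}
$$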

13 Relations – Ind-privacy (not) $\Rightarrow$ Unp-privacy
- Assume that $(c, r, f) \leftarrow \pi(R, T_i)$ is of ind-privacy
- Let $(c, r\|r, f) \leftarrow \pi'(R, T_i)$
- $\pi'(R, T_i)$ is not of unp-privacy
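
The separation on this slide can be checked empirically. The following added example (not from the slides or the paper) runs the guess stage of the Unp-privacy experiment against a toy π and against π′ with response r||r; the HMAC-based PRF, the message layout and all function names are assumptions of the example, and it only demonstrates the Unp-privacy failure, not the Ind-privacy of π′.

```python
import hashlib
import hmac
import random

def prf(key: bytes, msg: bytes, n: int = 16) -> bytes:
    """Stand-in PRF F_k: HMAC-SHA256 truncated to n bytes (assumption of this example)."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:n]

def pi(key: bytes, c: bytes):
    """Toy canonical protocol pi(R, Ti): challenge c, tag response r, final message f."""
    r = prf(key, b"tag" + c)
    f = prf(key, b"reader" + c + r)
    return c, r, f

def pi_prime(key: bytes, c: bytes):
    """The slide's pi': identical to pi except that the tag sends r||r."""
    c, r, f = pi(key, c)
    return c, r + r, f

def a2_guess(r: bytes) -> int:
    """Distinguisher A2: output b'=1 (real transcript) iff both halves of r are equal."""
    half = len(r) // 2
    return 1 if r[:half] == r[half:] else 0

def unp_experiment(protocol, rng: random.Random) -> int:
    """Steps 3-7 of the Unp-privacy experiment for one uncorrupted tag Tc; 1 if b' == b."""
    rand = lambda n: rng.getrandbits(8 * n).to_bytes(n, "big")
    key, c0 = rand(16), rand(16)            # constructed tag key and challenge
    _, r0, f0 = protocol(key, c0)
    b = rng.getrandbits(1)
    # b = 0: random pair of the same lengths; b = 1: the real protocol output
    r, f = (r0, f0) if b == 1 else (rand(len(r0)), rand(len(f0)))
    return int(a2_guess(r) == b)

def success_rate(protocol, trials: int = 2000, seed: int = 1) -> float:
    """Fraction of experiment runs in which the distinguisher guesses b correctly."""
    rng = random.Random(seed)
    return sum(unp_experiment(protocol, rng) for _ in range(trials)) / trials

if __name__ == "__main__":
    print("pi' success rate:", success_rate(pi_prime))  # advantage |rate - 1/2| is 1/2
    print("pi  success rate:", success_rate(pi))        # stays near 1/2
```

Against π′ the distinguisher needs no oracle access to Tc in the guess stage: the redundancy in r||r is visible in the challenge pair itself, which is exactly what unpredictability forbids.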

14 Minimal Condition
- Minimal requirement for RFID systems to achieve RFID system privacy: Unp-privacy $\Leftrightarrow$ PRF
- Theoretical foundation to explain why so many lightweight RFID protocols suffer from privacy vulnerabilities without implementing necessary cryptographic primitives

15 Minimal Condition – Unp-privacy $\Rightarrow$ PRF
[Figure: a tag mapping challenges c1, c2, ..., cn to responses r1, r2, ..., rn; other labels: random, ind, p1, p2, ..., pn]
- Each tag’s computation function can be used to construct a PRF family
- Is this mapping a pseudorandom function?

16 Minimal Condition – Tag Computation Function
[Figure: tag computation function $F_{k_T}(\cdot)$ with states st1, st2, ..., stn]
Deterministic if we consider the tag key and internal state information

17 Minimal condition – Unp-privacy $\Rightarrow$ PRF
Let PCH=PCN=PS={0,1} and PFT={0,1}2
1. If the tag Ti is stateless, define J(x)= r1=FkTi(c,cn), where c||cn=x{0,1}2
2. If the tag Ti is stateful
   2.1 If cn=empty string, define J(x)=LFkTi(c,st_0) RFkTi(c,st0), where x {0,1}
   2.2 Else J(x)= r1 =FkTi(c,cn,st0), where c||cn=x{0,1}2
Now define G(x)=J(J()x), then G is a PRF family, where  {0,1}2 except for the case 2.1 where  {0,1}.
The function family G(x) is a PRF family if RS is complete, sound and unp-private.

18 Minimal condition – PRF $\Rightarrow$ Unp-privacy
An efficient construction with PRF:
- Offline attack: long enough secret key
- Online attack: 0.01 sec/tag, 348 years for |ctr|=40

19 Conclusion
[Diagram of the relations among Eunp-privacy, Ind-privacy, Unp-privacy and PRF]

20 Thanks!

