Presentation is loading. Please wait.

Presentation is loading. Please wait.

RFID Privacy Models & A Minimal Condition

Published byPhebe Harris Modified over 6 years ago

Similar presentations

Presentation on theme: "RFID Privacy Models & A Minimal Condition"— Presentation transcript:

1 RFID Privacy Models & A Minimal Condition
Robert H. Deng Singapore Management University 2018/11/21

2 Radio Frequency IDentification (RFID)
Radio signal (contactless) Range: from 3-5 inches to 3 yards Database Match tag IDs to physical objects Tags (transponders) Attached to objects, “call out” identifying data on a special radio frequency Reader (transceivers) Read data off tags without direct contact Range can be 100 meters Perfect working conditions for attackers! 2018/11/21

3 RFID Applications Most important usage: identifying valid users or entities eTicket Credit Cards Access Control Cheap Expensive Supply Chain ePass High computational and storage resources No computational and very low storage resources 2018/11/21

4 RFID Security Issues Tag Authentication: Only valid tags are accepted by a valid reader Reader Authentication: Only valid readers are accepted by valid tags Not always required but mandatory in some applications (e.g., e-tickets) Prevents unauthorized access to /or tampering with tag data Availability: Infeasible to manipulate honest tags such that honest readers do not accept them 2018/11/21

5 RFID Privacy Issues Unauthorized tracking
© RSA Laboratories Unauthorized tracking Disclosure of the tag identity Linkability of the transactions of a tag  Allows creation & misuse of user profiles 2018/11/21

6 Physical Privacy-Enhancing Methods (from Sadeghi et. al MINES2009)
“Kill”-command [EPC05] Tag-specific password programmed at manufacturing that permanently deactivates the tag to prevent readout Used for electronic product labels (e.g., EPC-Tags) that are disabled when the labeled product is given to end user Passive jamming [DIFR09] Faraday cage (e.g., embedded into wallets) prevents readout of RFID tag User must manually authorize readout by removing Faraday cage Active jamming [LCTR06] Jamming device disturbs radio signals of tags and readers in the vicinity User must manually authorize readout by deactivating jammer  Inefficient: Tags permanently disabled or user interaction required [EPC05] EPCglobal Inc.: Specification for RFID air interface—EPC radio-frequency protocols, Class-1 Generation-2 UHF RFID, protocol for communications at 860 MHz–960 MHz, version (December 2005) [DIFR09] DIFRwear: Web site of difrwear. (January 2009) [LCTR06] Peris-Lopez, P., Hernandez-Castro, J.C., Estevez-Tapiador, J.M., Ribagorda, A.: RFID systems: A survey on security threats and proposed solutions. In Cuenca, P., Orozco-Barbosa, L., eds.: IFIP TC6 11th International Conference, PWC 2006, Albacete, Spain, September 20–22, 2006, Proceedings. Volume 4217 of LNCS., Springer Verlag (2006) 159–170 New Directions in RFID Security and Privacy 6 2018/11/21 6

7 Cryptographic Protocols for RFID Privacy
Numerous lightweight RFID protocols for low-cost tags have been proposed They use simple operations (XOR, bit inner product, CRC, etc) Many have been broken (T. van Deursen and S. Radomirovic: Attacks on RFID Protocols, ePrint Archive: Report 2008/310) 2018/11/21

8 Outline Existing RFID Privacy Models A New Model A Minimal Condition
Conclusion 2018/11/21

9 RFID System Model T = {T1,…,Tn} - a fixed, polynomial-size tag set
Read / Update T = {T1,…,Tn} - a fixed, polynomial-size tag set R/D - and a reader/database as the elements for an RFID system. The adversary A has complete control over communications between R and T, while the communications between R and D are over a secure channel. 2018/11/21

10 A Canonical RFID Protocol 
Tag T Reader R c  C r  R f  F (optional) Shorthand notation: (c, r, f) ← (R, T) 2018/11/21

11 Query Types Available to Adversary
Launch(): return a session id sid and the 1st message c. SendTag(sid, c, T): return r, the response of tag T. SendReader(sid, r): return f, the response of Reader. Corrupt(T): return the secret information of tag T. Let O1, O2, O3, O4 denote, Launch, SendTag, SendReader, Corrupt oracles, respectively. 2018/11/21

12 JW06 (Jules & Weis, ePrint 2006, PerCom 2007)
Ind-privacy: indistinguishability of two tags. Experiment: {Ti, Tj} ← A1O1,O2,O3,O4(R, T); b∈{0, 1}; If b = 0 then Tc = Ti, else Tc= Tj; T’ = T - {Ti, Tj}; b’ ←A2O1,O2,O3,O4(R, T’, Tc). A1 not allowed to query O4 on Ti and Tj A2 not allowed to query O4 on Tc Adversary A wins the game if b’ = b The advantage of adversary A = |Pr[b'=b]-1/2| Drawback: Not easy to work with 2018/11/21

13 HMZH08 (Ha, Moon, Zhou & Ha, ESORICS 2008)
Unp-privacy: unpredictability of protocol Experiment: Tc← A1O1,O2,O3,O4(R, T); b∈ {0, 1}; If b = 0 then (c, r, f) ← (R, Tc), else (c, r, f) ← random; b’ ← A2 (c, r, f). A1 not allowed to query O4 on Tc The advantage of adversary A = |Pr[b'=b]-1/2| Drawback – Incomplete: A2 is not allowed to query O2 (SendTag) oracle on Tc   protocols meeting Unp-privacy but with known weakness in privacy (Deursen & Radomirovic, ePrint Archive: Report 2008/477) 2018/11/21

14 MLDL09 (Ma, Li, Deng & Li, CCS 2009)
Unp’-privacy: unpredictability of protocol Experiment: {Tc, c}← A1O1,O2,O3,O4(R, T); b∈ {0, 1}; If b = 0 then (c, r, f) ← (R, Tc), else (c, r, f) ← random; T’ = T – {Tc} b’ ← A2O1,O2,O3,O4(R, T’, r, f). A1 not allowed to query O4 on Tc The advantage of adversary A = |Pr[b'=b]-1/2| Drawback: (c,r,f)←(R, Tc)??? A2 is not allowed to query O2 (SendTag) oracle on Tc 2018/11/21

15 Vau07, PV08 (Vaudenay AsiaCrypt07, Paise & Vaudenay AsiaCCS08)
Adversary’s capabilities modeled by oracles Adversary A Tag Initialization Tag Communication Tag Corruption Reader Initialization Reader Communication Side channel Information (whether authentication was successful) 2018/11/21

16 Vau07 (Vaudenay AsiaCrypt07)
b R {0,1} Adversary A1 Querying Phase Privacy Challenger Reader Initialization /Tag Initialization / Tag Corruption Blinder B simulates Tag Communication / Reader Communication / Side channel Information b = 1 Tag Communication / Reader Communication / Side channel Information b = 0 Adversary A2 Analysis Phase A wins privacy experiment if b’=b RFID system is private if every A has negligible advantage to detect blinder B: AdvA = |Pr[ b’=1 | b=0 ] - Pr[ b’=1 | b=1 ]| b’ 2018/11/21

17 PV Model (Paise & Vaudenay AsiaCCS08)
Privacy and Security Framework for RFID Based on model of [Vau07] Additionally captures reader authentication Problem Privacy definition contradicts reader authentication for any privacy notion that allows tag corruption (except the weak privacy notions which do not alllow tag corruption)  PV model cannot be used for evaluation of practical protocols where adversary can corrupt tags 2018/11/21

18 Outline Existing RFID Privacy Models A New Model A Minimal Condition
Conclusion 2018/11/21

19 New Model – Definition Experiment:
Unp’’-privacy: indistinguishability of a real tag and a virtual tag Experiment: Tc ← A1O1,O2,O3,O4(R, T); b∈ {0, 1}; When A2 makes queries to O1, O2, O3 on Tc If b = 0, return oracles’ responses Else (b = 1) return c R C if query O1 return r R R if query O2 Return f R F if query O3 b’ ← A3 A1 and A2 are not allowed to query O4 on Tc The advantage of adversary A = |Pr[b'=b]-1/2| 2018/11/21

20 Summary of the Privacy Models
Ind-privacy model No flaws being found but not easy to work with Unp-privacy and Unp’-privacy models Incomplete PV model Contraction between reader authentication and their notions of privacy that allow tag corruption Unp”-privacy model Does not suffer from the above problems Relationship between Ind-privacy and Unp”-model? 2018/11/21

21 Relation Between Ind-privacy & Unp”-privacy
Assume that (c, r, f) (R, T) is of Ind-privacy. Let (c, r|r, f)  ’(R,T). ’(R,T) is of Ind-privacy, but it is not of Unp”-privacy. 2018/11/21

22 New Model –Relations (2)
Ind-privacy  Unp”-privacy. Ind-privacy Adversary A Unp”-privacy adversary B Unp”-privacy protocol 2018/11/21

23 Outline Existing RFID Privacy Models A New Model A Minimal Condition
Conclusion 2018/11/21

24 Minimal Condition – Results
Minimal requirement for RFID systems to achieve RFID system privacy Unp”-privacy PRF Theoretical foundation to explain why so many lightweight RFID protocols suffer from privacy vulnerabilities without implementing necessary cryptographic primitives 2018/11/21

25 Minimal Condition – Unp”-privacy ⇒ PRF
Given a RFID system with Unp”-privacy, each tag’s computation function Fki,sti can be used to construct a PRF family, ki is tag’s secret key, and sti is tag’s internal state. Reader Tag c r f 2018/11/21

26 Minimal Condition – PRF ⇒ Unp”-privacy
An efficient construction using PRF Reader {(I, k, ctr, ID)} Tag (k, ctr) c I = Fk(ctr|pad1) r1 = Fk(c|I)(ctr|pad2) ctr = ctr + 1 I | r1 Search: {If find (I, k, ctr, ID) then If ctr|pad2 = r1Fk(c|I) then Update & accept; Else reject Else if  (*, k, *, *) s. t. ctr|pad2 = r1Fk(c|I) & I = Fk(ctr|pad1) then Update & accept; Else reject } Update: {ctr = ctr + 1 & I = Fk(ctr|pad1) } 2018/11/21

27 Outline Existing RFID Privacy Models A New Model
Relations Between Two Models & A Minimal Condition Conclusion 2018/11/21

28 Conclusion Existing privacy models
Ind-privacy, unp-privacy, unp’-privacy, Vau07 & PV08 A new model: Unp”-privacy Relations Unp”-privacy Ind-privacy PRF 2018/11/21

29 Acknowledgement Junzuo LAI1, 2 Tieyan LI3 Yingjiu LI1 Changshe MA1
Singapore Management University Shanghai Jiaotong University Institute for Infocomm Research, Singapore 2018/11/21

30 Thank You! 2018/11/21

Download ppt "RFID Privacy Models & A Minimal Condition"

Similar presentations

Mitigate Unauthorized Tracking in RFID Discovery Service Qiang Yan 1, Robert H. Deng 1, Zheng Yan 2, Yingjiu Li 1, Tieyan Li 3 1 Singapore Management University,

Mitigate Unauthorized Tracking in RFID Discovery Service Qiang Yan 1, Robert H. Deng 1, Zheng Yan 2, Yingjiu Li 1, Tieyan Li 3 1 Singapore Management University,
Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:

Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:
Semi-Destructive Private Rfid Systems Paolo D’Arco, Alessandra Scafuro and Ivan Visconti by University of Salerno Italy Workshop on RFID Security 2009.

Semi-Destructive Private Rfid Systems Paolo D’Arco, Alessandra Scafuro and Ivan Visconti by University of Salerno Italy Workshop on RFID Security 2009.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
A Simple and Cost-effective RFID Tag-Reader Mutual Authentication Scheme Divyan M. Konidala, Zeen Kim, Kwangjo Kim {divyan, zeenkim, International.

A Simple and Cost-effective RFID Tag-Reader Mutual Authentication Scheme Divyan M. Konidala, Zeen Kim, Kwangjo Kim {divyan, zeenkim, International.
Serverless Search and Authentication Protocols for RFID Chiu C. Tan, Bo Sheng and Qun Li Department of Computer Science College of William and Mary.

Serverless Search and Authentication Protocols for RFID Chiu C. Tan, Bo Sheng and Qun Li Department of Computer Science College of William and Mary.
Security for RFID Department of Information Management, ChaoYang University of Technology. Speaker : Che-Hao Chen ( 陳哲豪 ) Date:2006/01/18.

Security for RFID Department of Information Management, ChaoYang University of Technology. Speaker : Che-Hao Chen ( 陳哲豪 ) Date:2006/01/18.
A lightweight mutual authentication protocol for RFID networks 2005 IEEE Authors : Zongwei Luo, Terry Chan, Jenny S. Li Date : 2006/3/21 Presented by Hung.

A lightweight mutual authentication protocol for RFID networks 2005 IEEE Authors : Zongwei Luo, Terry Chan, Jenny S. Li Date : 2006/3/21 Presented by Hung.
 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.

 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.
1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.

1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.
RFID Security CMPE 209, Spring 2009 Presented by:- Snehal Patel Hitesh Patel Submitted to:- Prof Richard Sinn.

RFID Security CMPE 209, Spring 2009 Presented by:- Snehal Patel Hitesh Patel Submitted to:- Prof Richard Sinn.
Security in RFID Presented By… NetSecurity-Spring07

Security in RFID Presented By… NetSecurity-Spring07
RFID Security and Privacy Part 2: security example.

RFID Security and Privacy Part 2: security example.
Security and Privacy Aspects of Low-Cost Radio Frequency Identification Systems Stephen A. Weis, Sanjay E. Sarma, Ronald L. Rivest and Daniel W. Engels.

Security and Privacy Aspects of Low-Cost Radio Frequency Identification Systems Stephen A. Weis, Sanjay E. Sarma, Ronald L. Rivest and Daniel W. Engels.
#1 Privacy in pervasive computing What can technologists do? David Wagner U.C. Berkeley In collaboration with David Molnar, Andrea Soppera, Ari Juels.

#1 Privacy in pervasive computing What can technologists do? David Wagner U.C. Berkeley In collaboration with David Molnar, Andrea Soppera, Ari Juels.
YA-TRAP: Yet Another Trivial RFID Authentication Protocol Gene Tsudik International Conference on Pervasive Computing and Communications, PerCom 2006.

YA-TRAP: Yet Another Trivial RFID Authentication Protocol Gene Tsudik International Conference on Pervasive Computing and Communications, PerCom 2006.
RFID in Mobile Commerce and Security Concerns Chassica Braynen April 25, 2007.

RFID in Mobile Commerce and Security Concerns Chassica Braynen April 25, 2007.
R R FID Authentication : M inimizing Tag Computation CHES2006 Rump Session, Yokohama. Japan 2006. 10. 11. Ph.D. Jin Kwak Kyushu University, JAPAN

R R FID Authentication : M inimizing Tag Computation CHES2006 Rump Session, Yokohama. Japan Ph.D. Jin Kwak Kyushu University, JAPAN
David Molnar, David Wagner - Authors Eric McCambridge - Presenter.

David Molnar, David Wagner - Authors Eric McCambridge - Presenter.
SECURE SYMMETRIC AUTHENTICATION FOR RFID TAGS

SECURE SYMMETRIC AUTHENTICATION FOR RFID TAGS

Similar presentations

Ads by Google