Privacy in pervasive computing: What can technologists do?
David Wagner, U.C. Berkeley
In collaboration with David Molnar, Andrea Soppera, Ari Juels.


1 Privacy in pervasive computing: What can technologists do?
David Wagner, U.C. Berkeley
In collaboration with David Molnar, Andrea Soppera, Ari Juels

2 The tide is turning...
Pervasive computing is coming...
It’s time to get serious about privacy.

3 Outline
RFID and identification systems
Protocols for private identification
The challenge of scalability; trees of secrets

4 Identification systems
Example applications:
  Electronic passports
  ID cards and badges
  Proximity cards, building access control
  Automatic payment systems (Fastrak, EZPass)
  Item tagging & tracking, inventory management
Key technologies:
  RFID
  Contactless smart card
Challenge: privacy (and security) for ID systems

5 Introduction to RFID
RFID tags are passive, powered by reader, carry identity
Privacy issues: Unwanted tracking of people and items
[Diagram: Reader and Tag, with links labelled Power and Identity]

6 RFID systems are resource-limited
Tags might lack writable non-volatile memory
  Takes more energy to permanently write bits
  Thus, state might only last as long as tag is powered
Cryptography is expensive
  Public-key out of reach for all but priciest tags
  AES within reach for mid-class tags? [Feldhofer]
  Can’t take random number generation for granted
Readers might not be network-connected

7 RFID technologies vary widely
Technology   Application             Cost      Intended read range   Computation
ISO 14443    E-passports, ID cards   US$5      10cm                  3DES, RSA
ISO 15693    Library books           US$0.50   1m                    sym.-key crypto
EPC          WalMart                 US$0.20   3m                    no crypto

8 Read range?
normal reader (10cm / 3m)
malicious reader (50cm / 15m)
eavesdrop on tag (???)
eavesdrop on reader (50m / ???)

9 Simple trick: Defeating eavesdropping on forward link
Reader wants to send $m$; tag picks random $r$.
Reader to tag: “go ahead”
Tag to reader: $r$
Reader to tag: $m \oplus r$
Appears in EPC Gen II standards.

10 A first attempt at defeating eavesdropping and unauthorized tag-reading
[Diagram: Tag (holding $k$) sends “pseudonym” $E_k(r, ID)$ to Reader (holding $k$)]
Problem: All tags and readers share the same key $k$
  If any tag is compromised, all security is lost
  If any reader is compromised, all security is lost
Risk: Massive data spills.

11 Take #2: Independently keyed tags
[Diagram: Tag (holding $k_i$) sends “pseudonym” $r, F_{k_i}(r)$ to Reader (holding $(k_1, ID_1), \ldots, (k_N, ID_N)$); Reader scans through all keys to decode]
Problem: Doesn’t scale. Takes O(N) work to decode each pseudonym

12 Private identification protocols
Goal: a tag-reader protocol, providing:
  Identification: Authorized reader learns tag’s identity
  Privacy: Unauthorized readers learn nothing
    Attacker cannot even link two sightings of same tag
  Authentication: Tag identity cannot be spoofed
  Scalability: Can be used with many tags
A non-trivial technical challenge, with many possible applications.

13 A beautiful method for private identification
[Diagram: Tag (holding $k_i$, $k_{ij}$) sends pseudonym $r, F_{k_i}(r), F_{k_{ij}}(r)$ to Reader (holding the lists $(k_i, i)$ and $(i, k_{ij}, ID_{ij})$); Reader decodes $i$, then $j$]
More scalable: O(√N) work to decode each pseudonym
  First, scan all $k_i$ to learn $i$
  Then, scan all $k_{ij}$ to learn $j$ and thus tag identity

14 The tree of secrets
Tag ≡ leaf of the tree.
Each tag receives the keys on path from leaf to the root.
Tag $ij$ generates pseudonyms as $(r, F_{k_i}(r), F_{k_{ij}}(r))$.
Reader can decode pseudonym using a depth-first search.
[Diagram: tree with keys $k_0$, $k_1$ below the root and $k_{00}$, $k_{01}$, $k_{10}$, $k_{11}$ at the leaves]

15 Analysis: tree of secrets
                  Theory     A concrete example
Number of tags:   N          $2^{20}$ tags
Tag storage:      O(lg N)    128 bits
Tag work:         O(lg N)    2 PRF invocations
Communications:   O(lg N)    138 bits
Reader work:      O(lg N)    $2 \times 2^{10}$ PRF invocations
Privacy degrades gracefully if tags are compromised
Generalizations:
  Use any depth tree (e.g., lg N)
  Use any branching factor (e.g., $2^{10}$)
  Use any other identification scheme (e.g., mutual auth)
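The two-level scheme from slides 13 to 15, as an added Python example that is not part of the original presentation. HMAC-SHA256 as the PRF F, 16-byte keys and nonces, the names `Reader`, `pseudonym` and `demo`, and the branching factor of 32 are all assumptions chosen for illustration.

```python
import hmac, hashlib, os

def F(key: bytes, r: bytes) -> bytes:
    """PRF F_k(r); HMAC-SHA256 is an assumption, the slides do not name a PRF."""
    return hmac.new(key, r, hashlib.sha256).digest()

class Reader:
    """Holds the whole two-level tree: (k_i, i) and (i, k_ij, ID_ij)."""
    def __init__(self, branching: int):
        self.b = branching
        self.level1 = [os.urandom(16) for _ in range(branching)]
        self.level2 = [[os.urandom(16) for _ in range(branching)]
                       for _ in range(branching)]
        self.prf_calls = 0  # reader work, counted in PRF invocations

    def tag_keys(self, i, j):
        """Keys on the path from leaf ij to the root, as issued to tag ij."""
        return self.level1[i], self.level2[i][j]

    def _scan(self, keys, r, target):
        for idx, k in enumerate(keys):
            self.prf_calls += 1
            if hmac.compare_digest(F(k, r), target):
                return idx
        return None

    def decode(self, pseudonym):
        """Scan all k_i to learn i, then the k_ij under i to learn j."""
        r, a, b = pseudonym
        i = self._scan(self.level1, r, a)
        if i is None:
            return None
        j = self._scan(self.level2[i], r, b)
        return None if j is None else (i, j)

def pseudonym(k_i: bytes, k_ij: bytes):
    """Tag side: fresh r per sighting, two PRF invocations."""
    r = os.urandom(16)
    return r, F(k_i, r), F(k_ij, r)

def demo(branching=32, i=17, j=5):
    # Constructed setting: N = 32 * 32 = 1024 tags, tag (17, 5) is read twice.
    reader = Reader(branching)
    k_i, k_ij = reader.tag_keys(i, j)
    p1, p2 = pseudonym(k_i, k_ij), pseudonym(k_i, k_ij)
    ids = (reader.decode(p1), reader.decode(p2))
    forged = reader.decode((p1[0], p1[1], os.urandom(32)))  # wrong leaf value
    return ids, p1 != p2, reader.prf_calls, forged
```

Each decode costs at most 2 × 32 PRF calls here, against up to 1024 for the flat scan of slide 11, and the two pseudonyms of the same tag share no bytes an observer without the keys could match.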

16 Reducing trust in readers
If readers are online, Trusted Center can do decoding for them, and enforce a privacy policy for each tag.
No keys stored at reader => less chance of privacy spills.
[Diagram: Tag (holding $k_i$, $k_{ij}$) sends $r, F_{k_i}(r), F_{k_{ij}}(r)$ to Reader; Reader passes $r, F_{k_i}(r), F_{k_{ij}}(r)$ to Trusted Center (holding $(k_{ij}, \mathrm{Policy}_{ij})$) and receives $ID_{ij}$]

17 Reducing trust: Delegation
For offline or partially disconnected readers, can delegate power to decode pseudonyms for a single tag to designated readers.
Reader workload: O(D) per pseudonym, where D = # of tags delegated to this reader.
[Diagram: Tag (holding $k_i$, $k_{ij}$) sends $r, F_{k_i}(r), F_{k_{ij}}(r)$ to Reader; Trusted Center (holding $(k_{ij}, \mathrm{Policy}_{ij})$) delegates $k_{ij}$ for tag $ID_{ij}$ to Reader]

18 Time-limited delegation
[Diagram: Tag (holding ctr, $k_i$, $k_{ij}$) sends pseudonym to Reader; between Reader and Trusted Center: $ID_{ij}, L, R$ and {keys}]
{keys}: Only good for decoding L-th through R-th pseudonyms from tag $ID_{ij}$
Even less trust: Reader gets access to the next 100 pseudonyms from this tag (say), and nothing more.

19 Enabling time-limited delegation
Use GGM at lower levels: $(k_{s0}, k_{s1}) = G(k_s)$
Tag uses leaves sequentially
Reader gets keys for a subset
[Diagram: tree with keys $k_0$, $k_1$; $k_{00}$, $k_{01}$, $k_{10}$, $k_{11}$; and GGM-derived keys $k_{000}$, $k_{001}$, $k_{0000}$, $k_{0001}$, $k_{0010}$, $k_{0011}$ below]
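The GGM construction behind time-limited delegation (slides 18 and 19), as an added Python example that is not part of the original presentation. Building G from HMAC-SHA256, the depth of 4, the constructed root secret and the function names `derive`, `cover`, `delegate` and `reader_leaf_key` are assumptions; `root` stands for the tag's lowest tree secret, and leaf number ctr keys the ctr-th pseudonym.

```python
import hmac, hashlib

def G(k: bytes):
    """Length-doubling generator (k_s0, k_s1) = G(k_s).
    Built from HMAC-SHA256 as an assumption; the slides do not fix G."""
    return (hmac.new(k, b"0", hashlib.sha256).digest(),
            hmac.new(k, b"1", hashlib.sha256).digest())

def derive(key: bytes, path: str) -> bytes:
    """Walk down the GGM tree from `key` along a bit string such as '011'."""
    for bit in path:
        key = G(key)[int(bit)]
    return key

def cover(lo: int, hi: int, depth: int, prefix: str = ""):
    """Minimal set of subtree roots whose leaves are exactly lo..hi."""
    span = 1 << (depth - len(prefix))
    first = int(prefix, 2) * span if prefix else 0
    last = first + span - 1
    if hi < first or lo > last:
        return []                      # subtree lies outside the window
    if lo <= first and last <= hi:
        return [prefix]                # whole subtree lies inside the window
    return (cover(lo, hi, depth, prefix + "0") +
            cover(lo, hi, depth, prefix + "1"))

def delegate(root: bytes, lo: int, hi: int, depth: int) -> dict:
    """Trusted Center side: keys handed to the reader for pseudonyms lo..hi."""
    return {p: derive(root, p) for p in cover(lo, hi, depth)}

def reader_leaf_key(granted: dict, ctr: int, depth: int):
    """Reader side: key for the ctr-th pseudonym, or None if not delegated."""
    leaf = format(ctr, "0{}b".format(depth))
    for prefix, key in granted.items():
        if leaf.startswith(prefix):
            return derive(key, leaf[len(prefix):])
    return None

def demo():
    root = b"constructed-kij!"  # constructed tag secret, not from the slides
    granted = delegate(root, 3, 9, depth=4)
    return sorted(granted), reader_leaf_key(granted, 10, 4)
```

For the window 3..9 the reader receives three keys rather than seven, and because G is one-way it cannot climb from them to the key for leaf 2 or leaf 10.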

20 Conclusions
Identification systems: an exciting research area
  Privacy is central
  Many non-trivial technical challenges, many opportunities for clever solutions
  There’s still time to have an impact on deployments
Research question: Private identification protocols
  Tree schemes have useful properties
  Can we do better? Can do without persistent state?
Recent work: Controlling readers with Trusted Computing (to appear at WPES’05)

