Enabling Secure Secret Updating for Unidirectional Key Distribution in RFID-Enabled Supply Chains Shaoying Cai 1, Tieyan Li 2, Changshe Ma 1, Yingjiu Li.


1 Enabling Secure Secret Updating for Unidirectional Key Distribution in RFID-Enabled Supply Chains
Shaoying Cai (1), Tieyan Li (2), Changshe Ma (1), Yingjiu Li (1), Robert H. Deng (1)
(1) Singapore Management University (SMU)
(2) Institute for Infocomm Research (I2R)
15 Dec. 2009, ICICS 2009, Beijing, China

2 ICICS’09 - RFID Security
Outline
Introduction
The problem
– Security requirements in RFID-enabled supply chains
– Secret sharing approach and JPP mechanism
– Our observations
The protocol
– Secure secret updating protocol
– Security properties
– Comparisons
– Implementation considerations
– Security proof
Conclusions

3 Introduction: RFID systems
RFID technology has greatly facilitated supply chains.
– All evidence (standardization; big promoters, adopters, …) shows that a new age is coming.
– Security, visibility and efficiency are three equally important requirements.
Reader (transceiver): reads data off the tags without direct contact.
Radio signal (contactless): range from 3-5 inches to 100 yards.
Database: matches tag IDs to physical objects.
Tags (transponders): attached to objects, “call out” identifying data on a special radio frequency.
Perfect working conditions for attackers!

4 RFID-Enabled Supply Chain
Increase visibility; lower uncertainty; prevent loss; reduce counterfeiting; improve efficiency.
Source: Lyngsoe

5 The problem
Usually, EPC tags are used in supply chains.
– They are extremely cheap, so no true cryptographic functionality can be implemented on them.
– Maintaining a synchronized and ubiquitous database is truly hard.
– Thus, almost all privacy-enhanced authentication protocols (more than hundreds) fail on practicability.
The only explicit EPC privacy feature: Kill
– On receiving a tag-specific Kill PIN, the tag self-destructs.
– Who will own these Kill PINs? Who will kill the tags: the party at the end of the supply chain, or the end users?
But supply chain partners:
– Don’t want to manage Kill PINs, and how would they?
– Have no channel to communicate secret keys downstream in the supply chain.
Key distribution is an essential problem!

6 Supply chain characteristics
An RFID-enabled supply chain typically features:
– No pre-existing trust relationship: a case might come from or go to any non-trusted party.
– Unidirectional downsizing: de-packing and re-packing into smaller-sized aggregates at downstream parties.
– Compulsory processing orders: only dispersion, no combination.

7 Secret sharing approach
Idea: apply secret sharing to spread a secret key across multiple tags, e.g., as shares (s1, s2, s3, …).
– Collecting enough shares can recover the key.
– Individual shares / small sets reveal no information.

8 JPP mechanism (Juels et al. Usenix Sec. 08)
– Encrypt tag data under the secret key.
– Apply secret sharing to spread the key across the tags in a case, e.g., as shares (s1, s2, s3, …).
– Each tag then carries an encrypted message and a share: (E(m1), s1), (E(m2), s2), (E(m3), s3), …
[Figure: tagged items in a case; example of recovered tag data: Supersteroids 500mg; 100 count; Serial #87263YHG; Mfg: ABC Inc.; Exp: 6 Mar 2010]

9 JPP mechanism (Juels et al. Usenix Sec. 08)
SWISS (Sliding Window Information Secret-Sharing)
Given  2 out of 4 s_i, get corresponding  i
[Figure: sliding window over shares s1 … s6 and the corresponding values indexed 1 … 6]

10 Our observations
The JPP mechanism is vulnerable to tracking:
– A tag T_i always sends the same reply (S_i, M_i) to any reader that queries it. Although an adversary may not get enough shares to decrypt the content of the tag, the never-changing reply can be used by the adversary to track the tag.
The JPP mechanism is vulnerable to counterfeiting:
– As the publicly accessible message (S_i, M_i) is what a reader uses to identify the tag T_i, an adversary can easily fabricate a tag that also sends (S_i, M_i), and replace the tagged item with the fabricated tag.
The JPP mechanism features a monopolistic key assignment model:
– A monopoly (typically the manufacturer of the goods) pre-assigns all the keys (shares) to the tags according to a fixed secret sharing scheme with conjectured parameters.
– This one-size-fits-all solution restricts realistic deployment of the JPP mechanism.

11 Secret updating protocol
JPP mechanism
– A tag T_i stores (S_i, M_i) only.
– S_i is the share of T_i and M_i is the (encrypted) information carried on the tag.
Our protocol
– A tag T_i stores (S_i, M_i, c_i).
– c_i is the individual secret key of T_i, derived from the common secret k, for the purpose of authenticating the reader.
During updating
– The old secret key k is replaced with a new secret key k';
– The old (t, n) threshold scheme is replaced with a new (t', n') scheme, according to new requirements;
– The old share S_i is replaced with a new share S'_i;
– The old values (S_i, M_i, c_i) of a tag T_i are updated with the new values (S'_i, M'_i, c'_i).

12 Secret updating protocol

13 Security properties
Authoritative access to RFID tags
– The security of the secret update protocol relies on the confidentiality of the shared secret c_i.
– Given an update message (A, B, C), only a party that knows the value of c_i can obtain the new values (S'_i, M'_i, c'_i).
Authenticity of tags
– A tag T_i is authenticated with any privacy-enhanced authentication scheme (e.g., a challenge-response authentication protocol).
Forward secrecy
– A tag T_i is updated with new values (S'_i, M'_i, c'_i), which are totally independent of its previous values (S_i, M_i, c_i).
Untraceability
– The protocol messages are updated in different sessions.
– However, it is possible for an active adversary to correlate identifiers (S_i or S'_i).

14 Comparison
[4] A. Juels, R. Pappu, and B. Parno. Unidirectional key distribution across time and space with applications to RFID security. USENIX Security’08.
[10] Y. Li and X. Ding. Protecting RFID Communications in Supply Chains. ASIACCS’07.
[11] David Molnar and David Wagner. Privacy and Security in Library RFID: Issues, Practices, and Architectures. ACM CCS 2004.
[12] Miyako Ohkubo, Koutarou Suzuki, and Shingo Kinoshita. Efficient Hash-Chain Based RFID Privacy Protection Scheme. Ubicomp 2004.

15 Implementation considerations
The JPP mechanism implemented a (15, 20) threshold secret sharing scheme.
– For 20 available tags, a reader needs to collect at least 15 tags’ shares to successfully recover the secret key and decrypt the encrypted information.
– It employs an “Alien Squiggle” Gen2 tag, of which 16 bits are used for storing a single share and 80 bits are used for storing the encrypted identity.
– WORM memory (write-once, read-many times) is required.
In our protocol, (S_i, M_i) is replaced with (S'_i, M'_i, c'_i), which requires additional memory space for storing the c'_i message.
– It is equivalent to 160 bits and can be put into the “User” memory bank.
– Rewritable memory is required, and it may need an “access password” to access the memory.
– The access password can be derived from the decrypted key “k”.
How to determine the threshold in real applications?
– Less than a certain upper bound, to maximally tolerate reading or erasure errors.
– Greater than a certain lower bound, to guarantee robustness in recovering the key.
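The threshold trade-off above and the re-sharing step from the "Secret updating protocol" slide (new key k', new (t', n') scheme), as an added illustration that is not code from the presentation or from JPP. It assumes plain Shamir sharing over a prime field as a stand-in for the secret sharing scheme; the field size and the names split, recover, update and demo are hypothetical, and the update message (A, B, C) and the M_i, c_i values are not modelled.

```python
import secrets

P = 2**127 - 1  # prime field for this sketch (assumption; far larger than the slide's 16-bit shares)

def split(key, t, n):
    """Shamir (t, n): random polynomial f of degree t-1 with f(0) = key; tag i stores (i, f(i))."""
    coeffs = [key] + [secrets.randbelow(P) for _ in range(t - 1)]
    def f(x):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation mod P
            acc = (acc * x + c) % P
        return acc
    return [(i, f(i)) for i in range(1, n + 1)]

def recover(shares):
    """Lagrange interpolation at x = 0 over whatever shares the reader collected."""
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret

def update(t_new, n_new):
    """Re-keying at a downstream party: fresh k' and fresh (t', n') shares, independent of the old ones."""
    k_new = secrets.randbelow(P)
    return k_new, split(k_new, t_new, n_new)

def demo():
    k = secrets.randbelow(P)
    tags = split(k, 15, 20)                     # the (15, 20) setting from the slide
    readable = tags[:3] + tags[8:]              # 5 tags unreadable (erasures), 15 remain
    ok_with_15 = recover(readable) == k
    ok_with_14 = recover(readable[:14]) == k    # below threshold: result is unrelated to k
    k2, tags2 = update(3, 5)                    # case repacked into 5 items, threshold 3
    ok_after = recover(tags2[1:4]) == k2
    relinkable = any(s in tags for s in tags2)  # does any old static share survive the update?
    return ok_with_15, ok_with_14, ok_after, relinkable

if __name__ == "__main__":
    print(demo())
```
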

16 Security proof (sketch)
1. The privacy game:
   1. Setup phase: the game initializes the RFID system.
   2. Learning phase: the adversary A performs a series of queries to enlarge its knowledge base about the RFID system.
   3. Challenge phase: the adversary A chooses two tags. Then, a tag is chosen by randomly updating one of the two tags. After this, the updated tag is given to the adversary as a challenge tag, which the adversary must distinguish from the original two tags.
2. We conclude that an RFID system is private if there exists no probabilistic polynomial-time adversary A whose advantage in winning the privacy game is non-negligible.
3. We then prove that the secret sharing scheme is private.
4. Theorem: the proposed RFID protocol is private if the underlying secret sharing scheme is private.

17 Conclusions
– We tackle the key distribution problem in RFID-enabled supply chains.
– We investigate the secret sharing approaches, particularly the JPP mechanism.
– We propose a secure and flexible secret updating protocol to improve the original JPP mechanism.
– Our protocol provides sound security properties and desirable flexibility, with proved privacy.
– However, our protocol requires more powerful tags to pay for the additional security and functionality.
– Future points: Verifiable Secret Sharing; Confidentiality + Access Control; real experiments/deployments; etc.

18 Q & A
Contact: litieyan@i2r.a-star.edu.sg (for Post-doc position)
Web: http://icsd.i2r.a-star.edu.sg/staff/tieyan/SecureRFID
Call for participants: RFIDsec’10 Asia, 22-23 Feb. 2009, Singapore
Thank you!

