1 / 49

RFID Security and Privacy

RFID Security and Privacy. Author: Ari Juels Presenter: Yuliya Kopylova CSCE 790. 1. 2. 3. 4. 5. Roadmap. Background RFID Risks Privacy: Simple Solutions Privacy: More Involved Solutions Authentication: Some Solutions Conclusion. 1. 2. 3. 4. 5. What is RFID?.

hope-shelton
Télécharger la présentation

RFID Security and Privacy

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. RFID Security and Privacy Author: Ari Juels Presenter: Yuliya Kopylova CSCE 790

  2. 1 2 3 4 5 Roadmap • Background • RFID Risks • Privacy: Simple Solutions • Privacy: More Involved Solutions • Authentication: Some Solutions • Conclusion

  3. 1 2 3 4 5 What is RFID? • Radio-Frequency Identification Tag Antenna • Sticker containing microchip and antenna • Gains power from wireless signal received from tag reader • Tag-reader communication with range of up to half a meter • Tag returns its unique number and static data Chip

  4. 1 2 3 4 5 How Does RFID System Work? • Tags consists of antenna and a microchip • Readers consists of a transmitter, receiver, 1+ antennas • Management system • Communication protocol • Computer Networks EasyToll card #816 Radio signal (contactless) Range: from 3-5 inches to 3 meters 02.3DFEX4.78AF51 Tags (transponders) Attached to objects, “call out” identifying data on a special radio frequency Reader (transceiver) Reads data off the tags without direct contact Database Matches tag IDs to physical objects

  5. 1 2 3 4 5 RFID Advantages Barcode RFID Fast, automated scanning (object doesn’t have to leave pocket, shelf or container) • Reading by radio contact • Reader can be anywhere within range • Line-of-sight reading • Reader must be looking at the barcode • Specifies object type • E.g., “I am a pack of Juicy Fruit” • Specifies unique object id • E.g., “I am a pack of Juicy Fruit #86715-A” Can look up this object in the database (provides pointer)

  6. 1 2 3 4 5 RFID Tag Power Sources • Passive • inactive until the reader’s interrogation signal “wakes” them up • Cheap, but short range only • Semi-passive • On-board battery, but cannot initiate communication • More expensive, longer range • Active • On-board battery, can initiate communication

  7. 1 2 3 4 5 RFID Types • Inductive Coupling • Backscatter (radiative) Coupling

  8. 1 2 3 4 5 Closer look

  9. 1 2 3 4 5 RFID examples • Pervasive Devices • Low memory, few gates • Low power, no clock, little state • Low computational power • You may own a few. • Billions on the way.

  10. 1 2 3 4 5 Current Applications • Public Transport and Ticketing • Access Control • Logistics • Animal identification • Anti-theft system • Real time measurements in sports • Inventory Control in supermarkets • Electronic payments • Industry automation • Medical • Banknotes, casino chips

  11. 1 2 3 4 5 Futuristic Applications • “Smart” appliances • Refrigerators that automatically create shopping lists • Closets that tell you what clothes you have available, and search the Web for advice on current styles, etc. • Ovens that know how to cook pre-packaged food • “Smart” products • Clothing, appliances, CDs, etc. tagged for store returns • “Smart” paper • Airline tickets that indicate your location in the airport • Library books • Business cards • Recycling • Plastics that sort themselves

  12. 1 2 3 4 5 RFID Risks • Mr. Jones pays with a credit card; his RFID tags now linked to his identity • Mr. Jones attends a political rally; law enforcement scans his RFID tags • Mr. Jones wins Turing Award; physically tracked by paparazzi via RFID

  13. 1 2 3 4 5 Why RFID Risks Arise Three technical aspects of today’s RFID tags create potential problems: • They are promiscuous • they talk to any compatible reader. • They are remotely readable: • they can be read at a distance through materials like cardboard, cloth, and plastic. • They are stealthy • not only are the tags inconspicuous, you don't know when they are transmitting information or to whom. In short, the personal information

  14. 1 2 3 4 5 Risks: Privacy • Personal privacy • Clandestine inventory and tracking • Unsanctioned readers • Customer profiling • Tracking personal activities (e.g., purchase habits, travel) • Big brother • Illicit or inappropriate use of personal data • Data cross contamination • Inventory tags plus personal info • Corporate espionage • Track your competitor’s inventory • Military espionage • Harvesting RFID communication to make inferences

  15. 1 2 3 4 5 Risks: Eavesdropping • Read ranges • nominal read range • max distance at which a normally operating reader can reliably scan tags • rogue scanning range • rogue reader can emit stronger signal and read tags from a larger distance than the nominal range • tag-to-reader eavesdropping range • read-range limitations result from the requirement that the reader powers the tag • however, one reader can power the tag, while another one can monitor its emission (eavesdrop) • reader-to-tag eavesdropping range • readers transmit at much higher power than tags • readers can be eavesdropped form much further • readers may reveal tag specific information

  16. 1 2 3 4 5 Risks: Counterfeits • Comes down to authentication • How can be accomplished • Replaying (RF “tape-recorder”) • Tag cloning • Back-engineering • A few examples from real life (easy to break) • Speed passes • Ignition keys • Physical coercion and attack • In 2005, a man in Malaysia had his fingertip cut off by thieves stealing his biometric-enabled Mercedes • What would happen if the VeriChip were used to access ATM machines and secure facilities? • Perhaps it is better then if tags can be cloned and are not used for authentication—only for identification

  17. 1 2 3 4 5 RFID capabilities • Little power • Receives power from reader • Range a few meters • Little memory • Static 64-to-128-bit identifier • Hundreds of bits soon • Little computational power • A few thousand gates • No cryptographic functions available • Static keys for read/write permission • In terms of computational power can be divided into • BASIC tags • SYMMETRIC KEY tags

  18. 1 2 3 4 5 Privacy protection approaches • standard tags • jamming • “kill” command • “sleep” command • Renaming • Blocking • crypto enabled tags • synchronization approach • hash chain based approach • tree-approach

  19. 1 2 3 4 5 Easiest solution • Keep it close to your body • Liquids are not penetrable by microwave frequencies • Faraday cage • Container made of foil or metal mesh, impenetrable by radio signals of certain frequencies • Shoplifters are already known to use foil-lined bags • Maybe works for a wallet, but huge hassle in general • Active jamming • Disables all RFID, including legitimate applications • All kinds of the above protections can be purchased now days • protective sleevers for passports, wallets, ids, etc.

  20. 1 2 3 4 5 Dead tags tell no tales • Idea: permanently disable tags with a special “kill” command • part of the EPC specification • Advantages: • Simple and effective • Disadvantages: • eliminates all post-purchase benefits of RFID for the consumer and for society • no return of items without receipt • no smart house-hold appliances • cannot be applied in some applications • library, e-passports, banknotes • Similar approaches: • put RFID tags into price tags or packaging which are removed and discarded

  21. 1 2 3 4 5 Don’t kill the tag, put it to sleep • Idea: instead of killing the tag put it in sleep mode • tag can be re-activated if needed • Advantages: • Simple • effective • Disadvantages: • difficult to manage in practice • tag re-activation must be password protected • how the consumers will manage hundreds of passwords for their tags? • passwords can be printed on tags, but then they need to be scanned optically or typed in by the consumer

  22. 1 2 3 4 5 Partial destruction • Renaming • In simplest case renaming to gibberish • No intrinsic meaning • Still can be tracked • Backscatter from antennas • Hypothesize manufacturer type may be learnable • Do tags possess uniquely detectable RF fingerprints? (Device signatures a staple of electronic warfare) • Relabelings • Retain only product ID for later use • Destroy unique ID at the time of purchase • Splitting identifiers across two tags • Peel off one at time of purchase

  23. 1 2 3 4 5 Distance Measuring • Signal-to-noise ratio of the reader signal in an RFID system provides a rough metric of the distance between a reader and a tag. • With some additional, low-cost circuitry a tag might achieve rough measurement of the distance of an interrogating reader. • Distance can serve as a metric for trust. • Release general information (“I am attached to a bottle of water”) when scanned at a distance • Release more specific information (ID), only at close range.

  24. 1 2 3 4 5 Proxying • Proxying • Consumers carry their own privacy-enforcing devices (Higher-powered intermediaries like mobile phones) • Watch dog • Observer observing the observer: monitor if someone scans you • Selectively jams tag replies as needed • RFID guardian • Talk to the guardian first • Communication is released through a fortified intermediate

  25. Please show reader certificate and privileges 1 2 3 4 5 Proxying • Problems • Change of ownership: how to release control • Impersonating the guardian itself • Cannot suppress tag replies entirely, only jam • Cannot suppress reader commands

  26. 1 2 3 4 5 Renaming • Idea: avoid using real Ids, change Identifiers across the reads • get rid of fixed names (identifiers). Pseudonyms stored on tag (limited storage, i.e. 10 or so), tag cycles through pseudonyms • use random pseudonyms and change them frequently • Requirements: • only authorized readers should be able to determine the real identifier behind a pseudonym • standard tags cannot perform computations -> next pseudonym to be used must be set by an authorized reader • A possible implementation • pseudonym = {R|ID}K • R is a random number • K is a key shared by all authorized readers • authorized readers can decrypt pseudonyms and determine real ID • authorized readers can generate new pseudonyms • for unauthorized readers, pseudonyms look like random bit strings • Potential problems • tracking is still possible between two renaming operations • if someone can eavesdrop during the renaming operation, then she may be able to link the new pseudonym to the old one • no reader authentication -> rogue reader can overwrite pseudonyms in tags (tags will be erroneously identified by authorized readers)

  27. Random Bits No Connect V 1 2 3 4 5 Example of RNG The voltage signal is amplified, disturbed, stretched, and sampled, resulting in random bits.

  28. 1 2 3 4 5 Renaming (re-encryption) • A public key based implementation: • El Gamal scheme: • Inputs are ciphertexts • Outputs are a re-encryption of the inputs. • Anyone can encrypt without the public key E • Those who know the secret key D can also decrypt messages encrypted with different keys are indistinguishable

  29. 1 2 3 4 5 Renaming (re-encryption) • El Gamal Encryption Parameters • Public parameters: • q is a prime • p = 2kq+1 is a prime • g generator of Gp, i.e. efficient description of a cyclic group of order q with generator g (I know only one generator which is relatively prime) • Secret key of RFID tag: x (where 0 < x < q) • Public key of RFID tag : y = gx mod p • Encryption for message (plaintext) m • Pick a number k randomly from [0…q-1] • Compute a = yk .m mod p and b = gk mod p • Output (a,b)

  30. 1 2 3 4 5 Renaming (re-encryption) • Decryption • Compute m as a / bx (= yk. m/ (gk)x = gxk. m/ gkx = m) • One can re-encrypt a ciphertext (a, b) without decryption:Input: a ciphertext (a,b) and public key y • Pick a number a randomly from [0…q-1] • Compute a’ = ya . a mod p and b’ = ga . b mod p • Output (a’, b’) • Same decryption technique • Compute m a’ / b’x (= yk. ya. m/ (gk . ga ) x = gx (k+a). m/ gx (k+a) = m) • Properties: • new tag pseudonyms can be computed by readers that know the public key • real tag ID can be computed only by readers that know the private key • Semantic security: Cannot distinguish between C = EPK,r [Alice] and C’ = EPK,r’ [Bob] • An attacker who intercepts C and C’ cannot tell if they come from the same chip, that is the attacker cannot identify or track Alice

  31. 1 2 3 4 5 Blocking • When the reader sends a signal, more than one RFID tag may respond: this is a collision • typical commercial application, such as scanning a bag of groceries, potentially hundreds of tags might be within range of the reader. • Reader must engage in a special singulation protocol to talk to each tag separately • Singulation is used by an RFID reader only when necessary to identify a specific tag (and its ID) from a number of tags in the field • Tree-walking is a common singulation method • Used by 915 Mhz tags, the most common type in the U.S. • Slotted aloha is used for LF tags

  32. 1 2 3 4 5 Anti-collision • "Tree Walking" • Recursive depth-first search • Requirement: Reader is able to detect bit position of a collision • Example: 1 Reader, 3 Transponder, 3-bit ID • Example: 1 Reader, 3 Transponder, 3-bit ID • Synchronized by reader • Example: 1 Reader, 5 Tags, 8-bit ID

  33. 1 2 3 4 5 Tree Walking prefix=0 prefix=1 Reader broadcasts current prefix Each tag with this prefix responds with its next bit prefix=00 prefix=01 prefix=10 prefix=11 If responses don’t collide, reader adds 1 bit to current prefix, otherwise tries both possibilities 000 001 010 011 100 101 110 111 Every tag has a k-bit identifier This takes O(k  number of tags)

  34. 1 2 3 4 5 Tree-Walking • Tree-walking” protocol for identifying tags recursively asks question: • “What is your next bit?” • Something along the lines of: “Will all tags with 1 as their first digit raise their hand”. “Will all tags with 1 as their first digit, and 0 as their second....” • Blocker tag always says both ‘0’ and ‘1’! • Makes it seem like all possible tags are present by making an RFID tag misbehave, and answers yes to every question.

  35. 1 2 3 4 5 Blocker Tag • A form of jamming: broadcast both “0” and “1” in response to any request from an RFID reader • Guarantees collision no matter what tags are present • To talk to a tag, reader must traverse every tree path • With 128-bit IDs, reader must try 2128 values – infeasible! • To prevent illegitimate blocking, make blocker tag selective (block only certain ID ranges) • Blocker tag can be selective:

  36. Blocker Tag • privacy zone • tree is divided into two zones • privacy zone: all IDs starting with 1 • upon purchase of a product, its tag is transferred into the privacy zone by setting the leading bit • the blocker tag • when the prefix in the reader’s query starts with 1, it simulates a collision • when the blocker tag is not present, everything works normally • Alternative: polite blocking (notify the reader)

  37. 1 2 3 4 5 Hash Locks • Locked tag transmit only metaID • Similar to the proximity approach • Unlocked tag can do all operations • Locking mechanism: • Reader R selects a nonce and computes metaID = hash(key) • R writes metaID to tag T • T enters locked state • R stores the pair (metaID, key). • Unlocking • Reader R queries tag T for its metaID • R looks up (metaID, key) • R sends key to T • If (hash(key) == metaID), T unlocks itself

  38. 1 2 3 4 5 Hash locks • Cheap to implement on tags: • A hash function and storage for metaID. • Security based on hardness of hash. • Hash output has nice random properties. • Low key look-up overhead. • Tags respond predictably; allows tracking. • Motivates randomization. • Requires reader to know all keys

  39. “Who are you?” R, hash(R,IDk) “You must be IDk” 1 2 3 4 5 Randomized Hash Locks Goal: authenticate reader to the RFID tag Reader RFID tag Generate random R Compute hash(R,IDi) for every known IDi and compare Stores its own IDk Stores all IDs: ID1, … ,IDn

  40. 1 2 3 4 5 Randomized Hash Locks • Tag must store hash implementation and pseudo-random number generator • Low-cost RNGs exist; can use physical randomness • Secure against tracking because tag response is different each time • Reader must perform brute-force ID search • Effectively, reader must stage a mini-dictionary attack to unlock the tag • Alternative: better searching • Tree approach • Synchronization approach

  41. 1 2 3 4 5 Avoiding brute force synch • c is a counter, H and G are one-way hash functions • reader maintains • synchronized state with tags • operation of tag: • state is si • when queried, the tag responds with the current pseudonym pi=G(si) and computes its new state si+1 = H(si) • operation of the reader: • reader must approximately know the current counter value of each tag • for each tag, it maintains a table with the most likely current counters and corresponding pseudonyms • Operation of the reader • when a tag responds with a pseudonym p, it finds p in any of its tables, identifies the tag, and updates the table corresponding to the tag • one-wayness of the hash ensures that current counter value cannot be computed from observed pseudonym

  42. 1 2 3 4 5 Avoiding brute force (tree of secrets) • Tag == leaf of the tree. • Each tag receives the keys on path from leaf to the root. • Tag ij generates pseudonyms as (Key1(r), Key2(r), …, Fkij (r)). • Reader can decode pseudonym using a depth-first search. • In the worst case, the reader searches through db keys, where d is the depth of the tree, and b is the branching factor • compare this to bd, which is the total number of tags

  43. 1 2 3 4 5 Authentication Workarounds • No explicit counterfeiting measures whatsoever • Possible solutions: • Repurpose the kill function for limited counterfeit • Yoking • cryptographic proof that two tags have been scanned simultaneously and evidence (although not proof) that the tags were scanned in physical proximity to one another. • Usable only in certain circumstances (pharmacy, aircraft safety) • Physical markers • Similar to explosive markers • Special dyes and packaging

  44. 1 2 3 4 5 HB Protocol • Created by Nicholas Hopper and Manuel Blum as a tool for secure authentication and identification of unassisted humans to computers. • Juels and Weis realized that this protocol was actually a natural protocol for the authentication of RFID tags to readers. • The security of the HB Protocol is based on the underlining hardness of the Learning Parity with Noise (LPN) problem.

  45. 1 2 3 4 5 HB Protocol Definitions • The secret x is a k length binary string (tag ID). • The tag needs to prove to the reader that it knows one of the S's on the reader's list of acceptable secrets. • The tag only has one secret, but the reader generally has many. • A query q is also a k length binary string. • Produced by the reader. • One query is produced for each iteration of the protocol • Epsilon is a probability, ranging from 0 to Ѕ that the response calculated by the tag will be flipped • if the correct response was 1, the tag will send back 0, and vice versa. • Nu equals 1 with probability epsilon. • Delta is an error factor, • ranges from 0 to Ѕ • defines how close the tag's actual flipping of responses must be to epsilon in order to be accepted.

  46. k-bit random value a (ax)v 1 2 3 4 5 Crypto RFID: authentication (HB Protocol) Goal: authenticate RFID tag to the reader Reader RFID tag Generate random v: 1 with prob. , else 0 Response correct if it is equal to (ax)  chance that response is incorrect Knows secret x; parameter  Knows secret x; parameter repeat r times RFID tag is authenticated if fewer than r responses are incorrect

  47. k-bit random value a blinding value b (ax)(by)v 1 2 3 4 5 Crypto RFID: authentication (HB+ Protocol) Goal: authenticate RFID tag to the reader Reader RFID tag Generate random v: 1 with prob. , else 0 Response correct if it is equal to (ax)(by) Knows secrets x,y; parameter Knows secrets x,y; parameter  repeat r times RFID tag is authenticated if fewer than r responses are incorrect

  48. Wrapping it up • Some basic trends are apparent: • Pressure to build a smaller, cheaper tags without cryptography • reverse-engineering a cheap RFID tag unlikely to be hard… • Urgent need for cheaper hardware for primitives • “Security through obscurity” doesn’t work • Simple static identifiers are the most naïve • How about encrypting ID? • How about creating new static identifiers, i.e., “meta-ID” • How about a law-enforcement access key? • Tag-specific keys require initial release of identity • Universal keys subject to interception • Special properties: • RFID tags are close and personal giving privacy a special dimension • RFID tags change ownership frequently • Key management will be a major problem • Think for a moment after this talk about distribution of kill passwords… • Are there good hardware approaches to key distribution, e.g., proximity as measure of trust • Some privacy is clearly better than for naive approaches

  49. Future Work Find New and Improve Existing Algorithms Authentication algorithms with human protocols Tag identification with delegation, ownership transfer Efficient cloning-resistant identification algorithms New and emerging problems

More Related