1 / 15

Robert H. Deng & Yingjiu Li School of Information Systems Singapore Management University

RFID Security & Privacy at both Physical and System Levels - Presentation to IoT -GSI 26 th August 2011. Robert H. Deng & Yingjiu Li School of Information Systems Singapore Management University. RFID Security & Privacy at Physical Level. Radio Frequency IDentification (RFID).

bettymoore
Download Presentation

Robert H. Deng & Yingjiu Li School of Information Systems Singapore Management University

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. RFID Security & Privacy at both Physical and System Levels- Presentation to IoT-GSI26thAugust 2011 Robert H. Deng & Yingjiu Li School of Information Systems Singapore Management University

  2. RFID Security & Privacy at Physical Level

  3. Radio Frequency IDentification(RFID) Radio signal (contactless) Authenticate / Identify Read / Update Tags (transponders) Attached to objects, “call out” identifying data on a special radio frequency Reader (transceivers) Read data off tags without direct contact Database Match tag IDs to physical objects

  4. RFID Security Issues • Tag Authentication • Only valid tags are accepted by a valid reader • Reader Authentication • Only valid readers are accepted by valid tags • Not always required but mandatory in some applications (e.g., e-tickets) • Availability • Infeasible to manipulate honest tags such that honest readers do not accept them

  5. RFID Privacy Issues • Privacy requirements • Anonymity: Confidentiality of the tag identity • Untraceability:Unlinkability of the tag’s transactions • Privacy issues • Adversaries identify tags • Adversaries track tags Radio signal (contactless) Tags Reader

  6. RFID Privacy Preserving Authentication Protocol Design Tag T Reader R c r f (optional) • Security requirements • One way or mutual authentication • Privacy requirements • Anonymity: Confidentiality of the tag identity • Untraceability:Unlinkability of the tag’s transactions

  7. Cryptographic Protocols for RFID Privacy • Numerous lightweight RFID protocols for low-cost tags have been proposed • They use simple operations (XOR, bit inner product, CRC, etc) • Most of them have been broken (T. van Deursen and S. Radomirovic: Attacks on RFID Protocols, ePrint Archive: Report 2008/310)

  8. Recent Progress: RFID Privacy Models • Ind-privacy: indistinguishability of two tags(Jules & Weis, PerCom 2007) • Ideal model, but not easy to work with • Unp-privacy: unpredictability of protocol messages • (Ha, Moon, Zhou & Ha, ESORICS 2008), (Ma, Li, Deng, Li, CCS09) • Only works with symmetric key based protocols • ZK-privacy model: Zero knowledge model • (Deng, Li, Yung, Zhao, Esorics 2010) • Output of real world experiment and output of simulated world experiment are indistinguishable • Works with both symmetric key and public key protocols

  9. RFID Security & Privacy at System Level

  10. An IoT Architecture for Sharing RFID Information Query/ Answer Discovery service Query/ Answer Internet User Query/ Answer Publish/ Update Publish/ Update Information service Information service RFID readers RFID readers RFID tags RFID tags Enterprise information system Enterprise information system

  11. Security and Privacy • Security: Identification/authentication of involving parties • Users, discovery services, information services • Privacy: Only authorized parties can access RFID data as needed • Query, read, write, update, delete • Solution: Access control • Policy management, enforcement, implementation

  12. Access Control Requirements • Cross domain • RFID data to be shared are managed by different parties (IS and DS) • Unknown users • Query issuer may not have prior business relationship or be known to data holders • Visibility • Access to RFID data is based on supply chain information • Compatibility • Access control can be easily enforced in web services and database systems

  13. Existing Access Control Models • Discretionary access control (DAC) • Mandatory access control (MAC) • Role based access control (RBAC) • Attribute based access control (ABAC) Access Subject Object

  14. Comparison

  15. Current Effort • Data Discovery Requirements Document (EPCglobal draft, 2009) • Description of requirements on RFID discovery services, including data confidentiality, integrity and access control • A framework of components for access control in data discovery services (BRIDGE final report, 2009) • Focus on networked services for inter-company operation of supply chains • Our current work • Design secure discovery services and implement the whole system in Singapore

More Related