Workshop on RFID Security 2009
This presentation is the property of its rightful owner.
Sponsored Links
1 / 31

Semi-Destructive Private Rfid Systems PowerPoint PPT Presentation


  • 78 Views
  • Uploaded on
  • Presentation posted in: General

Workshop on RFID Security 2009 June 30 - July 2 , 2009, Leuven. Semi-Destructive Private Rfid Systems. by. Paolo D’Arco , Alessandra Scafuro and Ivan Visconti. University of Salerno Italy. Focus of this paper. Vaudenay ’ s Privacy Model [Vau07] Asiacrypt2007.

Download Presentation

Semi-Destructive Private Rfid Systems

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Semi destructive private rfid systems

Workshop on RFID Security 2009

June 30 - July2, 2009, Leuven

Semi-Destructive Private RfidSystems

by

Paolo D’Arco, Alessandra Scafuro and Ivan Visconti

Universityof Salerno

Italy


Semi destructive private rfid systems

Focus ofthispaper

Vaudenay’s Privacy Model [Vau07] Asiacrypt2007

Itabstracts and extends in a clear, concise and generalframework some previousRfid privacy models

[e.g. Avo05, JW06, DO06]


Semi destructive private rfid systems

Contribution

  • An “extension” of the modelto take into account certainphysicalattacks

  • A new privacy notion–semi-destructiveprivacy - whichisachievablethroughtsymmetricprimitives


Semi destructive private rfid systems

RfidScheme

Tag

secure

channel

Reader

BackendServer / DB

Rfid system

  • SetupReader: generates key materials (Ks, Kp) + resets database DB

  • SetupTag: tag ID receivesaninitial state S and (ID, data) isinsertedinto DB

  • Protocols

Tag

(S)

Reader

(Ks, DB)

Output ID (ifvalid) or _|_


Semi destructive private rfid systems

Functionality

Correctness: Identification under normalexecution

Cryptoproperties

  • Security: anAdversarycannot impersonate a tag

  • Privacy: anonimity, unlinkability, …


Semi destructive private rfid systems

Real World

Eavesdrop, intercept,

modify, corrupttags…

Reader

Out-of-rangetags

Adv

vtag3

vtag1

vtag2


Semi destructive private rfid systems

Security and Privacy Definitions

Set oforacles

Oracle queries

Rules

GAME = Adversary’s Goal


Semi destructive private rfid systems

Oracles and Oracle Queries

(vtag1, ID1)

(vtag2, ID2)

DrawTag

CreateTag

Launch

distr

ID

b

π

vtag, b

msg, π

msg, vtag

SendTag

Send

Reader

msg

msg

vtag

π

S

vtag

b

Free

Corrupt

Result

…Advreproducesrealexecutionsof the protocol


Semi destructive private rfid systems

Security Game

Winning condition for Adv: the readeridentified ID butthis (uncorrupted) tag did not have any matching conversationwith the reader

Definition

An Rfidschemeissecureif, foranypolynomialboundedadversary, the probabilityof success isnegligible


Semi destructive private rfid systems

Privacy Game

Intuition: the transcriptofrealprotocolexecutionsdoesnotprovideany help to the adversarywhichistryingtoinfer some relations about the tagswhichplayed the protocol


Semi destructive private rfid systems

Privacy Adversary

QueryingPhase

CreateTag, FreeTag, CorruptTag

Launch, SendReader, SendTag, result

DrawTag

ADVERSARY

(vtag1, ID1)

(vtag2, ID2)

AnalysisPhase

Table

Adversarywinningcondition = True

True/False


Semi destructive private rfid systems

Blinder

  • A Blinderisan interface between the adversary and the oraclesthat:

  • passivelylooks at the comm. toCreateTag, DrawTag, Free, Corrupt

  • simulates the oraclesLaunch, SendReader, SendTag, and Result

DrawTag

CreateTag

Launch

ID

b

distr

π

vtag, b

msg, π

msg, vtag

SendTag

Send

Reader

msg

msg

Blinder

vtag

π

S

vtag

b

Free

Corrupt

Result


Semi destructive private rfid systems

Privacy Game

QueryPhase

QueryPhase

CreateT, FreeT,

CorruptT

CreateT, FreeT,

CorruptT

Launch, SendR,

SendT, Result

Launch, SendR,

SendT, Result

DrawTag

DrawTag

BLINDED ADVERSARY

ADVERSARY

(vtag1, ID1)

(vtag2, ID2)

(vtag1, ID1)

(vtag2, ID2)

AnalysisPhase

AnalysisPhase

True/False

True/False

Table

Table

An Rfid scheme protects privacy if, for any polynomial boundedadversaryA, thereexistsa polynomialboundedblinderB, suchthat

Pr[A wins] ≈Pr[AB wins]


Semi destructive private rfid systems

Privacy Notions

DefinedthroughrestrictionsimposedtoAdv on the useof the oraclequeries


Semi destructive private rfid systems

State of Art

…Weak and Forward are the onlynon-narrownotionsachieved.

Destructiveisan open problem…


Semi destructive private rfid systems

Extensions/Revisitationsof the Model

[NSMSN08] RFID Privacy ModelsRevisited, ESORICS08

… the eightnotionscollapsetothree under certainassumptions

on the adversarycapabilities and propertiesof the RFID scheme

2. [PV08] MutualAuthentication in RFID: Security and Privacy, ASIACCS08

…extensionof the modelto deal withmutualauthentication

3. [SVW09] Anonymizer-Enabled Security and Privacy for RFID, RFIDSec09

…extensionof the modelwithanonymizers

4. [BCI] Efficient ZK IdentificationSchemeswhichrespect Privacy, ASIACCS09

…frameworktotransform ZK schemes in private schemes


Semi destructive private rfid systems

Our work


Semi destructive private rfid systems

A Narrow-Destructiveprotocol

Simplifiedversion [Vau07]

F, GrandomoraclesTag and Readerhaveaccessto

Tag

Reader

state: K

{… (ID,K)…}

a

Pick a in {0,1}α

c=F(K,a)

replaceKbyG(K)

c

find (ID,K) s.t. c=F(K,a)

replaceKbyG(K)

output: ID

or _|_ ifnotfound


Semi destructive private rfid systems

Privacy Attack

1

Create(ID0)

Create(ID1)

vtag=Draw(ID0)

SendTag(vtag, x)

Free(vtag)

…tag ID0hasbeendesynchronised


Semi destructive private rfid systems

Privacy Attack

2

vtag = DrawTag(-$-);

(π, τ ) ← Execute(vtag);

x ← Result(π);

Output Idx = Table(vtag)

…Aalwaysdistinguishesdesynchtag/synchtag

… the schemeisnotweak private becausethereis no blinder

Bsuchthat AB can do the same


Semi destructive private rfid systems

Tags “out of the game”

  • In real life, Advhasseveralwaystopush “out of the game” a tag

  • DoSattacks (at protocollevel, like the aboveone)

  • Physicalattacks (a strong electromagneticfieldtodestroy the circuit)

Do weneedtomodelsuchactions?

Do weneedtoconsider the distinctionbetween a “workingtag” and an “inactive” tagas a privacy breach?

Yes

May be no


Semi destructive private rfid systems

New Oracle: Makeinactive

MakeInactive

Theorem1. In the modelof [Vau07], ifanadversaryisallowed

toquery the MakeInactiveoracle, then no privacy isachievable.


Semi destructive private rfid systems

Proof

1

2

Create(ID0)

Create(ID1)

vtag=Draw(ID0)

MakeInactive(vtag)

Free(vtag)

vtag = DrawTag(-$-);

(π, τ ) ← Execute(vtag);

x=0 if no tagmessage

Output Idx = Table(vtag)

…tag ID0isnowinactive

…Aalwaysdistinguishesinactivetag/activetag

…thisresultmatchesreal life: anAdv can alwaysdistinguish a

workingtagfromaninactiveone


Semi destructive private rfid systems

Privacy game: workingtagsonly

We look at what can bedoneifweconsideronlytagswhichhavenotbeenruled out of the game aspossibletargetsof the privacy game

Changesto the Model:

  • Makeinactive

  • Draw (givesonlyactivetagswheninvoked)


Semi destructive private rfid systems

Destructive Privacy

…challengingnotion and closeto the real world

Note: with the Makeinactiveoraclecall, wedo notneedtochangethe semanticof the CorruptTagoraclecall (i.e., reading the state + destroy).

Destructive Privacy notion: “CorrupTagmustbefollowedbyMakeinactive”

GOAL

Target: Destructive privacy

Tools: symmetriccrypto, standard assumptions

Up tonow…wehavenotsucceeded in gettingananswer (or a protocol) on Destructive Private, butwehavegotsomethingclose…


Semi destructive private rfid systems

An Hardware Perspective


Semi destructive private rfid systems

Semi-Destructive Privacy

We assume an hardware capabilityof the tags, whenpoweredby a reader, todetectcorruption and killthemselves.

Possible in real-life? Costly? As expensiveas PK crypto? We do notknow…

LikeDestructivebutCorruptioncannothappenduring the instants in which the tagispoweredby a reader


Semi destructive private rfid systems

Semi-Destructive Privacy isPossible


Semi destructive private rfid systems

Semi-Destructive Privacy isPossible

Theorem2.

The abovethree-round RFID protocoliscorrect,secureandsemi-destructiveprivate underthe assumptionthat the underlyingencryptionschemeisIND-CPA-secure and INT-CTXT-secure.


Semi destructive private rfid systems

AuthenticatedEncryption

M. Bellare and C. Namprempre

[Asiacrypt00]

IND-CPA∧INT-CTXT

IND-CCA

NM-CCA

IND-CPA ∧ INT-PTXT

IND-CPA

NM-CPA

  • IND-CPA ∧INT-CTXT : Achievable through the Encrypt-Then-Mac paradigm.

  • IND-CPA symmetricencryptionscheme

  • STRONG MAC


Semi destructive private rfid systems

Open Problems

  • Is the hardware safetymeasureidentifiedrealisable in real life?

  • Issemi-destructive privacy of interest in applications (especiallyifdestructiveturns out tobeimpossible)?

  • Are ourconditions on the encryptionschemenecessary?

  • Practicalinstancesforimplementation (using the compositionparadigmforauthenticatedencryption or directconstructions)?


  • Login