Workshop on RFID Security 2009, June 30 - July 2, 2009, Leuven
Semi-Destructive Private Rfid Systems
by Paolo D'Arco, Alessandra Scafuro and Ivan Visconti
University of Salerno, Italy
Focus of this paper
Vaudenay's Privacy Model [Vau07], Asiacrypt 2007
It abstracts and extends, in a clear, concise and general framework, some previous Rfid privacy models [e.g. Avo05, JW06, DO06].
Contribution
• An "extension" of the model to take into account certain physical attacks
• A new privacy notion, semi-destructive privacy, which is achievable through symmetric primitives
Rfid Scheme
[Diagram of the Rfid system: Tag, Reader, Backend Server / DB, secure channel]
• SetupReader: generates key material (Ks, Kp) and resets the database DB
• SetupTag: tag ID receives an initial state S, and (ID, data) is inserted into DB
• Protocols: Tag (S), Reader (Ks, DB); output: ID (if valid) or ⊥
Functionality
Correctness: identification under normal execution
Crypto properties
• Security: an adversary cannot impersonate a tag
• Privacy: anonymity, unlinkability, …
Real World
Eavesdrop, intercept, modify, corrupt tags…
[Diagram: Reader, out-of-range tags, Adv, vtag1, vtag2, vtag3]
Security and Privacy Definitions
Set of oracles
Oracle queries
Rules
GAME = Adversary's Goal
Oracles and Oracle Queries
[Diagram: the oracles CreateTag, DrawTag, Free, Corrupt, Launch, SendReader, SendTag and Result, with their inputs and outputs (ID, b, distr, vtag, msg, π, S), and the table of pairs (vtag1, ID1), (vtag2, ID2), …]
… Adv reproduces real executions of the protocol
Security Game
Winning condition for Adv: the reader identified ID but this (uncorrupted) tag did not have any matching conversation with the reader.
Definition: An Rfid scheme is secure if, for any polynomially bounded adversary, the probability of success is negligible.
Privacy Game
Intuition: the transcript of real protocol executions does not provide any help to the adversary which is trying to infer some relations about the tags which played the protocol.
Privacy Adversary
[Diagram: ADVERSARY. Querying Phase: CreateTag, FreeTag, CorruptTag, Launch, SendReader, SendTag, Result, DrawTag, with the pairs (vtag1, ID1), (vtag2, ID2), … Analysis Phase: Table, output True/False.]
Adversary winning condition = True
Blinder
• A Blinder is an interface between the adversary and the oracles that:
  • passively looks at the communication to CreateTag, DrawTag, Free, Corrupt
  • simulates the oracles Launch, SendReader, SendTag and Result
[Diagram: the Blinder placed between the adversary and the oracles CreateTag, DrawTag, Free, Corrupt, Launch, SendReader, SendTag and Result]
Privacy Game
[Diagram, two panels: ADVERSARY and BLINDED ADVERSARY. Each has a Query Phase (CreateT, FreeT, CorruptT, Launch, SendR, SendT, Result, DrawTag, with the pairs (vtag1, ID1), (vtag2, ID2), …) and an Analysis Phase (Table, output True/False).]
An Rfid scheme protects privacy if, for any polynomially bounded adversary A, there exists a polynomially bounded blinder B such that Pr[A wins] ≈ Pr[A^B wins].
Privacy Notions
Defined through restrictions imposed on Adv on the use of the oracle queries
State of the Art
… Weak and Forward are the only non-narrow notions achieved. Destructive is an open problem…
Extensions/Revisitations of the Model
1. [NSMSN08] RFID Privacy Models Revisited, ESORICS08 … the eight notions collapse to three under certain assumptions on the adversary capabilities and properties of the RFID scheme
2. [PV08] Mutual Authentication in RFID: Security and Privacy, ASIACCS08 … extension of the model to deal with mutual authentication
3. [SVW09] Anonymizer-Enabled Security and Privacy for RFID, RFIDSec09 … extension of the model with anonymizers
4. [BCI] Efficient ZK Identification Schemes which respect Privacy, ASIACCS09 … framework to transform ZK schemes into private schemes
A Narrow-Destructive Protocol
Simplified version of [Vau07]. F, G: random oracles that Tag and Reader have access to.
Tag state: K. Reader state: {… (ID, K) …}
1. Reader: pick a in {0,1}^α and send a to the Tag
2. Tag: c = F(K, a); replace K by G(K); send c to the Reader
3. Reader: find (ID, K) s.t. c = F(K, a); replace K by G(K); output: ID, or ⊥ if not found
Privacy Attack 1
Create(ID0)
Create(ID1)
vtag = Draw(ID0)
SendTag(vtag, x)
Free(vtag)
… tag ID0 has been desynchronised
Privacy Attack 2
vtag = DrawTag(-$-)
(π, τ) ← Execute(vtag)
x ← Result(π)
Output ID_x = Table(vtag)
… A always distinguishes desynch tag / synch tag
… the scheme is not weak private because there is no blinder B such that A^B can do the same
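Privacy Attacks 1 and 2 run against the simplified [Vau07] protocol, as an added example that is not part of the original slides. HMAC-SHA256 stands in for the random oracles F and G, and all class and function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import secrets

# Assumption: HMAC-SHA256 with distinct labels stands in for random oracles F and G.
def F(key, a):
    return hmac.new(key, b"F" + a, hashlib.sha256).digest()

def G(key):
    return hmac.new(key, b"G", hashlib.sha256).digest()

class Tag:
    def __init__(self, key):
        self.key = key

    def respond(self, a):
        c = F(self.key, a)
        self.key = G(self.key)  # the tag updates K on every challenge it answers
        return c

class Reader:
    def __init__(self):
        self.db = {}

    def create_tag(self, tag_id):
        self.db[tag_id] = os.urandom(32)
        return Tag(self.db[tag_id])

    def identify(self, a, c):
        for tag_id, key in self.db.items():
            if hmac.compare_digest(F(key, a), c):
                self.db[tag_id] = G(key)  # the reader updates K only on a match
                return tag_id
        return None  # the slide's "not found" output

def execute(reader, tag):
    a = os.urandom(16)
    return reader.identify(a, tag.respond(a))

def adversary_wins(trials=50):
    wins = 0
    for _ in range(trials):
        reader = Reader()
        tags = {i: reader.create_tag(i) for i in ("ID0", "ID1")}
        tags["ID0"].respond(os.urandom(16))  # Attack 1: SendTag with no reader involved
        hidden = secrets.choice(("ID0", "ID1"))  # Attack 2: DrawTag, Table(vtag) hidden
        x = int(execute(reader, tags[hidden]) is not None)  # x = Result(pi)
        wins += f"ID{x}" == hidden  # guess ID_x, compare with Table(vtag)
    return wins
```

The adversary wins every trial because the tag advances K on any challenge while the reader advances it only after a successful match, so a single stray challenge leaves ID0 permanently unidentifiable.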
Tags "out of the game"
• In real life, Adv has several ways to push a tag "out of the game":
  • DoS attacks (at protocol level, like the above one)
  • Physical attacks (a strong electromagnetic field to destroy the circuit)
Do we need to model such actions? Yes.
Do we need to consider the distinction between a "working tag" and an "inactive" tag as a privacy breach? Maybe no.
New Oracle: MakeInactive
Theorem 1. In the model of [Vau07], if an adversary is allowed to query the MakeInactive oracle, then no privacy is achievable.
Proof
1. Create(ID0); Create(ID1); vtag = Draw(ID0); MakeInactive(vtag); Free(vtag) … tag ID0 is now inactive
2. vtag = DrawTag(-$-); (π, τ) ← Execute(vtag); x = 0 if no tag message; Output ID_x = Table(vtag) … A always distinguishes inactive tag / active tag
… this result matches real life: an Adv can always distinguish a working tag from an inactive one
Privacy game: working tags only
We look at what can be done if we consider only tags which have not been ruled out of the game as possible targets of the privacy game.
Changes to the Model:
• MakeInactive
• Draw (gives only active tags when invoked)
Destructive Privacy
… challenging notion and close to the real world
Note: with the MakeInactive oracle call, we do not need to change the semantics of the CorruptTag oracle call (i.e., reading the state + destroy).
Destructive Privacy notion: "CorruptTag must be followed by MakeInactive"
GOAL
Target: Destructive privacy
Tools: symmetric crypto, standard assumptions
Up to now… we have not succeeded in getting an answer (or a protocol) on Destructive Private, but we have got something close…
Semi-Destructive Privacy
We assume a hardware capability of the tags, when powered by a reader, to detect corruption and kill themselves.
Possible in real life? Costly? As expensive as PK crypto? We do not know…
Like Destructive, but Corruption cannot happen during the instants in which the tag is powered by a reader.
Semi-Destructive Privacy is Possible
Theorem 2. The above three-round RFID protocol is correct, secure and semi-destructive private under the assumption that the underlying encryption scheme is IND-CPA-secure and INT-CTXT-secure.
Authenticated Encryption
M. Bellare and C. Namprempre [Asiacrypt00]
[Diagram: relations among the notions IND-CPA ∧ INT-CTXT, IND-CCA, NM-CCA, IND-CPA ∧ INT-PTXT, IND-CPA, NM-CPA]
• IND-CPA ∧ INT-CTXT: achievable through the Encrypt-then-MAC paradigm
  • IND-CPA symmetric encryption scheme
  • STRONG MAC
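The Encrypt-then-MAC composition named on this slide, as an added example that is not from the original slides. HMAC-SHA256 in counter mode stands in for the IND-CPA encryption scheme and HMAC-SHA256 for the strong MAC, both chosen as assumptions so that the code runs on the standard library alone; the function names are hypothetical.

```python
import hashlib
import hmac
import os

def _keystream(k_enc, nonce, n):
    # PRF in counter mode: block i is HMAC(k_enc, nonce || i).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(k_enc, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _xor(data, stream):
    return bytes(d ^ s for d, s in zip(data, stream))

def encrypt(k_enc, k_mac, msg):
    nonce = os.urandom(16)  # fresh randomness per message (needed for IND-CPA)
    body = _xor(msg, _keystream(k_enc, nonce, len(msg)))
    tag = hmac.new(k_mac, nonce + body, hashlib.sha256).digest()  # MAC over the ciphertext
    return nonce + body + tag

def decrypt(k_enc, k_mac, ct):
    if len(ct) < 48:
        return None
    nonce, body, tag = ct[:16], ct[16:-32], ct[-32:]
    expected = hmac.new(k_mac, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # reject before any decryption: the INT-CTXT behaviour
    return _xor(body, _keystream(k_enc, nonce, len(body)))

def etm_demo():
    k_enc, k_mac = os.urandom(32), os.urandom(32)  # independent keys
    msg = b"constructed sample message"
    ct = encrypt(k_enc, k_mac, msg)
    # Flip one bit at every byte position of the ciphertext in turn.
    forged = [ct[:i] + bytes([ct[i] ^ 1]) + ct[i + 1:] for i in range(len(ct))]
    accepted = sum(decrypt(k_enc, k_mac, f) is not None for f in forged)
    distinct = encrypt(k_enc, k_mac, msg) != ct  # same plaintext, new ciphertext
    return decrypt(k_enc, k_mac, ct), accepted, distinct
```

A deployment would use a vetted cipher or AEAD in place of the HMAC-based keystream; the composition order (encrypt, then MAC the ciphertext, verify before decrypting) is the part the slide refers to.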
Open Problems
• Is the hardware safety measure identified realisable in real life?
• Is semi-destructive privacy of interest in applications (especially if destructive turns out to be impossible)?
• Are our conditions on the encryption scheme necessary?
• Practical instances for implementation (using the composition paradigm for authenticated encryption or direct constructions)?