Rfid security and privacy
This presentation is the property of its rightful owner.
Sponsored Links
1 / 49

RFID Security and Privacy PowerPoint PPT Presentation


  • 98 Views
  • Uploaded on
  • Presentation posted in: General

RFID Security and Privacy. Author: Ari Juels Presenter: Yuliya Kopylova CSCE 790. 1. 2. 3. 4. 5. Roadmap. Background RFID Risks Privacy: Simple Solutions Privacy: More Involved Solutions Authentication: Some Solutions Conclusion. 1. 2. 3. 4. 5. What is RFID?.

Download Presentation

RFID Security and Privacy

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Rfid security and privacy

RFID Security and Privacy

Author: Ari Juels

Presenter: Yuliya Kopylova

CSCE 790


Roadmap

1

2

3

4

5

Roadmap

  • Background

  • RFID Risks

  • Privacy: Simple Solutions

  • Privacy: More Involved Solutions

  • Authentication: Some Solutions

  • Conclusion


What is rfid

1

2

3

4

5

What is RFID?

  • Radio-Frequency Identification Tag

Antenna

  • Sticker containing microchip and antenna

  • Gains power from wireless signal received from tag reader

  • Tag-reader communication with range of up to half a meter

  • Tag returns its unique number and static data

Chip


How does rfid system work

1

2

3

4

5

How Does RFID System Work?

  • Tags consists of antenna and a microchip

  • Readers consists of a transmitter, receiver, 1+ antennas

  • Management system

  • Communication protocol

  • Computer Networks

EasyToll card #816

Radio signal (contactless)

Range: from 3-5 inches to 3 meters

02.3DFEX4.78AF51

Tags (transponders)

Attached to objects,

“call out” identifying data

on a special radio frequency

Reader (transceiver)

Reads data off the tags

without direct contact

Database

Matches tag IDs to

physical objects


Rfid advantages

1

2

3

4

5

RFID Advantages

Barcode

RFID

Fast, automated scanning

(object doesn’t have to leave

pocket, shelf or container)

  • Reading by radio contact

  • Reader can be anywhere within range

  • Line-of-sight reading

  • Reader must be looking at the barcode

  • Specifies object type

  • E.g., “I am a pack of Juicy Fruit”

  • Specifies unique object id

  • E.g., “I am a pack of Juicy Fruit #86715-A”

Can look up this object

in the database (provides pointer)


Rfid tag power sources

1

2

3

4

5

RFID Tag Power Sources

  • Passive

    • inactive until the reader’s interrogation signal “wakes” them up

    • Cheap, but short range only

  • Semi-passive

    • On-board battery, but cannot initiate communication

    • More expensive, longer range

  • Active

    • On-board battery, can initiate communication


Rfid types

1

2

3

4

5

RFID Types

  • Inductive Coupling

  • Backscatter (radiative) Coupling


Closer look

1

2

3

4

5

Closer look


Rfid examples

1

2

3

4

5

RFID examples

  • Pervasive Devices

    • Low memory, few gates

    • Low power, no clock, little state

    • Low computational power

  • You may own a few.

  • Billions on the way.


Current applications

1

2

3

4

5

Current Applications

  • Public Transport and Ticketing

  • Access Control

  • Logistics

  • Animal identification

  • Anti-theft system

  • Real time measurements in sports

  • Inventory Control in supermarkets

  • Electronic payments

  • Industry automation

  • Medical

  • Banknotes, casino chips


Futuristic applications

1

2

3

4

5

Futuristic Applications

  • “Smart” appliances

    • Refrigerators that automatically create shopping lists

    • Closets that tell you what clothes you have available, and search the Web for advice on current styles, etc.

    • Ovens that know how to cook pre-packaged food

  • “Smart” products

    • Clothing, appliances, CDs, etc. tagged for store returns

  • “Smart” paper

    • Airline tickets that indicate your location in the airport

    • Library books

    • Business cards

  • Recycling

    • Plastics that sort themselves


Rfid risks

1

2

3

4

5

RFID Risks

  • Mr. Jones pays with a credit card; his RFID tags now linked to his identity

  • Mr. Jones attends a political rally; law enforcement scans his RFID tags

  • Mr. Jones wins Turing Award; physically tracked by paparazzi via RFID


Why rfid risks arise

1

2

3

4

5

Why RFID Risks Arise

Three technical aspects of today’s RFID tags create potential problems:

  • They are promiscuous

    • they talk to any compatible reader.

  • They are remotely readable:

    • they can be read at a distance through materials like cardboard, cloth, and plastic.

  • They are stealthy

    • not only are the tags inconspicuous, you don't know when they are transmitting information or to whom. In short, the personal information


Risks privacy

1

2

3

4

5

Risks: Privacy

  • Personal privacy

    • Clandestine inventory and tracking

      • Unsanctioned readers

    • Customer profiling

      • Tracking personal activities (e.g., purchase habits, travel)

    • Big brother

      • Illicit or inappropriate use of personal data

  • Data cross contamination

    • Inventory tags plus personal info

  • Corporate espionage

    • Track your competitor’s inventory

  • Military espionage

    • Harvesting RFID communication to make inferences


Risks eavesdropping

1

2

3

4

5

Risks: Eavesdropping

  • Read ranges

    • nominal read range

      • max distance at which a normally operating reader can reliably scan tags

    • rogue scanning range

      • rogue reader can emit stronger signal and read tags from a larger distance than the nominal range

    • tag-to-reader eavesdropping range

      • read-range limitations result from the requirement that the reader powers the tag

      • however, one reader can power the tag, while another one can monitor its emission (eavesdrop)

    • reader-to-tag eavesdropping range

      • readers transmit at much higher power than tags

      • readers can be eavesdropped form much further

      • readers may reveal tag specific information


Risks counterfeits

1

2

3

4

5

Risks: Counterfeits

  • Comes down to authentication

  • How can be accomplished

    • Replaying (RF “tape-recorder”)

    • Tag cloning

    • Back-engineering

  • A few examples from real life (easy to break)

    • Speed passes

    • Ignition keys

    • Physical coercion and attack

      • In 2005, a man in Malaysia had his fingertip cut off by thieves stealing his biometric-enabled Mercedes

      • What would happen if the VeriChip were used to access ATM machines and secure facilities?

    • Perhaps it is better then if tags can be cloned and are not used for authentication—only for identification


Rfid capabilities

1

2

3

4

5

RFID capabilities

  • Little power

    • Receives power from reader

    • Range a few meters

  • Little memory

    • Static 64-to-128-bit identifier

    • Hundreds of bits soon

  • Little computational power

    • A few thousand gates

    • No cryptographic functions available

    • Static keys for read/write permission

  • In terms of computational power can be divided into

    • BASIC tags

    • SYMMETRIC KEY tags


Privacy protection approaches

1

2

3

4

5

Privacy protection approaches

  • standard tags

    • jamming

    • “kill” command

    • “sleep” command

    • Renaming

    • Blocking

  • crypto enabled tags

    • synchronization approach

    • hash chain based approach

    • tree-approach


Easiest solution

1

2

3

4

5

Easiest solution

  • Keep it close to your body

    • Liquids are not penetrable by microwave frequencies

  • Faraday cage

    • Container made of foil or metal mesh, impenetrable by radio signals of certain frequencies

    • Shoplifters are already known to use foil-lined bags

    • Maybe works for a wallet, but huge hassle in general

  • Active jamming

    • Disables all RFID, including legitimate applications

  • All kinds of the above protections can be purchased now days

    • protective sleevers for passports, wallets, ids, etc.


Dead tags tell no tales

1

2

3

4

5

Dead tags tell no tales

  • Idea: permanently disable tags with a special “kill” command

    • part of the EPC specification

  • Advantages:

    • Simple and effective

  • Disadvantages:

    • eliminates all post-purchase benefits of RFID for the consumer and for society

    • no return of items without receipt

    • no smart house-hold appliances

    • cannot be applied in some applications

      • library, e-passports, banknotes

  • Similar approaches:

    • put RFID tags into price tags or packaging which are removed and discarded


Don t kill the tag put it to sleep

1

2

3

4

5

Don’t kill the tag, put it to sleep

  • Idea: instead of killing the tag put it in sleep mode

    • tag can be re-activated if needed

  • Advantages:

    • Simple

    • effective

  • Disadvantages:

    • difficult to manage in practice

    • tag re-activation must be password protected

    • how the consumers will manage hundreds of passwords for their tags?

    • passwords can be printed on tags, but then they need to be scanned optically or typed in by the consumer


Partial destruction

1

2

3

4

5

Partial destruction

  • Renaming

    • In simplest case renaming to gibberish

    • No intrinsic meaning

    • Still can be tracked

      • Backscatter from antennas

      • Hypothesize manufacturer type may be learnable

      • Do tags possess uniquely detectable RF fingerprints? (Device signatures a staple of electronic warfare)

  • Relabelings

    • Retain only product ID for later use

    • Destroy unique ID at the time of purchase

  • Splitting identifiers across two tags

    • Peel off one at time of purchase


Distance measuring

1

2

3

4

5

Distance Measuring

  • Signal-to-noise ratio of the reader signal in an RFID system provides a rough metric of the distance between a reader and a tag.

  • With some additional, low-cost circuitry a tag might achieve rough measurement of the distance of an interrogating reader.

  • Distance can serve as a metric for trust.

    • Release general information (“I am attached to a bottle of water”) when scanned at a distance

    • Release more specific information (ID), only at close range.


Proxying

1

2

3

4

5

Proxying

  • Proxying

    • Consumers carry their own privacy-enforcing devices (Higher-powered intermediaries like mobile phones)

    • Watch dog

      • Observer observing the observer: monitor if someone scans you

      • Selectively jams tag replies as needed

    • RFID guardian

      • Talk to the guardian first

      • Communication is released through a fortified intermediate


Proxying1

Please show reader certificate and privileges

1

2

3

4

5

Proxying

  • Problems

    • Change of ownership: how to release control

    • Impersonating the guardian itself

    • Cannot suppress tag replies entirely, only jam

    • Cannot suppress reader commands


Renaming

1

2

3

4

5

Renaming

  • Idea: avoid using real Ids, change Identifiers across the reads

    • get rid of fixed names (identifiers). Pseudonyms stored on tag (limited storage, i.e. 10 or so), tag cycles through pseudonyms

    • use random pseudonyms and change them frequently

  • Requirements:

    • only authorized readers should be able to determine the real identifier behind a pseudonym

    • standard tags cannot perform computations -> next pseudonym to be used must be set by an authorized reader

  • A possible implementation

    • pseudonym = {R|ID}K

      • R is a random number

      • K is a key shared by all authorized readers

    • authorized readers can decrypt pseudonyms and determine real ID

    • authorized readers can generate new pseudonyms

    • for unauthorized readers, pseudonyms look like random bit strings

  • Potential problems

    • tracking is still possible between two renaming operations

    • if someone can eavesdrop during the renaming operation, then she may be able to link the new pseudonym to the old one

    • no reader authentication -> rogue reader can overwrite pseudonyms in tags (tags will be erroneously identified by authorized readers)


Example of rng

Random Bits

No

Connect

V

1

2

3

4

5

Example of RNG

The voltage signal is amplified, disturbed, stretched, and sampled,

resulting in random bits.


Renaming re encryption

1

2

3

4

5

Renaming (re-encryption)

  • A public key based implementation:

    • El Gamal scheme:

      • Inputs are ciphertexts

      • Outputs are a re-encryption of the inputs.

      • Anyone can encrypt without the public key E

      • Those who know the secret key D can also decrypt messages encrypted with different keys are indistinguishable


Renaming re encryption1

1

2

3

4

5

Renaming (re-encryption)

  • El Gamal Encryption Parameters

    • Public parameters:

      • q is a prime

      • p = 2kq+1is a prime

      • ggenerator of Gp, i.e. efficient description of a cyclic group of order q with generator g (I know only one generator which is relatively prime)

    • Secret key of RFID tag: x (where 0 < x < q)

    • Public key of RFID tag : y = gx mod p

  • Encryption for message (plaintext) m

    • Pick a number k randomly from [0…q-1]

    • Compute a = yk .m mod p and b = gk mod p

    • Output (a,b)


Renaming re encryption2

1

2

3

4

5

Renaming (re-encryption)

  • Decryption

    • Compute m as a / bx (= yk. m/ (gk)x = gxk. m/ gkx = m)

  • One can re-encrypt a ciphertext (a, b) without decryption:Input: a ciphertext (a,b) and public key y

    • Pick a number a randomly from [0…q-1]

    • Compute a’ = ya . a mod p and b’ = ga . b mod p

    • Output (a’, b’)

  • Same decryption technique

    • Compute m a’ / b’x (= yk. ya. m/ (gk . ga ) x = gx (k+a). m/ gx (k+a) = m)

  • Properties:

    • new tag pseudonyms can be computed by readers that know the public key

    • real tag ID can be computed only by readers that know the private key

    • Semantic security: Cannot distinguish between C = EPK,r [Alice] and C’ = EPK,r’ [Bob]

      • An attacker who intercepts C and C’ cannot tell if they come from the same chip, that is the attacker cannot identify or track Alice


  • Blocking

    1

    2

    3

    4

    5

    Blocking

    • When the reader sends a signal, more than one RFID tag may respond: this is a collision

      • typical commercial application, such as scanning a bag of groceries, potentially hundreds of tags might be within range of the reader.

    • Reader must engage in a special singulation protocol to talk to each tag separately

      • Singulation is used by an RFID reader only when necessary to identify a specific tag (and its ID) from a number of tags in the field

    • Tree-walking is a common singulation method

      • Used by 915 Mhz tags, the most common type in the U.S.

      • Slotted aloha is used for LF tags


    Anti collision

    1

    2

    3

    4

    5

    Anti-collision

    • "Tree Walking"

    • Recursive depth-first search

    • Requirement: Reader is able to detect bit position of a collision

    • Example: 1 Reader, 3 Transponder, 3-bit ID

    • Example: 1 Reader, 3 Transponder, 3-bit ID

    • Synchronized by reader

    • Example: 1 Reader, 5 Tags, 8-bit ID


    Tree walking

    1

    2

    3

    4

    5

    Tree Walking

    prefix=0

    prefix=1

    Reader broadcasts

    current prefix

    Each tag with this prefix

    responds with its next bit

    prefix=00

    prefix=01

    prefix=10

    prefix=11

    If responses don’t collide,

    reader adds 1 bit to current

    prefix, otherwise tries both

    possibilities

    000

    001

    010

    011

    100

    101

    110

    111

    Every tag has a k-bit identifier

    This takes O(k  number of tags)


    Tree walking1

    1

    2

    3

    4

    5

    Tree-Walking

    • Tree-walking” protocol for identifying tags recursively asks question:

      • “What is your next bit?”

      • Something along the lines of: “Will all tags with 1 as their first digit raise their hand”. “Will all tags with 1 as their first digit, and 0 as their second....”

    • Blocker tag always says both ‘0’ and ‘1’!

      • Makes it seem like all possible tags are present by making an RFID tag misbehave, and answers yes to every question.


    Blocker tag

    1

    2

    3

    4

    5

    Blocker Tag

    • A form of jamming: broadcast both “0” and “1” in response to any request from an RFID reader

      • Guarantees collision no matter what tags are present

      • To talk to a tag, reader must traverse every tree path

        • With 128-bit IDs, reader must try 2128 values – infeasible!

    • To prevent illegitimate blocking, make blocker tag selective (block only certain ID ranges)

    • Blocker tag can be selective:


    Blocker tag1

    Blocker Tag

    • privacy zone

      • tree is divided into two zones

      • privacy zone: all IDs starting with 1

      • upon purchase of a product, its tag is transferred into the privacy zone by setting the leading bit

    • the blocker tag

      • when the prefix in the reader’s query starts with 1, it simulates a collision

      • when the blocker tag is not present, everything works normally

    • Alternative: polite blocking (notify the reader)


    Hash locks

    1

    2

    3

    4

    5

    Hash Locks

    • Locked tag transmit only metaID

    • Similar to the proximity approach

    • Unlocked tag can do all operations

    • Locking mechanism:

      • Reader R selects a nonce and computes metaID = hash(key)

      • R writes metaID to tag T

      • T enters locked state

      • R stores the pair (metaID, key).

    • Unlocking

      • Reader R queries tag T for its metaID

      • R looks up (metaID, key)

      • R sends key to T

      • If (hash(key) == metaID), T unlocks itself


    Hash locks1

    1

    2

    3

    4

    5

    Hash locks

    • Cheap to implement on tags:

      • A hash function and storage for metaID.

    • Security based on hardness of hash.

    • Hash output has nice random properties.

    • Low key look-up overhead.

    • Tags respond predictably; allows tracking.

      • Motivates randomization.

    • Requires reader to know all keys


    Randomized hash locks

    “Who are you?”

    R, hash(R,IDk)

    “You must be IDk”

    1

    2

    3

    4

    5

    Randomized Hash Locks

    Goal: authenticate reader to the RFID tag

    Reader

    RFID tag

    Generate random R

    Compute hash(R,IDi) for every

    known IDi and compare

    Stores its own IDk

    Stores all IDs:

    ID1, … ,IDn


    Randomized hash locks1

    1

    2

    3

    4

    5

    Randomized Hash Locks

    • Tag must store hash implementation and pseudo-random number generator

      • Low-cost RNGs exist; can use physical randomness

    • Secure against tracking because tag response is different each time

    • Reader must perform brute-force ID search

      • Effectively, reader must stage a mini-dictionary attack to unlock the tag

    • Alternative: better searching

      • Tree approach

      • Synchronization approach


    Avoiding brute force synch

    1

    2

    3

    4

    5

    Avoiding brute force synch

    • c is a counter, H and G are one-way hash functions

    • reader maintains

    • synchronized state with tags

    • operation of tag:

      • state is si

      • when queried, the tag responds with the current pseudonym pi=G(si) and computes its new state si+1 = H(si)

    • operation of the reader:

      • reader must approximately know the current counter value of each tag

      • for each tag, it maintains a table with the most likely current counters and corresponding pseudonyms

    • Operation of the reader

      • when a tag responds with a pseudonym p, it finds p in any of its tables, identifies the tag, and updates the table corresponding to the tag

      • one-wayness of the hash ensures that current counter value cannot be computed from observed pseudonym


    Avoiding brute force tree of secrets

    1

    2

    3

    4

    5

    Avoiding brute force (tree of secrets)

    • Tag == leaf of the tree.

    • Each tag receives the keys on path from leaf to the root.

    • Tag ij generates pseudonyms as (Key1(r), Key2(r), …, Fkij (r)).

    • Reader can decode pseudonym using a depth-first search.

    • In the worst case, the reader searches through db keys, where d is the depth of the tree, and b is the branching factor

      • compare this to bd, which is the total number of tags


    Authentication workarounds

    1

    2

    3

    4

    5

    Authentication Workarounds

    • No explicit counterfeiting measures whatsoever

    • Possible solutions:

      • Repurpose the kill function for limited counterfeit

      • Yoking

        • cryptographic proof that two tags have been scanned simultaneously and evidence (although not proof) that the tags were scanned in physical proximity to one another.

        • Usable only in certain circumstances (pharmacy, aircraft safety)

      • Physical markers

        • Similar to explosive markers

        • Special dyes and packaging


    Hb protocol

    1

    2

    3

    4

    5

    HB Protocol

    • Created by Nicholas Hopper and Manuel Blum as a tool for secure authentication and identification of unassisted humans to computers.

    • Juels and Weis realized that this protocol was actually a natural protocol for the authentication of RFID tags to readers.

    • The security of the HB Protocol is based on the underlining hardness of the Learning Parity with Noise (LPN) problem.


    Hb protocol1

    1

    2

    3

    4

    5

    HB Protocol

    Definitions

    • The secret x is a k length binary string (tag ID).

      • The tag needs to prove to the reader that it knows one of the S's on the reader's list of acceptable secrets.

      • The tag only has one secret, but the reader generally has many.

    • A query q is also a k length binary string.

      • Produced by the reader.

      • One query is produced for each iteration of the protocol

    • Epsilon is a probability, ranging from 0 to Ѕ that the response calculated by the tag will be flipped

      • if the correct response was 1, the tag will send back 0, and vice versa.

    • Nu equals 1 with probability epsilon.

    • Delta is an error factor,

      • ranges from 0 to Ѕ

      • defines how close the tag's actual flipping of responses must be to epsilon in order to be accepted.


    Crypto rfid authentication hb protocol

    k-bit random value a

    (ax)v

    1

    2

    3

    4

    5

    Crypto RFID: authentication (HB Protocol)

    Goal: authenticate RFID tag to the reader

    Reader

    RFID tag

    Generate random v:

    1 with prob. , else 0

    Response correct if

    it is equal to (ax)

     chance that

    response is incorrect

    Knows secret x;

    parameter 

    Knows secret x;

    parameter

    repeat r times

    RFID tag is authenticated

    if fewer than r responses

    are incorrect


    Crypto rfid authentication hb protocol1

    k-bit random value a

    blinding value b

    (ax)(by)v

    1

    2

    3

    4

    5

    Crypto RFID: authentication (HB+ Protocol)

    Goal: authenticate RFID tag to the reader

    Reader

    RFID tag

    Generate random v:

    1 with prob. , else 0

    Response correct if

    it is equal to (ax)(by)

    Knows secrets x,y;

    parameter

    Knows secrets x,y;

    parameter 

    repeat r times

    RFID tag is authenticated

    if fewer than r responses

    are incorrect


    Wrapping it up

    Wrapping it up

    • Some basic trends are apparent:

      • Pressure to build a smaller, cheaper tags without cryptography

        • reverse-engineering a cheap RFID tag unlikely to be hard…

      • Urgent need for cheaper hardware for primitives

      • “Security through obscurity” doesn’t work

    • Simple static identifiers are the most naïve

      • How about encrypting ID?

      • How about creating new static identifiers, i.e., “meta-ID”

      • How about a law-enforcement access key?

        • Tag-specific keys require initial release of identity

        • Universal keys subject to interception

    • Special properties:

      • RFID tags are close and personal giving privacy a special dimension

      • RFID tags change ownership frequently

      • Key management will be a major problem

        • Think for a moment after this talk about distribution of kill passwords…

        • Are there good hardware approaches to key distribution, e.g., proximity as measure of trust

    • Some privacy is clearly better than for naive approaches


    Future work

    Future Work

    Find New and Improve Existing Algorithms

    Authentication algorithms with human protocols

    Tag identification with delegation, ownership transfer

    Efficient cloning-resistant identification algorithms

    New and emerging problems


  • Login