RFID Security and Privacy

Author: Ari Juels

Presenter: Yuliya Kopylova

CSCE 790



Roadmap

  • Background

  • RFID Risks

  • Privacy: Simple Solutions

  • Privacy: More Involved Solutions

  • Authentication: Some Solutions

  • Conclusion



What is RFID?

  • Radio-Frequency Identification Tag

  • Sticker containing microchip and antenna

  • Gains power from wireless signal received from tag reader

  • Tag-reader communication with range of up to half a meter

  • Tag returns its unique number and static data

[Figure: RFID tag with its antenna and chip labelled]



How Does RFID System Work?

  • Tags consist of an antenna and a microchip

  • Readers consist of a transmitter, receiver, 1+ antennas

  • Management system

  • Communication protocol

  • Computer Networks

  • Tags (transponders): attached to objects, “call out” identifying data on a special radio frequency

  • Radio signal (contactless), range: from 3-5 inches to 3 meters

  • Reader (transceiver): reads data off the tags without direct contact

  • Database: matches tag IDs to physical objects

[Figure labels: EasyToll card #816; 02.3DFEX4.78AF51]



RFID Advantages

  • Barcode

    • Line-of-sight reading

      • Reader must be looking at the barcode

    • Specifies object type

      • E.g., “I am a pack of Juicy Fruit”

  • RFID

    • Reading by radio contact

      • Reader can be anywhere within range

    • Specifies unique object id

      • E.g., “I am a pack of Juicy Fruit #86715-A”

      • Can look up this object in the database (provides pointer)

    • Fast, automated scanning (object doesn’t have to leave pocket, shelf or container)



RFID Tag Power Sources

  • Passive

    • inactive until the reader’s interrogation signal “wakes” them up

    • Cheap, but short range only

  • Semi-passive

    • On-board battery, but cannot initiate communication

    • More expensive, longer range

  • Active

    • On-board battery, can initiate communication



RFID Types

  • Inductive Coupling

  • Backscatter (radiative) Coupling



Closer look



RFID examples

  • Pervasive Devices

    • Low memory, few gates

    • Low power, no clock, little state

    • Low computational power

  • You may own a few.

  • Billions on the way.



Current Applications

  • Public Transport and Ticketing

  • Access Control

  • Logistics

  • Animal identification

  • Anti-theft system

  • Real time measurements in sports

  • Inventory Control in supermarkets

  • Electronic payments

  • Industry automation

  • Medical

  • Banknotes, casino chips



Futuristic Applications

  • “Smart” appliances

    • Refrigerators that automatically create shopping lists

    • Closets that tell you what clothes you have available, and search the Web for advice on current styles, etc.

    • Ovens that know how to cook pre-packaged food

  • “Smart” products

    • Clothing, appliances, CDs, etc. tagged for store returns

  • “Smart” paper

    • Airline tickets that indicate your location in the airport

    • Library books

    • Business cards

  • Recycling

    • Plastics that sort themselves



RFID Risks

  • Mr. Jones pays with a credit card; his RFID tags now linked to his identity

  • Mr. Jones attends a political rally; law enforcement scans his RFID tags

  • Mr. Jones wins Turing Award; physically tracked by paparazzi via RFID



Why RFID Risks Arise

Three technical aspects of today’s RFID tags create potential problems:

  • They are promiscuous

    • they talk to any compatible reader.

  • They are remotely readable:

    • they can be read at a distance through materials like cardboard, cloth, and plastic.

  • They are stealthy

    • not only are the tags inconspicuous, you don't know when they are transmitting information or to whom. In short, the personal information



Risks: Privacy

  • Personal privacy

    • Clandestine inventory and tracking

      • Unsanctioned readers

    • Customer profiling

      • Tracking personal activities (e.g., purchase habits, travel)

    • Big brother

      • Illicit or inappropriate use of personal data

  • Data cross contamination

    • Inventory tags plus personal info

  • Corporate espionage

    • Track your competitor’s inventory

  • Military espionage

    • Harvesting RFID communication to make inferences



Risks: Eavesdropping

  • Read ranges

    • nominal read range

      • max distance at which a normally operating reader can reliably scan tags

    • rogue scanning range

      • rogue reader can emit stronger signal and read tags from a larger distance than the nominal range

    • tag-to-reader eavesdropping range

      • read-range limitations result from the requirement that the reader powers the tag

      • however, one reader can power the tag, while another one can monitor its emission (eavesdrop)

    • reader-to-tag eavesdropping range

      • readers transmit at much higher power than tags

      • readers can be eavesdropped from much further away

      • readers may reveal tag specific information



Risks: Counterfeits

  • Comes down to authentication

  • How it can be accomplished

    • Replaying (RF “tape-recorder”)

    • Tag cloning

    • Back-engineering

  • A few examples from real life (easy to break)

    • Speed passes

    • Ignition keys

    • Physical coercion and attack

      • In 2005, a man in Malaysia had his fingertip cut off by thieves stealing his biometric-enabled Mercedes

      • What would happen if the VeriChip were used to access ATM machines and secure facilities?

    • Perhaps it is better, then, if tags can be cloned and are not used for authentication—only for identification



RFID capabilities

  • Little power

    • Receives power from reader

    • Range a few meters

  • Little memory

    • Static 64-to-128-bit identifier

    • Hundreds of bits soon

  • Little computational power

    • A few thousand gates

    • No cryptographic functions available

    • Static keys for read/write permission

  • In terms of computational power can be divided into

    • BASIC tags

    • SYMMETRIC KEY tags



Privacy protection approaches

  • standard tags

    • jamming

    • “kill” command

    • “sleep” command

    • Renaming

    • Blocking

  • crypto enabled tags

    • synchronization approach

    • hash chain based approach

    • tree-approach



Easiest solution

  • Keep it close to your body

    • Liquids are not penetrable by microwave frequencies

  • Faraday cage

    • Container made of foil or metal mesh, impenetrable by radio signals of certain frequencies

    • Shoplifters are already known to use foil-lined bags

    • Maybe works for a wallet, but huge hassle in general

  • Active jamming

    • Disables all RFID, including legitimate applications

  • All of the above protections can be purchased nowadays

    • protective sleeves for passports, wallets, IDs, etc.



Dead tags tell no tales

  • Idea: permanently disable tags with a special “kill” command

    • part of the EPC specification

  • Advantages:

    • Simple and effective

  • Disadvantages:

    • eliminates all post-purchase benefits of RFID for the consumer and for society

    • no return of items without receipt

    • no smart household appliances

    • cannot be applied in some applications

      • library, e-passports, banknotes

  • Similar approaches:

    • put RFID tags into price tags or packaging which are removed and discarded



Don’t kill the tag, put it to sleep

  • Idea: instead of killing the tag put it in sleep mode

    • tag can be re-activated if needed

  • Advantages:

    • Simple

    • effective

  • Disadvantages:

    • difficult to manage in practice

    • tag re-activation must be password protected

    • how will consumers manage hundreds of passwords for their tags?

    • passwords can be printed on tags, but then they need to be scanned optically or typed in by the consumer



Partial destruction

  • Renaming

    • In simplest case renaming to gibberish

    • No intrinsic meaning

    • Still can be tracked

      • Backscatter from antennas

      • Hypothesize manufacturer type may be learnable

      • Do tags possess uniquely detectable RF fingerprints? (Device signatures a staple of electronic warfare)

  • Relabelings

    • Retain only product ID for later use

    • Destroy unique ID at the time of purchase

  • Splitting identifiers across two tags

    • Peel off one at time of purchase



Distance Measuring

  • Signal-to-noise ratio of the reader signal in an RFID system provides a rough metric of the distance between a reader and a tag.

  • With some additional, low-cost circuitry a tag might achieve rough measurement of the distance of an interrogating reader.

  • Distance can serve as a metric for trust.

    • Release general information (“I am attached to a bottle of water”) when scanned at a distance

    • Release more specific information (ID), only at close range.



Proxying

  • Proxying

    • Consumers carry their own privacy-enforcing devices (Higher-powered intermediaries like mobile phones)

    • Watch dog

      • Observer observing the observer: monitor if someone scans you

      • Selectively jams tag replies as needed

    • RFID guardian

      • Talk to the guardian first

      • Communication is released through a fortified intermediate


[Figure text: “Please show reader certificate and privileges”]


Proxying

  • Problems

    • Change of ownership: how to release control

    • Impersonating the guardian itself

    • Cannot suppress tag replies entirely, only jam

    • Cannot suppress reader commands



Renaming

  • Idea: avoid using real IDs; change identifiers across reads

    • get rid of fixed names (identifiers). Pseudonyms are stored on the tag (limited storage, i.e. 10 or so), and the tag cycles through them

    • use random pseudonyms and change them frequently

  • Requirements:

    • only authorized readers should be able to determine the real identifier behind a pseudonym

    • standard tags cannot perform computations -> next pseudonym to be used must be set by an authorized reader

  • A possible implementation

    • pseudonym = $\{R \,|\, ID\}_K$

      • R is a random number

      • K is a key shared by all authorized readers

    • authorized readers can decrypt pseudonyms and determine real ID

    • authorized readers can generate new pseudonyms

    • for unauthorized readers, pseudonyms look like random bit strings

  • Potential problems

    • tracking is still possible between two renaming operations

    • if someone can eavesdrop during the renaming operation, then she may be able to link the new pseudonym to the old one

    • no reader authentication -> rogue reader can overwrite pseudonyms in tags (tags will be erroneously identified by authorized readers)



Example of RNG

The voltage signal is amplified, disturbed, stretched, and sampled, resulting in random bits.



Renaming (re-encryption)

  • A public key based implementation:

    • El Gamal scheme:

      • Inputs are ciphertexts

      • Outputs are a re-encryption of the inputs.

      • Anyone can encrypt without the public key E

      • Those who know the secret key D can also decrypt

      • Messages encrypted with different keys are indistinguishable



Renaming (re-encryption)

  • El Gamal Encryption Parameters

    • Public parameters:

      • $q$ is a prime

      • $p = 2kq + 1$ is a prime

      • $g$ is a generator of $G_p$, i.e. efficient description of a cyclic group of order $q$ with generator $g$ (I know only one generator which is relatively prime)

    • Secret key of RFID tag: $x$ (where $0 < x < q$)

    • Public key of RFID tag: $y = g^x \bmod p$

  • Encryption for message (plaintext) $m$

    • Pick a number $k$ randomly from $[0 \ldots q-1]$

    • Compute $a = y^k \cdot m \bmod p$ and $b = g^k \bmod p$

    • Output $(a, b)$



Renaming (re-encryption)

  • Decryption

    • Compute $m$ as $a / b^x$ $(= y^k \cdot m / (g^k)^x = g^{xk} \cdot m / g^{kx} = m)$

  • One can re-encrypt a ciphertext $(a, b)$ without decryption. Input: a ciphertext $(a, b)$ and public key $y$

    • Pick a number $\alpha$ randomly from $[0 \ldots q-1]$

    • Compute $a' = y^{\alpha} \cdot a \bmod p$ and $b' = g^{\alpha} \cdot b \bmod p$

    • Output $(a', b')$

  • Same decryption technique

    • Compute $m$ as $a' / (b')^x$ $(= y^k \cdot y^{\alpha} \cdot m / (g^k \cdot g^{\alpha})^x = g^{x(k+\alpha)} \cdot m / g^{x(k+\alpha)} = m)$

  • Properties:

    • new tag pseudonyms can be computed by readers that know the public key

    • real tag ID can be computed only by readers that know the private key

    • Semantic security: Cannot distinguish between $C = E_{PK,r}[\text{Alice}]$ and $C' = E_{PK,r'}[\text{Bob}]$

      • An attacker who intercepts $C$ and $C'$ cannot tell if they come from the same chip, that is the attacker cannot identify or track Alice
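The renaming scheme above as runnable code. This is an added example, not part of the original slides. The toy parameters (q = 1019, p = 2039, g = 4), the `encode_id` helper that maps an ID into the order-q subgroup, and the choice of a non-zero re-encryption exponent are assumptions of this sketch.

```python
import secrets

# Toy public parameters, constructed for this example (far too small for real use):
# q is prime, p = 2kq + 1 is prime (k = 1), g generates the subgroup of order q.
Q = 1019
P = 2 * Q + 1
G = 4  # 2^2 mod p: a quadratic residue other than 1, hence of order q


def encode_id(tag_id):
    """Map tag_id in [1, q] into the order-q subgroup.

    p = 3 (mod 4), so exactly one of tag_id and p - tag_id is a quadratic
    residue. Without this step the residuosity of `a` would leak one bit.
    """
    if not 1 <= tag_id <= Q:
        raise ValueError("tag_id must be in [1, q]")
    return tag_id if pow(tag_id, Q, P) == 1 else P - tag_id


def decode_id(m):
    return m if m <= Q else P - m


def keygen():
    x = 1 + secrets.randbelow(Q - 1)      # secret key, 0 < x < q
    return x, pow(G, x, P)                # public key y = g^x mod p


def encrypt(y, tag_id):
    """Initial pseudonym (a, b) = (y^k * m, g^k) mod p."""
    k = secrets.randbelow(Q)
    return (pow(y, k, P) * encode_id(tag_id)) % P, pow(G, k, P)


def reencrypt(y, ct):
    """Rename using only the public key: (y^alpha * a, g^alpha * b) mod p."""
    a, b = ct
    alpha = 1 + secrets.randbelow(Q - 1)  # non-zero, so the pseudonym always changes
    return (pow(y, alpha, P) * a) % P, (pow(G, alpha, P) * b) % P


def decrypt(x, ct):
    """m = a / b^x mod p; the inverse of b^x is b^(p-1-x) by Fermat."""
    a, b = ct
    return decode_id((a * pow(b, P - 1 - x, P)) % P)


def rename_rounds(tag_id, rounds):
    """Simulate a tag renamed `rounds` times by readers that hold only y."""
    x, y = keygen()
    pseudonym = encrypt(y, tag_id)
    history = [pseudonym]
    for _ in range(rounds):
        pseudonym = reencrypt(y, pseudonym)
        history.append(pseudonym)
    return x, history


if __name__ == "__main__":
    x, history = rename_rounds(tag_id=816, rounds=4)
    for ct in history:
        print(ct, "->", decrypt(x, ct))   # every pseudonym maps back to 816
```
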



    Blocking

    • When the reader sends a signal, more than one RFID tag may respond: this is a collision

      • in a typical commercial application, such as scanning a bag of groceries, potentially hundreds of tags might be within range of the reader.

    • Reader must engage in a special singulation protocol to talk to each tag separately

      • Singulation is used by an RFID reader only when necessary to identify a specific tag (and its ID) from a number of tags in the field

    • Tree-walking is a common singulation method

      • Used by 915 MHz tags, the most common type in the U.S.

      • Slotted aloha is used for LF tags



    Anti-collision

    • "Tree Walking"

    • Recursive depth-first search

    • Requirement: Reader is able to detect bit position of a collision

    • Example: 1 Reader, 3 Transponders, 3-bit ID

    • Synchronized by reader

    • Example: 1 Reader, 5 Tags, 8-bit ID



    Tree Walking

    • Reader broadcasts current prefix

    • Each tag with this prefix responds with its next bit

    • If responses don’t collide, reader adds 1 bit to current prefix, otherwise tries both possibilities

    • Every tag has a k-bit identifier

    • This takes $O(k \times \text{number of tags})$

    [Figure: binary tree of prefixes, from prefix=0 and prefix=1 through prefix=00, 01, 10, 11 down to the leaves 000 to 111]



    Tree-Walking

    • “Tree-walking” protocol for identifying tags recursively asks the question:

      • “What is your next bit?”

      • Something along the lines of: “Will all tags with 1 as their first digit raise their hand”. “Will all tags with 1 as their first digit, and 0 as their second....”

    • Blocker tag always says both ‘0’ and ‘1’!

      • Makes it seem like all possible tags are present by making an RFID tag misbehave, and answers yes to every question.



    Blocker Tag

    • A form of jamming: broadcast both “0” and “1” in response to any request from an RFID reader

      • Guarantees collision no matter what tags are present

      • To talk to a tag, reader must traverse every tree path

        • With 128-bit IDs, reader must try $2^{128}$ values – infeasible!

    • To prevent illegitimate blocking, make blocker tag selective (block only certain ID ranges)

    • Blocker tag can be selective:


    Blocker Tag

    • privacy zone

      • tree is divided into two zones

      • privacy zone: all IDs starting with 1

      • upon purchase of a product, its tag is transferred into the privacy zone by setting the leading bit

    • the blocker tag

      • when the prefix in the reader’s query starts with 1, it simulates a collision

      • when the blocker tag is not present, everything works normally

    • Alternative: polite blocking (notify the reader)
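A small simulation of tree-walking singulation with and without a blocker tag. This is an added example, not part of the original slides. The 8-bit IDs are constructed sample data, and modelling a collision as a set containing both bits is an assumption of the sketch.

```python
K = 8  # toy ID length; the slides discuss 128-bit IDs

# Constructed sample population: two tags still on the shelf (leading bit 0)
# and two purchased items moved into the privacy zone (leading bit 1).
SHELF = ["00101101", "01100010"]


def purchase(tag_id):
    """At checkout the tag is moved into the privacy zone by setting its leading bit."""
    return "1" + tag_id[1:]


BOUGHT = [purchase("00110100"), purchase("01100001")]
ALL = SHELF + BOUGHT


def respond(tags, prefix, blocker_zone=None):
    """Bits heard by the reader after broadcasting `prefix`; two bits mean a collision."""
    bits = {t[len(prefix)] for t in tags if t.startswith(prefix)}
    if blocker_zone is not None and prefix.startswith(blocker_zone):
        bits = {"0", "1"}  # blocker tag answers both: simulated collision
    return bits


def tree_walk(tags, k, blocker_zone=None):
    """Depth-first singulation.

    blocker_zone=None : no blocker tag in the field
    blocker_zone="1"  : selective blocker protecting IDs that start with 1
    blocker_zone=""   : universal blocker (every prefix collides)
    Returns (IDs the reader believes are present, number of queries sent).
    """
    found, queries, stack = [], 0, [""]
    while stack:
        prefix = stack.pop()
        if len(prefix) == k:
            found.append(prefix)
            continue
        queries += 1
        # Push "1" first so the "0" branch is explored first (ascending order).
        for bit in sorted(respond(tags, prefix, blocker_zone), reverse=True):
            stack.append(prefix + bit)
    return found, queries


if __name__ == "__main__":
    for label, zone in [("no blocker", None), ("selective", "1"), ("universal", "")]:
        ids, q = tree_walk(ALL, K, zone)
        print(f"{label:10s} queries={q:3d} ids_reported={len(ids)}")
```

With the selective blocker the two shelf tags are still singulated normally, while the purchased tags are hidden among all 128 possible IDs of the privacy zone; at 128 bits the same walk would never finish.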



    Hash Locks

    • Locked tag transmits only metaID

    • Similar to the proximity approach

    • Unlocked tag can do all operations

    • Locking mechanism:

      • Reader R selects a nonce and computes metaID = hash(key)

      • R writes metaID to tag T

      • T enters locked state

      • R stores the pair (metaID, key).

    • Unlocking

      • Reader R queries tag T for its metaID

      • R looks up (metaID, key)

      • R sends key to T

      • If (hash(key) == metaID), T unlocks itself



    Hash locks

    • Cheap to implement on tags:

      • A hash function and storage for metaID.

    • Security based on hardness of hash.

    • Hash output has nice random properties.

    • Low key look-up overhead.

    • Tags respond predictably; allows tracking.

      • Motivates randomization.

    • Requires reader to know all keys


    Randomized Hash Locks

    Goal: authenticate reader to the RFID tag

    • Reader: stores all IDs: $ID_1, \ldots, ID_n$

    • RFID tag: stores its own $ID_k$

    • Exchange:

      • Reader → tag: “Who are you?”

      • Tag: generate random $R$

      • Tag → reader: $R$, $\mathrm{hash}(R, ID_k)$

      • Reader: compute $\mathrm{hash}(R, ID_i)$ for every known $ID_i$ and compare

      • Reader → tag: “You must be $ID_k$”



    Randomized Hash Locks

    • Tag must store hash implementation and pseudo-random number generator

      • Low-cost RNGs exist; can use physical randomness

    • Secure against tracking because tag response is different each time

    • Reader must perform brute-force ID search

      • Effectively, reader must stage a mini-dictionary attack to unlock the tag

    • Alternative: better searching

      • Tree approach

      • Synchronization approach
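The hash lock and the randomized hash lock side by side, showing the static metaID of the first and the linear search cost of the second. This is an added example, not part of the original slides. SHA-256 as the hash, 16-byte keys and nonces, and the class and function names are assumptions of the sketch.

```python
import hashlib
import hmac
import secrets


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class HashLockTag:
    def __init__(self, tag_id):
        self.tag_id, self.meta_id = tag_id, None

    def lock(self, meta_id):
        self.meta_id = meta_id

    def query(self):
        # Locked: only metaID is disclosed. Unlocked: full functionality (here, the ID).
        return self.meta_id if self.meta_id is not None else self.tag_id

    def unlock(self, key):
        if self.meta_id is not None and hmac.compare_digest(H(key), self.meta_id):
            self.meta_id = None
            return True
        return False


class HashLockReader:
    def __init__(self):
        self.keys = {}  # metaID -> key

    def lock(self, tag):
        key = secrets.token_bytes(16)
        meta_id = H(key)
        self.keys[meta_id] = key
        tag.lock(meta_id)

    def unlock(self, tag):
        key = self.keys.get(tag.query())  # one dictionary look-up
        return key is not None and tag.unlock(key)


class RandomizedTag:
    def __init__(self, tag_id):
        self.tag_id = tag_id

    def query(self):
        r = secrets.token_bytes(16)       # fresh R for every read
        return r, H(r + self.tag_id)


def identify(known_ids, response):
    """Reader side of the randomized lock: try every known ID.

    Returns (matching ID or None, number of hashes computed).
    """
    r, digest = response
    for n, candidate in enumerate(known_ids, start=1):
        if hmac.compare_digest(H(r + candidate), digest):
            return candidate, n
    return None, len(known_ids)


if __name__ == "__main__":
    tag, reader = HashLockTag(b"tag-0042"), HashLockReader()
    reader.lock(tag)
    print("static metaID on every read:", tag.query() == tag.query())
    ids = [b"tag-%04d" % i for i in range(1000)]   # constructed back-end database
    print("randomized lock:", identify(ids, RandomizedTag(ids[999]).query()))
```
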



    Avoiding brute force synch

    • c is a counter, H and G are one-way hash functions

    • reader maintains synchronized state with tags

    • operation of tag:

      • state is $s_i$

      • when queried, the tag responds with the current pseudonym $p_i = G(s_i)$ and computes its new state $s_{i+1} = H(s_i)$

    • operation of the reader:

      • reader must approximately know the current counter value of each tag

      • for each tag, it maintains a table with the most likely current counters and corresponding pseudonyms

      • when a tag responds with a pseudonym p, it finds p in any of its tables, identifies the tag, and updates the table corresponding to the tag

      • one-wayness of the hash ensures that current counter value cannot be computed from observed pseudonym
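The synchronization approach as a tag and a reader that keeps a look-ahead window of pseudonyms per tag. This is an added example, not part of the original slides. Building G and H from SHA-256 with different prefixes, the window size, and the seed values are assumptions of the sketch.

```python
import hashlib


def G(s):
    """Pseudonym output function."""
    return hashlib.sha256(b"G" + s).digest()


def H(s):
    """State update function."""
    return hashlib.sha256(b"H" + s).digest()


class Tag:
    def __init__(self, seed):
        self.state = seed

    def query(self):
        p = G(self.state)            # p_i = G(s_i)
        self.state = H(self.state)   # s_{i+1} = H(s_i)
        return p


class Reader:
    def __init__(self, window=8):
        self.window = window
        self.states = {}   # tag name -> state the reader believes the tag is in
        self.table = {}    # pseudonym -> (tag name, tag state after emitting it)

    def enroll(self, name, seed):
        self.states[name] = seed
        self._refresh(name)

    def _refresh(self, name):
        """Rebuild this tag's table: the next `window` pseudonyms it may emit."""
        self.table = {p: v for p, v in self.table.items() if v[0] != name}
        s = self.states[name]
        for _ in range(self.window):
            p, s = G(s), H(s)
            self.table[p] = (name, s)

    def identify(self, pseudonym):
        hit = self.table.get(pseudonym)   # table look-up instead of brute force
        if hit is None:
            return None
        name, next_state = hit
        self.states[name] = next_state    # resynchronize with the tag
        self._refresh(name)
        return name


if __name__ == "__main__":
    reader = Reader(window=4)
    tag = Tag(b"seed-A")                  # constructed sample seed
    reader.enroll("A", b"seed-A")
    tag.query()                           # a read the reader never saw
    print(reader.identify(tag.query()))   # still inside the window: "A"
    for _ in range(4):
        tag.query()                       # tag queried more often than the window allows
    print(reader.identify(tag.query()))   # None: reader and tag are out of sync
```

The second result shows the cost of the approach: once a tag has been queried more times than the reader's window covers, the reader can no longer identify it without a wider search.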



    Avoiding brute force (tree of secrets)

    • Tag == leaf of the tree.

    • Each tag receives the keys on path from leaf to the root.

    • Tag $ij$ generates pseudonyms as $(\mathrm{Key}_1(r), \mathrm{Key}_2(r), \ldots, F_{k_{ij}}(r))$.

    • Reader can decode pseudonym using a depth-first search.

    • In the worst case, the reader searches through $d \cdot b$ keys, where $d$ is the depth of the tree, and $b$ is the branching factor

      • compare this to $b^d$, which is the total number of tags
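A sketch of the tree-of-secrets search that counts how many keys the reader tries. This is an added example, not part of the original slides. It assumes the pseudonym has the form (r, F_k1(r), ..., F_kd(r)) with one key per tree level, uses HMAC-SHA256 as F, and derives node keys from a master secret purely to keep the example short.

```python
import hashlib
import hmac
import secrets


def F(key, r):
    """Keyed pseudo-random function applied to the tag's nonce r."""
    return hmac.new(key, r, hashlib.sha256).digest()


def node_key(master, path):
    """Key of the tree node reached by `path` (a tuple of child indices < 256)."""
    return hmac.new(master, b"node" + bytes(path), hashlib.sha256).digest()


def tag_keys(master, leaf_path):
    """A tag at leaf `leaf_path` receives the keys on its path, top level first."""
    return [node_key(master, leaf_path[:i + 1]) for i in range(len(leaf_path))]


def tag_response(keys):
    """Fresh nonce plus one PRF value per level of the tree."""
    r = secrets.token_bytes(16)
    return r, [F(k, r) for k in keys]


def reader_identify(master, b, response):
    """Walk down the tree, testing at most b child keys per level.

    Returns (leaf path or None, number of keys tried).
    """
    r, values = response
    path, tried = (), 0
    for value in values:
        for child in range(b):
            tried += 1
            if hmac.compare_digest(F(node_key(master, path + (child,)), r), value):
                path += (child,)
                break
        else:
            return None, tried   # no child key matches: unknown tag
    return path, tried


if __name__ == "__main__":
    master = b"constructed master secret"   # sample value for this example
    b, d = 4, 3                             # 4^3 = 64 tags in total
    worst = tag_response(tag_keys(master, (3, 3, 3)))
    print(reader_identify(master, b, worst))  # ((3, 3, 3), 12): d*b keys, not b^d
```
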



    Authentication Workarounds

    • No explicit counterfeiting measures whatsoever

    • Possible solutions:

      • Repurpose the kill function for limited counterfeit

      • Yoking

        • cryptographic proof that two tags have been scanned simultaneously and evidence (although not proof) that the tags were scanned in physical proximity to one another.

        • Usable only in certain circumstances (pharmacy, aircraft safety)

      • Physical markers

        • Similar to explosive markers

        • Special dyes and packaging



    HB Protocol

    • Created by Nicholas Hopper and Manuel Blum as a tool for secure authentication and identification of unassisted humans to computers.

    • Juels and Weis realized that this protocol was actually a natural protocol for the authentication of RFID tags to readers.

    • The security of the HB Protocol is based on the underlying hardness of the Learning Parity with Noise (LPN) problem.



    HB Protocol

    Definitions

    • The secret x is a k length binary string (tag ID).

      • The tag needs to prove to the reader that it knows one of the S's on the reader's list of acceptable secrets.

      • The tag only has one secret, but the reader generally has many.

    • A query q is also a k length binary string.

      • Produced by the reader.

      • One query is produced for each iteration of the protocol

    • Epsilon is a probability, ranging from 0 to ½, that the response calculated by the tag will be flipped

      • if the correct response was 1, the tag will send back 0, and vice versa.

    • Nu equals 1 with probability epsilon.

    • Delta is an error factor,

      • ranges from 0 to ½

      • defines how close the tag's actual flipping of responses must be to epsilon in order to be accepted.


    Crypto RFID: authentication (HB Protocol)

    Goal: authenticate RFID tag to the reader

    • Reader: knows secret $x$; parameter $\eta$ (the flip probability that the definitions call epsilon)

    • RFID tag: knows secret $x$; parameter $\eta$

    • Repeat $r$ times:

      • Reader → tag: k-bit random value $a$

      • Tag: generate random $v$: 1 with prob. $\eta$, else 0

      • Tag → reader: $(a \cdot x) \oplus v$

      • Reader: response correct if it is equal to $(a \cdot x)$; $\eta$ chance that response is incorrect

    • RFID tag is authenticated if fewer than $\eta r$ responses are incorrect


    Crypto RFID: authentication (HB+ Protocol)

    Goal: authenticate RFID tag to the reader

    • Reader: knows secrets $x, y$; parameter $\eta$

    • RFID tag: knows secrets $x, y$; parameter $\eta$

    • Repeat $r$ times:

      • Tag → reader: blinding value $b$

      • Reader → tag: k-bit random value $a$

      • Tag: generate random $v$: 1 with prob. $\eta$, else 0

      • Tag → reader: $(a \cdot x) \oplus (b \cdot y) \oplus v$

      • Reader: response correct if it is equal to $(a \cdot x) \oplus (b \cdot y)$

    • RFID tag is authenticated if fewer than $\eta r$ responses are incorrect
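Both HB and HB+ as a round-by-round simulation with an honest tag and a tag holding the wrong secret. This is an added example, not part of the original slides. The acceptance rule used here, at most (η + δ)·r wrong responses, is an assumption that combines the threshold above with the delta tolerance from the definitions; the parameter values are constructed.

```python
import random

rng = random.SystemRandom()


def dot(u, s):
    """Inner product mod 2 of two k-bit vectors held as integers."""
    return bin(u & s).count("1") & 1


def noise(eta):
    """The bit v: 1 with probability eta, else 0."""
    return 1 if rng.random() < eta else 0


class HBTag:
    def __init__(self, x, eta):
        self.x, self.eta = x, eta

    def respond(self, a):
        return dot(a, self.x) ^ noise(self.eta)


class HBPlusTag:
    def __init__(self, x, y, k, eta):
        self.x, self.y, self.k, self.eta = x, y, k, eta
        self.b = 0

    def blind(self):
        """First message of each HB+ round: a fresh blinding value from the tag."""
        self.b = rng.getrandbits(self.k)
        return self.b

    def respond(self, a):
        return dot(a, self.x) ^ dot(self.b, self.y) ^ noise(self.eta)


def hb_verify(tag, x, k, eta, delta, rounds):
    """Reader side of HB. Returns (accepted, number of wrong responses)."""
    wrong = 0
    for _ in range(rounds):
        a = rng.getrandbits(k)
        wrong += tag.respond(a) != dot(a, x)
    return wrong <= (eta + delta) * rounds, wrong


def hb_plus_verify(tag, x, y, k, eta, delta, rounds):
    """Reader side of HB+. Returns (accepted, number of wrong responses)."""
    wrong = 0
    for _ in range(rounds):
        b = tag.blind()
        a = rng.getrandbits(k)
        wrong += tag.respond(a) != (dot(a, x) ^ dot(b, y))
    return wrong <= (eta + delta) * rounds, wrong


if __name__ == "__main__":
    K, ETA, DELTA, R = 64, 0.125, 0.125, 400      # constructed parameters
    x, y = rng.getrandbits(K), rng.getrandbits(K)
    print("HB  honest tag  :", hb_verify(HBTag(x, ETA), x, K, ETA, DELTA, R))
    print("HB  wrong secret:", hb_verify(HBTag(x ^ 1, ETA), x, K, ETA, DELTA, R))
    print("HB+ honest tag  :", hb_plus_verify(HBPlusTag(x, y, K, ETA), x, y, K, ETA, DELTA, R))
```

An honest tag is wrong in roughly η·r rounds, while a tag with a different secret is wrong in about half of them, which is what lets the reader separate the two despite the deliberate noise.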


    Wrapping it up

    • Some basic trends are apparent:

      • Pressure to build smaller, cheaper tags without cryptography

        • reverse-engineering a cheap RFID tag unlikely to be hard…

      • Urgent need for cheaper hardware for primitives

      • “Security through obscurity” doesn’t work

    • Simple static identifiers are the most naïve

      • How about encrypting ID?

      • How about creating new static identifiers, i.e., “meta-ID”

      • How about a law-enforcement access key?

        • Tag-specific keys require initial release of identity

        • Universal keys subject to interception

    • Special properties:

      • RFID tags are close and personal giving privacy a special dimension

      • RFID tags change ownership frequently

      • Key management will be a major problem

        • Think for a moment after this talk about distribution of kill passwords…

        • Are there good hardware approaches to key distribution, e.g., proximity as measure of trust

    • Some privacy is clearly better than for naive approaches


    Future Work

    Find New and Improve Existing Algorithms

    Authentication algorithms with human protocols

    Tag identification with delegation, ownership transfer

    Efficient cloning-resistant identification algorithms

    New and emerging problems

