privacy in library rfid attacks and proposals
Download
Skip this Video
Download Presentation
Privacy in Library RFID Attacks and Proposals

Loading in 2 Seconds...

play fullscreen
1 / 25

Privacy in Library RFID Attacks and Proposals - PowerPoint PPT Presentation


  • 91 Views
  • Uploaded on

Privacy in Library RFID Attacks and Proposals. David Molnar David Wagner {dmolnar, daw}@eecs.berkeley.edu. Privacy in Libraries. Must protect what patrons are reading Library only source of info for many FBI Library Awareness Program

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Privacy in Library RFID Attacks and Proposals' - jessamine-french


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
privacy in library rfid attacks and proposals

Privacy in Library RFIDAttacks and Proposals

David Molnar

David Wagner

{dmolnar, daw}@eecs.berkeley.edu

privacy in libraries
Privacy in Libraries
  • Must protect what patrons are reading
  • Library only source of info for many
  • FBI Library Awareness Program
    • 1973-1988, official policy to monitor “suspicious” persons’ reading habits
    • Library privacy laws passed as backlash
    • Even with PATRIOT act, need court order
  • Privacy adversaries not limited to FBI
    • Marketers, Scientologists, pick your favorite…
rfid library overview
RFID & Library Overview
  • RFID = Radio Frequency IDentification
  • One RFID tag per book
  • Each RFID tag has ``bar code” ID number
    • Unique to each book, may identify library
  • Exit gates read RFID for anti-theft
  • 13.56MHz passive RFID
    • ISO 15693, Checkpoint, TAGSYS C220
    • Read range depends on antenna size
  • Deployed in Oakland, Santa Clara, 130+
why rfid
Why RFID?
  • Speedy self-checkout
    • reduce library employee RSI (carpal tunnel)
  • Security devices
    • ensure checkout occured
  • Inventory Tracking
slide6

Pictures courtesy

Santa Clara City Library

privacy and ubiquitous readers
Privacy and Ubiquitous Readers
  • Read range not whole privacy story
  • Even full in-view readers can be problem
    • Scan at airport security, events, etc.
    • Like metal detectors now
    • Not clear what read or how used
  • Readers easy to camouflage
    • RFID reader looks like store anti-theft gate
library rfid architecture
Library RFID Architecture

Library database

Bar code

  • No authentication between reader and tag
  • Database maps bar code  (title, status)
attack book scanning
Attack: Book Scanning
  • Can Mallory scan me and tell what I am reading?
    • No reader – tag authentication
    • Anyone can read tag data
  • Most deployments data limited to bar code
    • Some vendors suggest more
  • Need library database
  • In CA, database protected by law
    • Varies by state
attack hotlisting and profiling
Attack: Hotlisting and Profiling
  • Hotlisting  is book on special list?
    • It’s real – FBI and almanacs
  • Profiling – bar code prefix identifies library
    • Is library in predominantly minority area?
  • Bar code never changes so hotlisting easy
    • Walk into library, read bar code
    • See the book again, recognize book
    • Does not need library database
attack book tracking
Attack: Book Tracking
  • Bar code never changes
  • Can link different sightings
  • Track book movement
    • Spatial movement
    • Combine w/video for person-to-person
      • “This person checked out same book as terrorist”
  • Does not need library database
security bit denial of service
“Security Bit” Denial of Service
  • RFID used for anti-theft
  • Some vendors store “security bit” on tag
    • Security bit = checked out/not checked out
    • Bit re-written each checkout
  • ISO 15693 tags have “write, then lock”
    • No way to unlock data, no password on lock
  • Adversary can lock security bit data page
  • Can’t change security bit  tag useless
collision avoidance and privacy
Collision Avoidance and Privacy
  • Collision avoidance protocols identify tag
  • Example: ISO 15693 mandates MFR ID
  • Read passwords,changing ID,etc. don’t help
  • Privacy requires attention to all layers

Mask

Does mask match MFR ID?

Respond if yes

rfid limitations
RFID Limitations
  • RFID powered only when near reader
    • No precomputation, no caching
  • RFID have few gates (< 5,000 for security)
  • Randomness difficult on RFID
  • “Cryptography” extremely hard on RFID
    • Best we can do is a few XOR
  • Future generation tags focus on price, not on security features
problem private authentication
Problem: Private Authentication
  • Reader does not know tag ID
  • Authentication must preserve privacy
  • Privacy and authentication in tension
random transaction ids
Random Transaction IDs
  • Required: rewritable tags
  • Attacker model: outside the library
  • On checkout
    • Obtain random # r
    • Write (r, D) to DB
    • Erase D & Write r to tag
  • On checkin
    • Use r to lookup D
    • Write D to tag
attacks against random ids
Attacks Against Random IDs
  • Tracking
    • Possible
    • Only for checkout duration
  • Hot-listing
    • Not Possible
  • Comparison-based
    • Not possible
password enhancement
Password Enhancement
  • Eavesdropping
    • Not the same in the two channels
    • Tag to Reader is Harder

Hello

r

cmd, p=r s

good and bad of passwords
Good and Bad of Passwords
  • Good
    • low computation cost
    • s remains secure (info-theoretically!)
    • r is independent of book info
      • cannot be tracked
  • Bad
    • Requires randomness on tag
private authentication
Private Authentication
  • Every tag has a secret
    • DB has all (secret, ID) pairs
  • Basic ID
    • Reader sends a nonce
    • Tag sends new nonce
    • Tag sends ID  f(s, 0, nonce 1, nonce 2)
    • Reader checks the whole DB
  • Problems?
tree based
Tree-based
  • Set it all up as a binary balanced tree
  • log(n) rounds
    • Check if the secret is on the left or right
    • Get down to a single leaf
  • Advanced version
    • 1 million tags
    • 168 bits of communication
summary
Summary
  • Library RFID is here now
  • All today’s technology has privacy flaws
  • Privacy is achievable efficiently
  • Work still ongoing
acknowledgements
Acknowledgements
  • Many, many people to thank!

In no particular order:

Peter Warfield, Karen Duffy (Santa Clara City Library), Karen Saunders (Santa Clara City Library), Susan Hildreth (San Francisco Public Library), Al Skinner (Checkpoint), Paul Simon (Checkpoint),Doug Karp(Checkpoint), Rebekah E. Anderson (3M), Jackie Griffin(Berkeley Public Library), Elena Engel (BPL), Alicia Abramson(BPL)Lee Tien (Electronic Frontier Foundation), Dan Moniz (EFF), Laura Quliter (Boalt Hall School of Law, UC-Berkeley), Jennifer Urban(Boalt), Nathaniel Good (SIMS), Samuelson Technology and PolicyLaw Clinic at Boalt Hall School of Law, Elizabeth Miles (Boalt),John Han (SIMS), Ross Stapleton-Gray, Eric Ipsen, Oleg Boyarsky(Library Automation/FlashScan), Laura Smart (Library RFIDWeblog/Cal State Pomona), Craig K. Harmon (ISO 18000 committee),Justin Chen (SVCWireless RFID SIG), Steve Halliday(ISO 18000 committee), Zulfikar Ramzan (NTT DoCoMo), Craig Gentry (NTTDoCoMo), Hoeteck Wee, Matt Piotrowski, Jayanth Kumar Kannan, Kris Hildrum, David Schultz, and Rupert Scammell(RSA Security).

ad