1 / 33

Privacy Protection

Privacy Protection. privacy notions and metrics; privacy in RFID systems; location privacy in vehicular networks;. Chapter outline. 1 Important privacy related notions and metrics 2 Privacy in RFID systems 3 Location privacy in vehicular networks. Privacy related notions.

hyman
Download Presentation

Privacy Protection

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in vehicular networks;

  2. Chapter outline 1 Important privacy related notions and metrics 2 Privacy in RFID systems 3 Location privacy in vehicular networks

  3. Privacy related notions • Anonymity: hiding the identity of the entity who performs a given action • Untraceability: making it difficult for an adversary to identify that a given set of actions were performed by the same subject • Unlinkability: hiding information about the relationships between any items (e.g. subjects, messages, actions, etc.): • E.g. is a determined set of message senders and message receivers, the adversary may be still unable to relate senders to receivers • Unobservability: hiding the items themselves (e.g., hide the fact that a message was sent at all) • Pseudonymity: making use of a pseudonym instead of the real identity

  4. Privacy metrics (1/2) • Anonymity set: aset of subjects that might have performed the observed action • Is a good measure only if all the members of the set are equally likely to have performed the observed action • Entropy-based measure of anonymity:

  5. Privacy metrics (2/2) • Entropy-based measure for unlinkability:

  6. Outline 1 Important privacy related notions and metrics 2 Privacy in RFID systems 3 Location privacy in vehicular networks

  7. What is RFID? RFID reader RFID tag reading signal tagged object back-end database ID ID detailed object information • RFID = Radio-Frequency Identification • RFID system elements • RFID tag + RFID reader + back-end database • RFID tag = microchip + RF antenna • microchip stores data (few hundred bits) • tags can be active • have their own battery  expensive • or passive • powered up by the reader’s signal • reflect the RF signal of the reader modulated with stored data

  8. suitcase: Samsonite watch: Casio jeans: Lee Cooper book: Applied Cryptography shoes: Nike RFID privacy problems • RFID tags respond to reader’s query automatically, without authenticating the reader  clandestine scanning of tags is a plausible threat • two particular problems: 1. inventorying: a reader can silently determine what objects a person is carrying • books • medicaments • banknotes • underwear • … • tracking: set of readers can determine where a given person is located • tags emit fixed unique identifiers • even if tags do not emit unique identifiers, it is possible to track a person by tracking a constellation of a set of particular tags: in a given period of time, there may be a single person in a city wearing a specific type of shoes and wrist watch and carrying a specific book in a specific suitcase

  9. RFID read ranges • nominal read range • max distance at which a normally operating reader can reliably scan tags • e.g., ISO 14443 specifies 10 cm for contactless smart cards • rogue scanning range • rogue reader can emit stronger signal and read tags from a larger distance than the nominal range • e.g., ISO 14443 cards can possibly be read from 50-100 cm • tag-to-reader eavesdropping range • read-range limitations result from the requirement that the reader powers the tag • however, one reader can power the tag, while another one can monitor its emission (eavesdrop) • e.g., RFID enabled passports can be eavesdropped from a few meters • reader-to-tag eavesdropping range • readers transmit at much higher power than tags • readers can be eavesdropped form much further (kilometers?) • readers may reveal tag specific information

  10. Classification of privacy protection approaches • standard tags • “kill” command • “sleep” command • renaming • blocking • legislation • crypto enabled tags • synchronization approach • hash chain based approach • tree-approach

  11. Dead tags tell no tales • idea: permanently disable tags with a special “kill” command • advantages: • simple • effective • disadvantages: • eliminates all post-purchase benefits of RFID for the consumer and for society • no return of items without receipt • no smart house-hold appliances • … • cannot be applied in some applications • library • e-passports • banknotes • ... • similar approaches: • put RFID tags into price tags or packaging which are removed and discarded

  12. “Sleep” command • idea: • instead of killing the tag put it in sleep mode • tag can be re-activated if needed • advantages: • simple • effective • disadvantages: • difficult to manage in practice • tag re-activation must be password protected • how the consumers will manage hundreds of passwords for their tags? • passwords can be printed on tags, but then they need to be scanned optically or typed in by the consumer

  13. Renaming • idea: • get rid of fixed names (identifiers) • use random pseudonyms and change them frequently • requirements: • only authorized readers should be able to determine the real identifier behind a pseudonym • authorized readers would be able to refresh the list of pseudonyms in a tag • The tag rotates the pseudonym list and uses a new tag each time being read • a possible implementation • pseudonym = {R|ID}K • R is a random number • K is a key shared by all authorized readers • authorized readers can decrypt pseudonyms and determine real ID • for unauthorized readers, pseudonyms look like random bit strings

  14. Renaming • potential problems • if someone can eavesdrop during the renaming operation, then she may be able to link the new pseudonym to the old one • An adversary can rapidly query the tag several times until all pseudonyms are emitted --> tag tracked until the next refresh operation • Solution: limited bandwidth at the tags (by hardware means) • no reader authentication  rogue reader can overwrite pseudonyms in tags (tags will be erroneously identified by authorized readers)

  15. 001 100 101 Blocking • Uses a mechanism which is designed for determining present tags: • binary tree walking • a mechanism to determine which tags are present (singulation procedure) • IDs are leaves of a binary tree • reader performs a depth first search in the tree as follows • reader asks for the next bit of the ID starting with a given prefix • if every tag’s ID starts with that prefix, then no collision will occur, and the reader can extend the prefix with the response • if there’s a collision, then the reader recurses on both possible extensions of the prefix • Example: 3 tags are present with IDs 001, 100 and 101 reader: prefix “-” ? tags: collision reader: prefix “0” ? tags: 0 reader: prefix “00” ? tags: 1 reader: prefix “1” ? tags: 0 reader: prefix “10” ? tags: collision - 0 1 00 01 10 11 000 010 100 110 001 011 101 111 Note: real tag sizes are much larger (e.g., 96 bits for EPC)

  16. Blocking • blocker tag: simulates a collision upon each request of the reader to force it to go through the whole tree and to stall as the tree is usually very big • Privacy protection solution using binary tree walking mechanism: • The user can carry the blocker with her to prevent scanning and tracking of her tags and can deactivate the blocker when its tags need to be read, e.g. returning an item to a shop • Problem: blocks reading all tags nearby even by legitimate readers

  17. Blocking - privacy zone 0 1 00 01 10 11 000 010 100 110 001 011 101 111 transfer to the privacy zone upon purchase • Solution: • tree is divided into two zones • privacy zone: all IDs starting with 1 • Tags can be sent between two zones by appropriately setting the leading bit of their IDs • upon purchase of a product, its tag is transferred into the privacy zone by setting the leading bit • the blocker tag simulates a collision when the prefix in the reader’s query starts with 1 • when the blocker tag is present, all IDs in the privacy zone will appear to be present for the reader • when the blocker tag is not present, everything works normally • Clearly, a reader that transfers tags from one zone to another must be authenticated

  18. Crypto enabled tags • assume that tags can perform some crypto operations  tags can compute their own pseudonyms ! • a solution that doesn’t scale: • next pseudonym = {ID,R}K • R is a random number generated by the tag (ensures that pseudonyms look random and they are different) • ID is the real identifier • K is a key shared by the tag to the readers • the reader tries all possible keys until it finds the right one (Some redundancy in the encrypted message is required to let the reader realize it used the right key) • if there are many tags, then the verification may be too slow

  19. Synchronization approach … c c+1 c+2 c+3 EK EK EK EK p2 p3 p0 p1 • c is a counter, K is a key shared by the tag and the reader • operation of tag: • when queried by the reader, the tag responds with its current pseudonym p = EK(c) and then increments the counter • operation of the reader: • reader must know approximate current counter value • for each tag, it maintains a table with the most likely current counters and corresponding pseudonyms (c+1, p1)…(c+d, pd) • when a tag responds with a pseudonym p, it looks up p in any of its tables, identifies the tag, and updates the table corresponding to the tag

  20. Hash-chain based approach H H H H … s1 s2 s3 s4 G G G G p3 p4 p1 p2 • H and G are one-way functions (e.g., hash functions) • operation of the tag: • current state is si • when queried the tag responds with the current pseudonym pi = G(si) and computes its new state si+1 = H(si) • operation of the reader is similar to the previous approach • one-wayness of H ensures forward secrecy : • even if a disposed tag is broken and its current state is determined, previous states (and pseudonyms) cannot be computed

  21. R E(k1, R’ | R), E(k11, R’ | R), E(k111, R’ | R) The tree-based approach try all these keys until one of them works k1, k11, k111 tag reader k1, k11, k111  tag ID Each leave represents a tag and a key is assigned to each edge A tag sends all of its keys from highest to lowest level in the tree For each level the reader searches through keys only in that level below the already identified key previous-level key After identifying all the keys the tag can be identified by the reader

  22. Optimal key-trees • if tags get compromised, then the level of privacy provided to other tags decreases: • E.g. if the leftmost leave of the tree is compromised: k1, k11, k111 are revealed to the adversary • Later on, by observing the transactions of any non-compromised tag, the adversary can recognize the use of some compromised keys • P0: contains the compromised tag; P1: contains tags whose parent is the same as the compromised tag and not in P0; P2: contains tags whose grandparent is the same as the compromised tag and not in P0 or P1; etc. • tags in different partitions can be distinguished • tags in a given partition (Pi) are indistinguishable

  23. Consider a l level tree with b branches at each level • To measure privacy, one can calculate the expected anonymity set size of a randomly selected tag (or the average size of the anonymity set of non-compromised tags) • where N is the total number of tags, Pi is partition i • this can be normalized to N to obtain a metric value between 0 and 1:

  24. Normalized Average Anonymity Set Size (NAASS) (3/3) computing NAASS for regular trees (same branching factor at each level) when a single tag is compromised:

  25. Outline 1 Important privacy related notions and metrics 2 Privacy in RFID systems 3 Location privacy in vehicular networks

  26. The location privacy problem and a solution vehicles continuously broadcast heart beat messages, containing their ID, position, speed, etc. tracking the physical location of vehicles is easy just by eavesdropping on the wireless channel one possible solution is to change the vehicle identifier, or in other words, to use pseudonyms

  27. Adversary model predicted position at the time of the next heart beat A, GPS position, speed, direction B, GPS position, speed, direction changing pseudonyms is ineffective against a global eavesdropper hence, the adversary is assumed to be able to monitor the communications only at a limited number of places and in a limited range

  28. The mix zone concept • A mix network is a store-and-forward networks containing mix nodes • A mix node collects n messages and forwards them all at the same time, and then does the same to the next n messages so on. • So an observer can not easily determine which outgoing message belongs to which incoming message. • In our case, the adversary can not easily say which vehicle in the unmonitored area belongs to which one entering it • unmonitored area functions as a mix zone • we assume that the vehicles change pseudonyms frequently so that each vehicle changes pseudonym while in the mix zone • note that the vehicles do not know where the mix zone is

  29. Example of mix zone • Example: the mix zone has 3 gates; gate 2 is far away from gates 1 and 3 • the adversary observes vehicles 1 and 2 entered gates 1 and 2 and after a short time a vehicle exited the mix zone at gate 3 • If the distance between gates 2 and 3 is so large that it is impossible to go from 2 to 3 in such a short time, then the adversary can link the vehicle entered at gate 1 to the one exited at gate 3 (no privacy is provided by the mix zone in this case)

  30. Model of the mix zone dij(t) t time is divided into discrete steps pij = Pr{ exiting at j | entering at i } Dij is a random variable (delay) that represents the time that elapses between entering at i and exiting at j dij(t) = Pr{ Dij = t } Pr{ exiting at j at t | entering at i at t } = pij dij(t-t)

  31. Observations N1 N2 Nk t2 t1 = 0 tk n1 n2 nk t x1 x2 xk t1 tk X1 X2 Xk • the adversary can observe the points (ni, xi) and the times (ti, ti) of enter and exit events (Ni, Xi) • by assumption, the nodes change pseudonyms inside the mix zone  there’s no easy way to determine which exit event corresponds to which enter event • each possible mapping between exit and enter events is represented by a permutation p of {1, 2, …, k}: mp = (N1 ~ Xp[1], N2 ~ Xp[2], …, Nk ~ Xp[k]) where p[i] is the i-th element of the permutation • we want to determine Pr{ mp | (N, X) }

  32. Computing the level of privacy where mπ is the mapping described by the permutation π where pij is a cell of the matrix P of size nxn, where n is the number of gates of the mix zone and dij(t) describes the probability distribution of the delay when crossing the mix zone from gate i to gate j , (i.e. dij(t) is the probability of having delay t for an object who enters at gate i And exits from gate j).

  33. Summary • Privacy problems and solutions in RFID: • Privacy problems: clandestine reading and eavesdropping • Low-cost RFID tags: • resource constrained • any privacy protecting solution must be carefully designed and optimized • Location privacy in vehicular networks: • Adversary model: monitored zones and unmonitored zones • The level of location privacy can be quantified using an entropy based metric

More Related