slide1 n.
Skip this Video
Loading SlideShow in 5 Seconds..
Privacy in pervasive computing What can technologists do? PowerPoint Presentation
Download Presentation
Privacy in pervasive computing What can technologists do?

Loading in 2 Seconds...

play fullscreen
1 / 20

Privacy in pervasive computing What can technologists do? - PowerPoint PPT Presentation

Download Presentation
Privacy in pervasive computing What can technologists do?
An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Privacy in pervasive computingWhat can technologists do? David Wagner U.C. Berkeley In collaboration withDavid Molnar, Andrea Soppera, Ari Juels

  2. The tide is turning... Pervasive computing is coming... It’s time to get serious about privacy.

  3. Outline • RFID and identification systems • Protocols for private identification • The challenge of scalability; trees of secrets

  4. Identification systems • Example applications: • Electronic passports • ID cards and badges • Proximity cards, building access control • Automatic payment systems (Fastrak, EZPass) • Item tagging & tracking, inventory management • Key technologies: • RFID • Contactless smart card Challenge: privacy (and security) for ID systems

  5. Introduction to RFID RFID tags are passive, powered by reader, carry identity Privacy issues: Unwanted tracking of people and items Power Identity Reader Tag

  6. RFID systems are resource-limited • Tags might lack writable non-volatile memory • Takes more energy to permanently write bits • Thus, state might only last as long as tag is powered • Cryptography is expensive • Public-key out of reach for all but priciest tags • AES within reach for mid-class tags? [Feldhofer] • Can’t take random number generation for granted • Readers might not be network-connected

  7. RFID technologies vary widely ISO 14443 E-passports, ID cardsUS$5 3DES,RSA Computation  ISO 15693Library booksUS$0.50 sym.-keycrypto EPCWalMartUS$0.20 no crypto 10cm 1m 3m Intended read range 

  8. Read range? normalreader(10cm / 3m) maliciousreader(50cm / 15m) eavesdropon tag(???) eavesdropon reader(50m / ???)

  9. Simple trick:Defeating eavesdropping on forward link “go ahead” r m  r wants tosend m picksrandom r Appears in EPC Gen II standards.

  10. A first attempt at defeatingeavesdropping and unauthorized tag-reading Ek(r, ID) “pseudonym” k k • Problem: All tags and readers share the same key k • If any tag is compromised, all security is lost • If any reader is compromised, all security is lost • Risk: Massive data spills.

  11. Take #2: Independently keyed tags (k1, ID1) :(kN, IDN) r, Fki(r) “pseudonym” Scans throughall keys to decode ki • Problem: Doesn’t scale. • Takes O(N) work to decode each pseudonym

  12. Private identification protocols • Goal: a tag <-> reader protocol, providing: • Identification: Authorized reader learns tag’s identity • Privacy: Unauthorized readers learn nothing • Attacker cannot even link two sightings of same tag • Authentication: Tag identity cannot be spoofed • Scalability: Can be used with many tags A non-trivial technical challenge,with many possible applications.

  13. A beautiful method for private identification :(ki, i) :(i, kij, IDij) : r, Fki(r), Fkij(r) pseudonym ki, kij Decodes i, then j • More scalable: O(√N) work to decode each pseudonym • First, scan all ki to learn i • Then, scan all kij to learn j and thus tag identity

  14. k0 k00 k01 The tree of secrets k0 k1 k00 k01 k10 k11 Tag  leaf of the tree. Each tag receives the keys on path from leaf to the root. Tag ij generates pseudonyms as (r, Fki(r), Fkij(r)). Reader can decode pseudonym using a depth-first search.

  15. Analysis: tree of secrets • Generalizations: • Use any depth tree (e.g., lg N) • Use any branching factor (e.g., 210) • Use any other identification scheme (e.g., mutual auth) • TheoryA concrete example • Number of tags: N 220 tags • Tag storage: O(lg N) 128 bits • Tag work: O(lg N) 2 PRF invocations • Communications: O(lg N) 138 bits • Reader work: O(lg N) 2  210 PRF invocations • Privacy degrades gracefully if tags are compromised

  16. Reducing trust in readers r, Fki(r), Fkij(r) r, Fki(r), Fkij(r) TrustedCenter ki, kij IDij Reader  (kij, Policyij)  If readers are online, Trusted Center can do decoding for them, and enforce a privacy policy for each tag.No keys stored at reader => less chance of privacy spills.

  17. Reducing trust: Delegation IDij TrustedCenter kij  (kij, Policyij)  r, Fki(r), Fkij(r) kij ki, kij For offline or partially disconnected readers, can delegate power to decode pseudonyms for a single tag to designated readers. Reader workload: O(D) per pseudonym,where D = # of tags delegated to this reader.

  18. Time-limited delegation IDij, L, R TrustedCenter {keys} pseudonym Only good for decodingL-th through R-thpseudonyms from tag IDij ctr, ki, kij Even less trust: Reader gets access to the next 100 pseudonyms from this tag (say), and nothing more.

  19. Enabling time-limited delegation k0 k0 k1 k00 k00 k01 k01 k10 k11 k000 k001 Use GGM at lower levels: (ks0, ks1) = G(ks) Tag uses leaves sequentially Reader gets keys for a subset k0000 k0001 k0010 k0011

  20. Conclusions • Identification systems: an exciting research area • Privacy is central • Many non-trivial technical challenges, many opportunities for clever solutions • There’s still time to have an impact on deployments • Research question: Private identification protocols • Tree schemes have useful properties • Can we do better? Can do without persistent state? • Recent work: Controlling readers with Trusted Computing (to appear at WPES’05)