1 / 37

RFID and Security

RFID and Security. Sanjay Sarma MIT and CTO of OATSystems. Everything is different with RFID. Power is limited Cost is an issue Bandwidth is limited Memory is a premium Data is fast but… fallible Tag connectivity is sporadic The range of applications is large

purity
Download Presentation

RFID and Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. RFID and Security Sanjay Sarma MIT and CTO of OATSystems

  2. Everything is different with RFID • Power is limited • Cost is an issue • Bandwidth is limited • Memory is a premium • Data is fast but… fallible • Tag connectivity is sporadic • The range of applications is large • The range of related technologies is huge 2

  3. History (See “Shrouds of Time The history of RFID,”Landt 2001) • 1948: Backscatter • Stockman, H. "Communication by Means of Reflected Power", Proceedings of the IRE, pp1196-1204, October 1948. • 1974: Automotive license plates • Sterzer, F., "An electronic license plate for motor vehicles", RCA Review, 1974, 35, (2) pp 167-175 • 1998: DISC, Auto-ID Center founded at MIT • 2001: First standards presented • 2002: Gillette orders 500,000,000 tags from Alien • 2003: Wal-Mart, DoD Mandates • EPCglobal launched, Center retired • HP sits on the board • 2004: More mandates • 2005: First bulk tagging • Emergence of Gen 2 • Multi-site deployments • Beginnings of value • 2006: Next Generation research 3

  4. History of the EPC • 1998-1999: DISC, Auto-ID Center founded at MIT • 2001: First standards presented • 2002: Gillette orders 500,000,000 tags from Alien • 2003: Wal-Mart, DoD Mandates • EPCglobal launched, Center retired • 2004: More mandates • 2005: First bulk tagging • Emergence of Gen 2 • Multi-site deployments • Beginnings of value 4

  5. handling cost die size/cost, cents Low cost RFID Silicon: 4c/mm2 20 15 10 5 time 5

  6. Company #1 ERP+RFIDSoftware Readers tags tags tags The stack ONS ONS + Blob Company #2 Company Software EPC-IS Savant Readerinterface Readers Reader Protocol Gen 1 air-interface Gen 2 air-interface tags tags tags 6

  7. RFID Systems • ID • Electronic product code: header:manufacturer:product:serial • Read-write extra memory/sensory data • Anti-collision • One reader can read many tags • Reader coordination • Make sure readers don’t interfere with each other • Middleware • Collect all the data and make sense of it 7

  8. How EPC Gen2 works Entire population • RF level • Multiple speeds • Dense-mode • Many dials for EU, Asia, US operation • Logic level • Generalized selection • Advanced sessions • Advanced payload etc. access Generalized Selection Thinned population Anti-collision (Query) Single tag identified Access of payload Payload from tag 8

  9. Passive No battery; chip runs on scavenged power Communication by backscatter only 10m range Semi-passive Battery to run the chip Communication by backscatter only 50m range Active Battery runs the chip Communication by transmission 100+m range My focus today • Forward bandwidth is low • Low compute cycles for power • Power limited range • Weak backscatter Classes of tags • Forward bandwidth is higher • Faster cycles for power • Strong backscatter • Wake-up circuit • Endless possibilities Do not confuse with near-field tags and smart-cards 9

  10. How RFID is used in the supply chain

  11. TIME LOCATION TAG EPC Inventory 11

  12. Theft!! TIME LOCATION TAG EPC The Trace Diversion! Counterfeit! 12

  13. TIME LOCATION TAG EPC The Flow RECALL!!! 13

  14. TIME LOCATION TAG EPC Supply Chain Problems Errors making plans less effective • RFID enables • Real-time detection of errors • Real-time correction • Run-to-run improvement • i.e., tactical, operational, strategic enhancement. 14

  15. On security of passive and semi passive tags

  16. Privacy: The very act of detection poses a challenge • Readers and tags cannot hide their very presence • Sniffing • The structured ID could be a problem • header:manufacturer:product:serial • Do I want people to know I am taking a Pfizer product? • Repeated unique numbers are a problem • Track based on repeated ID • Constellations of non-unique numbers are a problem • I may be the only person in Graz with a Titan watch and Docker pants 16

  17. Readers and tags cannot hide their very presence Sniffing The structured ID could be a problem header:manufacturer:product:serial Do I want people to know I am taking a Pfizer product? Repeated unique numbers are a problem Track based on repeated ID Constellations of non-unique numbers are a problem I may be the only person in Graz with a Titan watch and Docker pants Spread spectrum, etc. expensive. Non-structured numbers, special ONS for sorting them out Temporary ID by encrypting EPC|nonce Shared key, so key-management problem Some problems can be solved 17

  18. The fact of the matter is • Can’t do anything beyond hashes in passive RFID tags • Physics is our best friend • Can’t activate from afar • Can’t hear backscatter from afar • Consider backscatter channel a private channel • There is a physical zone of trust for privacy • Tag response audible a few meters • If you have worries, you can create further physical barriers • Shielding • Killing the tag • Famous EPC kill code • Reduced range mode of tags • Personalization of tags 18

  19. Some of the other issues • Privacy violation is a consequence of unauthorized reading • Other privacy protections • Detection of unauthorized readers • Eavesdropping • Using tags to prevent counterfeits • Skimming the tag and replaying • Tampering with the physical artifact • Prevent tag hijack 19

  20. Other issues in unauthorized reading • Perhaps require readers to announce themselves • What if reader announced its name, ID, and function • Tag detects this and chooses not to respond • Too expensive  • Too voluntary • The Sentinel Concept • Blocker Tag from Juels et. al. Logical jamming when readin some tags • The Watchdog Tag from Floerkemeier (upcoming PhD thesis) • Sarma’s vindictive Sentinel • All readers need to register with guardian • If a reader is not registered, Sentinel will jam the channel • No politeness 20

  21. Eavesdropping • A reader in Wal-Mart is readings its tags • Readers put out ~watts • A competitor is sitting outside listening to the reader • Can it infer the contents? • Tag response unlikely to be decipherable • Put secret information in tag response channel • The forward response is now XOR’ed with previous reverse channel secret • Blind-tree walking by [Weis 03] 21

  22. Eavesdropping is easier when Gen 2 Masking is used Entire population • You are listening from a distance • You hear the selection command • You see the number of responses that were received • You can detect the numbers of tags in a population • Solution is: • Use masking judiciously • Use chaff when necessary • Sentinel Tag generates chaff, notifies middleware • The Sentinel Tag again! Generalized Selection Thinned population Anti-collision (Query) Single tag identified Access of payload Payload from tag 22

  23. Counterfeit detection • Some secret on the tag which you can verify • Can do it by hash, symmetric or asymmetric crypto • Easier to do in near-field or semi-passive/active tags • Harder to do in RFID • Limited gates • Limited compute cycles • Ephemeral contact • Killer app for RFID • Counterfeit market worldwide is very large ($500B? See Staake’s work) • The very presence of an RFID tag is also a defense • The history of a serialized number is further defense 23

  24. Low-Cost Hash Design [Weis 2003] • Traditional: Many Gates, Few Cycles • Expensive • High-power • Low-Cost: Few Gates, Many Cycles • Slow • Cellular Automata • Cellhash, 1993. No major breaks (yet). • Very cheap, fast and scalable. • Non-Linear Feedback Shift Registers: • Relatively cheap and flexible. • Lots of classified work. 24

  25. The Digital Millennium Act • Can be used to stymie commodity replacements! • Tags on cartridges • Readers in printers • Some important content in tag: say colors • Non-copy-able 25

  26. The Pink Panther replay scenario • Imagine diamonds in a display (each diamond has passive tag) • Tags are being read continuously by reader • Pink Panther has a tag mimicking machine • Listens for the tags being read • Starts playing them back • While pink Panther steals the diamonds • One solution is a Sentinel Tag generating chaff • Mimicking machine cannot tell chaff from real content • Will replay chaff • The SentinelTag again 26

  27. Writing to tags • Enter Code and Lock • Kill • Write Issues: • Administering kill codes • Preventing mass killing of tags • Administering the other codes • Personalizing tags 27

  28. Preventing mass kill • If the codes are not all set to 1111, then you can’t kill the tags easily • Killing is not an RF function in EPC tags; it is an addressed, logical request • You can only kill at the rate of anti-collision • You can only kill from the passive distance • From that range, you have other options open to you • Sarma’s Sentinel Tag: when you see an unauthorized kill going on, jam the airwaves! • The real challenge is kill code management: how does it pass from owner to owner? 28

  29. A keyless approach to administration [Weis 03] Reader Tag metaID := hash(key) Who are you? metaID Store: (key,metaID) Store: metaID metaID key metaID == hash(key)? “Hi, my name is..” Querying a locked tag Unlocking a tag Locking a tag 29

  30. Personalizing tags: an opportunity • Say you go to a store and buy a product • The product has a tag • You now want to personalize that tag • You have a little PDA which talks to the store reader and personalizes your tag • Your PDA is a personalizing device which now talks to your back-end system at home • Tanenbaum et. al 05 • Foley 05 30

  31. The repeating themes • The backscatter distance is a zone of trust • No perfect, inexpensive solution beyond within that zone of trust for passive tags • Passive tags cry for a Sentinel Tag • Sentinel can aggregate security/defense/privacy functions which individual tags cannot afford • Turns out that there are several other 31

  32. The System

  33. Transfer of codes, Data, etc. Company #1 ERP+RFIDSoftware Readers tags tags tags The system ONS ONS + Blob Company #2 Company Software EPC-IS Savant Readerinterface Readers Reader Protocol Gen 1 air-interface Gen 2 air-interface tags tags tags 33

  34. Recent attacks

  35. Viruses and Worms Tanenbaum’s group • Researchers demonstrated a RFID virus: • Based on an “SQL injection” attack • Website: http://www.rfidvirus.org Shamir’s group • Side channel attack • Power analysis 35

  36. Conclusions

  37. Technology Tags Semiconductors Packaging Protocols Antennae Readers Middleware/Reader Middleware Databases Enterprise architecture Distributed systems Identity management Business process Applications Supply chain Retail Healthcare B2B Critical goods Logistics Travel/airports Defense Heavy industries Asset management Operations Factory DC/warehouse Institutions Maintenance Personal systems…. The opportunities Analysis • RF Systems • Communications • Security • System dynamics • Supply chain • Planning • Execution • Policy • Demand planning • Social/ethical • Business planning • Macroeconomics • Policy/frequency 37

More Related