a privacy restoring mechanism for offline rfid systems
play

A Privacy-Restoring Mechanism for Offline RFID Systems Gildas - PowerPoint PPT Presentation

A Privacy-Restoring Mechanism for Offline RFID Systems Gildas Avoine Iwen Coisel Tania Martin Universit e catholique de Louvain Belgium April 16, 2012 [WiSec12, Tucson, AZ, USA] Goal of our Paper Authentication protocol that


  1. A Privacy-Restoring Mechanism for Offline RFID Systems Gildas Avoine Iwen Coisel Tania Martin Universit´ e catholique de Louvain Belgium April 16, 2012 [WiSec’12, Tucson, AZ, USA]

  2. Goal of our Paper Authentication protocol that restores privacy in case of compromised readers in offline RFID systems G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems 2

  3. Offline RFID Systems Online system Offline system Fixed readers Handheld readers Always connected to BE Operate without BE Readers do not store data Readers must store all to authenticate tags data to authenticate tags i.e. all tags’ secrets BE BE G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems 3

  4. Compromised Readers in Offline RFID Systems Tag corruption A steals secrets of the corrupted tag vs. Compromised reader in offline RFID systems A steals all tags’ secrets stored by reader G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems 4

  5. Privacy in RFID Malicious traceability An adversary A can distinguish two (challenge) tags over their different protocol executions G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems 5

  6. Privacy in RFID Malicious traceability An adversary A can distinguish two (challenge) tags over their different protocol executions Tag corruption We consider that tags do not share secrets A can trace this corrupted tag G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems 5

  7. Privacy in RFID Malicious traceability An adversary A can distinguish two (challenge) tags over their different protocol executions Tag corruption We consider that tags do not share secrets A can trace this corrupted tag Compromised readers in offline RFID systems A can trace all tags ⇒ More powerful attack than tag corruption G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems 5

  8. Outline 1 Our Protocol 2 Privacy Analysis 3 Efficiency Analysis 4 Implementation G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems 6

  9. Our Protocol: Principle G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems 7

  10. Our Protocol: Principle CORRUPT G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems 7

  11. Our Protocol: Principle CORRUPT G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems 7

  12. Our Protocol: Principle I can differentiate them!!! Tag 1 Tag 2 Tag 3 G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems 7

  13. Our Protocol: Principle What can we do against this problem of traceability? Solution Repair the compromised reader Spread this info of repaired reader via tags’ mobility G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems 8

  14. Our Protocol: Design Choices Challenge/response authentication protocol • Based on Needham-Schroeder [ACM-Comm-1978] Public-key crypto • For authentication − Cryptosystem (Enc/Dec) for T ’s answer − Signature scheme (Sign/Verif) for R ’s identity ⇒ via C R certificate • For privacy-restoring mechanism − Signature scheme (Sign/Verif) for info about repaired readers ⇒ via NewC R / NewC T certificates Secret-key crypto to personalize tags’ secrets • Unique secret key s TR by pair ( T , R ) G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems 9

  15. Our Protocol: Principle REPAIR • ( P new R , K new R ) • C new R , v new R • Tab new = {∀ T : ( ID T , s new TR ) } R • NewC new R G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems 10

  16. Our Protocol: Principle REPAIR • ( P new R , K new R ) • C new R , v new R • Tab new = {∀ T : ( ID T , s new TR ) } R • NewC new R G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems 10

  17. Our Protocol: Principle • Picks a nonce n R C R , n R − − − − − − − − → • Checks C R • s T R = MAC( k T || ID R || v R ) • E = Enc P R ( ID R || n R || s T R ) • Sends NewC T E ← − − − − − − − − NewC T • ID R || n R || s T R = Dec K R ( E ) • Authenticates T if s T R ∈ Tab R • Checks NewC T → Updates its values • Sends NewC R if newer than NewC T NewC R − − − − − − − − → • Checks NewC R → Updates its values G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems 10

  18. Our Protocol: Principle UPDATE • Picks a nonce n R C R , n R − − − − − − − − → • Checks C R • s T R = MAC( k T || ID R || v R ) • E = Enc P R ( ID R || n R || s T R ) • Sends NewC T E ← − − − − − − − − NewC T • ID R || n R || s T R = Dec K R ( E ) • Authenticates T if s T R ∈ Tab R • Checks NewC T → Updates its values • Sends NewC R if newer than NewC T NewC R − − − − − − − − → • Checks NewC R → Updates its values G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems 10

  19. Our Protocol: Principle UPDATE • Picks a nonce n R C R , n R − − − − − − − − → • Checks C R • s T R = MAC( k T || ID R || v R ) • E = Enc P R ( ID R || n R || s T R ) • Sends NewC T E ← − − − − − − − − NewC T • ID R || n R || s T R = Dec K R ( E ) • Authenticates T if s T R ∈ Tab R • Checks NewC T → Updates its values • Sends NewC R if newer than NewC T NewC R − − − − − − − − → • Checks NewC R → Updates its values G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems 10

  20. Our Protocol: Principle G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems 10

  21. Our Protocol: Principle G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems 10

  22. Our Protocol: Principle UPDATE G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems 10

  23. Our Protocol: Principle UPDATE G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems 10

  24. Our Protocol: Principle G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems 10

  25. Our Protocol: Principle G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems 10

  26. Our Protocol: Principle UPDATE UPDATE G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems 10

  27. Our Protocol: Principle UPDATE UPDATE G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems 10

  28. Our Protocol: Principle G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems 10

  29. Our Protocol: Principle G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems 10

  30. Our Protocol: Principle UPDATE G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems 10

  31. Our Protocol: Principle UPDATE G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems 10

  32. Our Protocol: Principle G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems 10

  33. Our Protocol: Principle I cannot differentiate them anymore!!! ?? ?? ?? G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems 10

  34. Outline 1 Our Protocol 2 Privacy Analysis 3 Efficiency Analysis 4 Implementation G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems 11

  35. Privacy Analysis Privacy experiment (from Juels and Weis’ model [Percom-2007]) 1 The challenger C initializes the RFID system S . 2 A interacts with the whole system. A chooses two challenge tags T and T ′ , and gives them to C . 3 C chooses a random bit b , and assigns T b = T and T b ⊕ 1 = T ′ . 4 Then C gives back T b and T b ⊕ 1 to A . A interacts with the whole system. 5 A outputs a guess bit b ′ . 6 A wins if b = b ′ . Adversary classes STANDARD [ A can corrupt any tag (except challenge tags)] FORWARD [ A can corrupt any tag] CORRUPT [ A can corrupt any reader] • CORRUPT is composable with STANDARD and FORWARD ⇒ 4 possible adversaries G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems 12

  36. Privacy Analysis When the system is stable FORWARD-privacy CORRUPT-STANDARD-privacy During the system update We define the average probability τ ( t ) to trace 1 tag When t ր then τ ( t ) ց “ 1 ”“ u ( t ) ”“ u ( t ) − 1 ” τ ( t ) = 2 + ǫ ( s ) n n − 1 “ u ( t ) 1 − u ( t ) 1 − u ( t ) 1 − u ( t ) “ ”“ ” ”“ ” + + 2 n − 1 n − 1 n n where u ( t ) = number of updated tags at time t G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems 13

  37. Outline 1 Our Protocol 2 Privacy Analysis 3 Efficiency Analysis 4 Implementation G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems 14

Recommend


More recommend