Some Recent Development Some Recent Development in RFID Privacy - PowerPoint PPT Presentation

Some Recent Development Some Recent Development in RFID Privacy Models Robert H. Deng School of Information Systems y Singapore Management University 2010/12/6 1

Introduction • RFID tags are low-cost electronic devices, from which stored info can be collected by an RFID reader efficiently stored info can be collected by an RFID reader efficiently and at a distance without line of sight • RFID has found numerous applications, from warehouse inventory control, supermarket checkout counters, e- ticket to e-passport ticket, to e passport Read / Update Tag Tag Reader Reader 2 2010/12/6

RFID Triggered Significant Concerns on Security & Privacy Security & Privacy • Perfect working condition for attackers – Tags can be read or traced by malicious readers from a distance w/o its owner’s awareness • Security – Tag authentication: ensure data collected not from fake tag & prevent database pollution – Reader authentication: prevent unauthorized access to/or Reader authentication: prevent unauthorized access to/or tampering with tag data • Privacy • Anonymity: Confidentiality of the tag identity A it C fid ti lit f th t id tit • Untraceability: Unlinkability of the tag’s transactions 3 2010/12/6

Cryptographic Protocols for RFID Privacy Privacy • Numerous lightweight RFID protocols for low-cost tags h have been proposed b d – Use simple operations (XOR, bit inner product, CRC, etc) • Most of them have been broken – T. van Deursen and S. Radomirovic: Attacks on RFID Protocols, ePrint Archive: Report 2008/310 ePrint Archive: Report 2008/310 • Need to investigate formal RFID security and privacy g y p y models which are fundamental to the design and analysis of robust RFID systems 4 2010/12/6

Assumptions Secure connection • S = {T 1 ,…,T n } - polynomial-size group of tags • R/D - Reader/Database have secure connection • Adversary A has complete control over communications between reader and tags 5 2010/12/6

Canonical RFID Protocol  Tag T Reader R c r f (optional) • Shorthand notation: (c r f) ←  (R T) • Shorthand notation: (c, r, f) ←  (R, T) 6 2010/12/6

Adversary • Interactions between A and protocol parties R and T occur through 4 oracles ti R d T th h 4 l – O 1 - Launch(): return a session id sid and the 1 st message c message c – O 2 - SendTag(sid, c, T): return r, the response of tag T tag T – O 3 - SendReader(sid, r): return f, the response of Reader – O 4 - Corrupt(T): return the secret information and state of tag T 7 2010/12/6

Ind-Privacy : Indistinguishability of two tags JW06 JW06 (Jules & Weis, PerCom 2007) Experiment: Experiment: A 1 not allowed to query O 4  {T i , T j } ← A 1 O1,O2,O3,O4 (R, S ); on T i and T j  b ∈ {0, 1}; { , };  If b = 0 then T c = T i , else T c = T j ;  S’ S’ = S S ‐ {T i , T j }; A 2 not allowed to query O 4 A 2 not allowed to query O 4  b’ ← A 2 O1,O2,O3,O4 (R, S’ S’ , T c ). on T c • The advantage of adversary A = |Pr[b'=b] ‐ 1/2| • No protocol has been directly proven to satisfy Ind ‐ Privacy Privacy 8 2010/12/6

Unp*-Privacy ( Ha, Moon, Zhou & Ha, ESORICS 2008; Lai, Deng, Li, ACNS 2010 ) ; , g, , ) Experiment: T T c ← A 1 A O1 O2 O3 O4 (R S ); O1,O2,O3,O4 (R, S );    b ∈ {0, 1};  When A 2 makes queries to O 1 , O 2 , O 3 on T q 1 , 2 , 3 c c 2  If b = 0, return oracles’ responses  Else (b = 1) A 1 & A 2 not allowed to return c  R C if query O 1 q y • R 1 query O 4 on T return r  R R if query O 2 • c Return f  R F if query O 3 •   b’ ← A b ← A 3 • The advantage of adversary A = |Pr[b'=b]-1/2| • Some protocols have been proven to satisfy Unp*- S t l h b t ti f U * privacy 9 2010/12/6

Relationships (Ma, Li, Deng, Li, CCS09) • Ind-privacy  Unp*-privacy – Assume that (c, r, f)   (R, T) satisfies Ind-privacy ( f) ( ) f – Let (c, r|r, f)   ’(R,T) –  (R,T) also satisfies Ind-privacy, but it does not satisfy  ’(R T) also satisfies Ind privacy but it does not satisfy Unp*-privacy • Ind privacy   • Ind-privacy   Unp* privacy Unp -privacy • Minimal requirement for RFID systems to achieve RFID system privacy achieve RFID system privacy – Unp*-privacy   PRF 10 2010/12/6

RFID Privacy Preserving Authentication Protocol Design Tag T Reader R c r f (optional)  Privacy requirements • Anonymity: Confidentiality of the tag identity Anonymity: Confidentiality of the tag identity • Untraceability: Unlinkability of the tag’s transactions 11 2010/12/6

Symmetric Key Crypto Based Solution Solution Tag T (ID T , K T ) Reader R Database D Tag ID Tag Secret ID T1 K T1 ID T2 ID K K T2 c … … ID Tn K Tn r = prf( K T | c …), ID T Exhaustive research to find a matching K T and then I D T f (optional) 12 2010/12/6

Symmetric Key Crypto & Counter Based Solution Based Solution Tag T (K T , Ctr) Reader R Database D I D’ I D Secret Ctr ID’ T1 ID T1 K T1 Ctr T1 ID T2 ID T2 ID’ ID K T2 K c … … ID Tn ID’ Tn K Tn Ctr Tn ID T = h(K T , Ctr) ID’ = h(K Ctr) ID’ T , … Ctr  Ctr + 1 Use I D’ T as index to the database f (optional) f (optional) Must be able to recover from disynchronization attack u b ab o o o d y o a o a a 13 2010/12/6

Public Key Crypto Based Solution Tag T Database D (ID T , K T , P R ) Reader R (S R ) Tag ID Tag Secret ID T1 K T1 ID T2 ID T2 K T2 K T2 c c … … ID Tn K Tn r = PK R ( K T | ID T | c …) Use I D T as index to look for K T f (optional) f (optional) PKC based protocols do not satisfy Unp*-privacy! PKC based protocols do not satisfy Unp privacy! 14 2010/12/6

Summary • Ind-Privacy and Unp*-Privacy models • No protocol has been directly proven to satisfy Ind • No protocol has been directly proven to satisfy Ind- Privacy • Symmetric key based protocols can be designed to satisfy Unp*-privacy, but not public key based protocols • ZK-privacy model (Deng, Li, Yung, Zhao, ESORICS 2010) – Output of real world experiment and output of O t t f l ld i t d t t f simulated world experiment are indistinguishable – Both symmetric key and public key protocols can be Both symmetric key and public key protocols can be designed to satisfy zk-privacy 15 2010/12/6

Acknowledgement Junzuo LAI 1 Tieyan LI 2 Yingjiu LI 1 Changshe MA 3 Yunlei Zhao 4 1. Singapore Management University 2. 2 Institute for Infocomm Research Singapore Institute for Infocomm Research, Singapore 3. South China Normal University 4. Fudan University y 16 2010/12/6

17 Thank You! Thank You! 2010/12/6