time measurement threatens privacy friendly rfid
play

Time Measurement Threatens Privacy-Friendly RFID Authentication - PowerPoint PPT Presentation

Dec 04, 2023 •362 likes •605 views

Time Measurement Threatens Privacy-Friendly RFID Authentication Protocols Gildas Avoine 1 , Iwen Coisel 2 and Tania Martin 1 1: Information Security Group - Universit e Catholique de Louvain 2: Crypto Group - Universit e Catholique de

  1. Time Measurement Threatens Privacy-Friendly RFID Authentication Protocols Gildas Avoine 1 , Iwen Coisel 2 and Tania Martin 1 1: Information Security Group - Universit´ e Catholique de Louvain 2: Crypto Group - Universit´ e Catholique de Louvain RFIDSec 2010 UCL Crypto Group Avoine - Coisel - Martin Time Measurement - RFIDSec 2010 1 Microelectronics Laboratory

  2. The Privacy of an RFID Authentication Scheme ◮ Interest relative to the application ◮ not really necessary in inventory management ◮ essential in passport context to protect user’s identity and also to prevent anybody to trace him ◮ Lots of sensitive applications ◮ medical supplies ◮ transport cards ◮ luxury items ◮ ... ⇒ Real necessity of a privacy analysis We here focus on traceability UCL Crypto Group Avoine - Coisel - Martin Time Measurement - RFIDSec 2010 2 Microelectronics Laboratory

  3. Privacy vs Time Measurement Several privacy models exist [A05,JW07,LBM07,V07,CCG10] ◮ Juels and Weis : possible to know the result of a protocol ◮ Vaudenay : tags are not necessary in the adversary’s field How long it takes to a reader to identify a tag ? None of them It’s not (only) an implementation issue UCL Crypto Group Avoine - Coisel - Martin Time Measurement - RFIDSec 2010 3 Microelectronics Laboratory

  4. Privacy vs Time Measurement Several privacy models exist [A05,JW07,LBM07,V07,CCG10] ◮ Juels and Weis : possible to know the result of a protocol ◮ Vaudenay : tags are not necessary in the adversary’s field How long it takes to a reader to identify a tag ? None of them It’s not (only) an implementation issue Contributions : ◮ Point out this threatens ◮ Formalize it ◮ Attacks some protocols ◮ Present some countermeasures UCL Crypto Group Avoine - Coisel - Martin Time Measurement - RFIDSec 2010 3 Microelectronics Laboratory

  5. Outline 1 � Modelling Privacy 2 � Time-Attack on Some Existing Schemes 3 � Countermeasures 4 � Conclusion UCL Crypto Group Avoine - Coisel - Martin Time Measurement - RFIDSec 2010 4 Microelectronics Laboratory

  6. Outline 1 � Modelling Privacy 2 � Time-Attack on Some Existing Schemes 3 � Countermeasures 4 � Conclusion UCL Crypto Group Avoine - Coisel - Martin Time Measurement - RFIDSec 2010 5 Microelectronics Laboratory

  7. Vaudenay’s Model [Vau07] List of oracles given to an adversary A ◮ CreateTag : adds a new legitimate tag. ◮ DrawTag : tag enters in the adversary’s field ◮ Free : tags goes out of the adversary’s field ◮ Execute : returns transcripts. ◮ Launch ◮ SendTag ◮ SendReader ◮ Result ◮ Corrupt : returns tag’s key set. UCL Crypto Group Avoine - Coisel - Martin Time Measurement - RFIDSec 2010 6 Microelectronics Laboratory

  8. Vaudenay’s Model [Vau07] Considering the Corrupt oracle, 3 adversary’s ability : ◮ WEAK : no Corrupt allowed ◮ FORWARD : Corrupt “stops” the system ◮ STRONG : Corrupt has no effect Considering the Result oracle, 2 adversary’s ability : ◮ NARROW : no Result allowed Adversary classes ordered by power P STRONG ⇒ FORWARD ⇒ WEAK ⇓ ⇓ ⇓ N-STRONG ⇒ N-FORWARD ⇒ N-WEAK UCL Crypto Group Avoine - Coisel - Martin Time Measurement - RFIDSec 2010 7 Microelectronics Laboratory

  9. Vaudenay’s Model [Vau07] Experiment of A 1. A interacts with the whole system 2. A submits an hypothesis 3. A obtains Tab and returns 0/1 The protocol is said P -private if A sim has the same success probability as A : | Pr [ A → 1] − Pr [ A sim → 1] | < ǫ ( k ) STRONG ⇒ FORWARD ⇒ WEAK ⇓ ⇓ ⇓ N-STRONG ⇒ N-FORWARD ⇒ N-WEAK UCL Crypto Group Avoine - Coisel - Martin Time Measurement - RFIDSec 2010 8 Microelectronics Laboratory

  10. Time-Privacy To capture the time notion in an authentication protocol ◮ Timer : outputs the time δ taken by the reader for its overall computations during a given protocol instance Possible to define the TIMEFUL-Privacy ◮ Adds a new ability ⇒ more powerful ◮ At each level X ∈ { STRONG, FORWARD, WEAK } : TIMEFUL- X ⇒ X ⇓ ⇓ TIMEFUL-NARROW- X ⇒ NARROW- X UCL Crypto Group Avoine - Coisel - Martin Time Measurement - RFIDSec 2010 9 Microelectronics Laboratory

  11. Outline 1 � Modelling Privacy 2 � Time-Attack on Some Existing Schemes 3 � Countermeasures 4 � Conclusion UCL Crypto Group Avoine - Coisel - Martin Time Measurement - RFIDSec 2010 10 Microelectronics Laboratory

  12. Context of the Study Several key infrastructures possible secret-key public-key master X Yes particular Yes Yes Considering Vaudenay’s generic scheme [Vau07] ◮ Authentication : encryption of ID|| K || a ◮ Verification : decryption of the message + authenticity of K ⇒ constant-time authentication Particular secret-key infrastructure ◮ Each tag owns a particular secret-key ◮ The reader does not know which key to use ⇒ SearchID procedure UCL Crypto Group Avoine - Coisel - Martin Time Measurement - RFIDSec 2010 11 Microelectronics Laboratory

  13. WSRE Protocol Protocol proposed by Weis, Sarma, Rivest and Engels [WSRE03] ◮ Each tag owns a secret key sk ID ; ◮ f is a pseudo-random function ; SearchID procedure : brute-force search UCL Crypto Group Avoine - Coisel - Martin Time Measurement - RFIDSec 2010 12 Microelectronics Laboratory

  14. WSRE Protocol Protocol proposed by Weis, Sarma, Rivest and Engels [WSRE03] ◮ Each tag owns a secret key sk ID ; ◮ f is a pseudo-random function ; SearchID procedure : brute-force search ◮ Best case : 1 computation ◮ Average : n / 2 computations ◮ Worst case : n computations UCL Crypto Group Avoine - Coisel - Martin Time Measurement - RFIDSec 2010 12 Microelectronics Laboratory

  15. WSRE Protocol A time-attack on WSRE ◮ A creates 2 legitimate tags and affects them : t 1 and t 2 ◮ A calls Execute (t 1 ) and Execute (t 2 ) : ( π 1 , tr 1 ), ( π 2 , tr 2 ) ◮ A calls Timer ( π 1 ) and Timer ( π 2 ) : δ 1 and δ 2 ◮ A frees both tags, and reaffects only one of them : t 3 ◮ A calls Execute (t 3 ) : ( π 3 , tr 3 ) ◮ A calls Timer ( π 3 ) : δ 3 ◮ If δ 3 = δ 1 , then t 1 = t 3 , else t 2 = t 3 ⇒ Pr [ A → 1] = 1 UCL Crypto Group Avoine - Coisel - Martin Time Measurement - RFIDSec 2010 13 Microelectronics Laboratory

  16. WSRE Protocol A time-attack on WSRE ◮ A creates 2 legitimate tags and affects them : t 1 and t 2 ◮ A calls Execute (t 1 ) and Execute (t 2 ) : ( π 1 , tr 1 ), ( π 2 , tr 2 ) ◮ A calls Timer ( π 1 ) and Timer ( π 2 ) : δ 1 and δ 2 ◮ A frees both tags, and reaffects only one of them : t 3 ◮ A calls Execute (t 3 ) : ( π 3 , tr 3 ) ◮ A calls Timer ( π 3 ) : δ 3 ◮ If δ 3 = δ 1 , then t 1 = t 3 , else t 2 = t 3 ⇒ Pr [ A → 1] = 1 For the simulation, the output of Timer ( π 3 ) is guessed ⇒ Pr [ A Sim → 1] = 1 / 2 WSRE is NOT TIMEFUL-WEAK-private. UCL Crypto Group Avoine - Coisel - Martin Time Measurement - RFIDSec 2010 13 Microelectronics Laboratory

  17. Several Attacks Ohkubo, Suzuki and Kinoshita [OSK03] ◮ NARROW-FORWARD private ◮ Not TIMEFUL-WEAK private ◮ Desynchronisation helps to distinguish two tags Undesynchronizable schemes [D05, LBM07, CC08, ...] ◮ Only one possible desynchronization ◮ WEAK private ◮ Not TIMEFUL-WEAK private UCL Crypto Group Avoine - Coisel - Martin Time Measurement - RFIDSec 2010 14 Microelectronics Laboratory

  18. Outline 1 � Modelling Privacy 2 � Time-Attack on Some Existing Schemes 3 � Countermeasures 4 � Conclusion UCL Crypto Group Avoine - Coisel - Martin Time Measurement - RFIDSec 2010 15 Microelectronics Laboratory

  19. Presentation Major concern = SearchID procedure Example for WSRE ◮ Always waiting until the worst case ( n computations) ◮ “Always” applicable ◮ Not efficient ◮ Random SearchID instead of a linear one ◮ More efficient : n / 2 computations in average for each tag Countermeasures ◮ Not possible to link a time length to a tag ◮ Optimally : time length independent of n UCL Crypto Group Avoine - Coisel - Martin Time Measurement - RFIDSec 2010 16 Microelectronics Laboratory

  20. Undesynchronizable Schemes Tags can be desynchronized once ⇒ 2 possible keys per legitimate tag ◮ Worst case : 2 n computations (instead of n ) ◮ Random Search ◮ Synchronized tag : n / 2 computations ◮ Desynchronized tag : 3 n / 2 computations ⇒ A can distinguish 2 tags ◮ New Random Search ◮ Random among the whole set of keys (current and old/next ones) ◮ Average time for all tags : n computations UCL Crypto Group Avoine - Coisel - Martin Time Measurement - RFIDSec 2010 17 Microelectronics Laboratory

  21. Precomputation Solution No random values in OSK ⇒ Precomputation of “all” answers possible : n . m answers ◮ Balanced Binary Search ◮ SearchID efficient : O (log n ) ◮ really dynamic : tags can be added infinitely ◮ Rainbow Table [AO05,ADO05] ◮ Database size reduced ◮ Efficiency of SearchID depends on the time-memory trade-off ◮ But not dynamic ◮ But requires database update (instead of tag update) UCL Crypto Group Avoine - Coisel - Martin Time Measurement - RFIDSec 2010 18 Microelectronics Laboratory

  22. Outline 1 � Modelling Privacy 2 � Time-Attack on Some Existing Schemes 3 � Countermeasures 4 � Conclusion UCL Crypto Group Avoine - Coisel - Martin Time Measurement - RFIDSec 2010 19 Microelectronics Laboratory

Recommend

Interaction of RFID Technology and Public Policy Presentation at RFID Privacy Workshop @ MIT

Interaction of RFID Technology and Public Policy Presentation at RFID Privacy Workshop @ MIT

Interaction of RFID Technology and Public Policy Presentation at RFID Privacy Workshop @ MIT 15 TH November 2003 By Rakesh Kumar Wipro Technologies India Privacy Consumers Perspective Privacy can be defined as customers ability to

284 views • 17 slides
Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in vehicular networks; Security and Cooperation in Wireless Networks Georg-August University Gttingen Chapter outline 1 Important privacy related

1.12k views • 33 slides
Privacy Challenges in RFID Gildas Avoine Information Security Group Universit e catholique de

Privacy Challenges in RFID Gildas Avoine Information Security Group Universit e catholique de

Privacy Challenges in RFID Gildas Avoine Information Security Group Universit e catholique de Louvain Belgium SUMMARY Background about RFID Privacy: Information Leakage Privacy: Malicious Traceability Is Privacy a Research Challenge?

343 views • 32 slides
Privacy in Wireless Networks privacy notions and metrics; privacy in RFID systems; location

Privacy in Wireless Networks privacy notions and metrics; privacy in RFID systems; location

Mobile Networks - Module H2 Privacy in Wireless Networks privacy notions and metrics; privacy in RFID systems; location privacy in vehicular networks; privacy preserving routing in ad hoc networks; Slides adapted from Security and

909 views • 55 slides
RFID Security and Privacy Gildas Avoine Information Security Group UCL Belgium February 2011,

RFID Security and Privacy Gildas Avoine Information Security Group UCL Belgium February 2011,

RFID Security and Privacy Gildas Avoine Information Security Group UCL Belgium February 2011, Corua, Spain RFID Primer RFID Primer Definition Radio frequency identification'' (RFID) means the use of electromagnetic radiating waves

729 views • 47 slides
RFID Security and Privacy Gildas Avoine Information Security Group UCL Belgium April 2011,

RFID Security and Privacy Gildas Avoine Information Security Group UCL Belgium April 2011,

RFID Security and Privacy Gildas Avoine Information Security Group UCL Belgium April 2011, Rennes, France Summary RFID Primer. Examples. Capabilities. Particularities. Authentication in RFID. Theory. Practical

934 views • 64 slides
29.09.2007 No Shortage of Public Fears RFID and Privacy The risk [RFID] poses to humanity

29.09.2007 No Shortage of Public Fears RFID and Privacy The risk [RFID] poses to humanity

29.09.2007 No Shortage of Public Fears RFID and Privacy The risk [RFID] poses to humanity is on Marc Langheinrich Institute for Pervasive Computing a par with nuclear weapons. Dr. Katherine Albrecht Katherine Albrecht,

315 views • 4 slides
A New Framework for RFID Privacy Robert H. Deng, Yingjiu Li, Moti Yung, Yunlei Zhao ESORICS 2010

A New Framework for RFID Privacy Robert H. Deng, Yingjiu Li, Moti Yung, Yunlei Zhao ESORICS 2010

A New Framework for RFID Privacy Robert H. Deng, Yingjiu Li, Moti Yung, Yunlei Zhao ESORICS 2010 Outline Introduction. Model of RFID Systems. Adaptive Completeness and Mutual Authentication. zk-Privacy: Formulation, Clarifications

456 views • 35 slides
Some Recent Development Some Recent Development in RFID Privacy Models Robert H. Deng School of

Some Recent Development Some Recent Development in RFID Privacy Models Robert H. Deng School of

Some Recent Development Some Recent Development in RFID Privacy Models Robert H. Deng School of Information Systems y Singapore Management University 2010/12/6 1 Introduction RFID tags are low-cost electronic devices, from which

547 views • 17 slides
The Blocker Tag: Selective Blocking of RFID Tags for Consumer Privacy Ari Juels Ron Rivest

The Blocker Tag: Selective Blocking of RFID Tags for Consumer Privacy Ari Juels Ron Rivest

The Blocker Tag: Selective Blocking of RFID Tags for Consumer Privacy Ari Juels Ron Rivest Mike Szydlo MIT CSAIL RSA Laboratories RSA Laboratories What is a R adio- F requency Id entification (RFID) tag? In terms of appearance Chip

678 views • 26 slides
Privacy and RFID Irreconcilable Differences? Marc Langheinrich Institute for Pervasive Computing

Privacy and RFID Irreconcilable Differences? Marc Langheinrich Institute for Pervasive Computing

T Labs Usability Colloquium June 25, 2007 Privacy and RFID Irreconcilable Differences? Marc Langheinrich Institute for Pervasive Computing ETH Zurich, Switzerland C.A.S.P.I.A.N. Consumers against supermarket privacy invasions and

451 views • 25 slides
RFID Technologies: Emerging Issues, Challenges, Policy Options A study by TNO and Telecom Italia

RFID Technologies: Emerging Issues, Challenges, Policy Options A study by TNO and Telecom Italia

RFID Technologies: Emerging Issues, Challenges, Policy Options A study by TNO and Telecom Italia for IPTS IFIP/FIDIS Summerschool Karlstad - 2007 Overview RFID Technologies RFID Markets RFID Privacy issues Conclusions 2

734 views • 19 slides
Privacy Challenges in RFID-Systems Marc Langheinrich ETH Zurich, Switzerland

Privacy Challenges in RFID-Systems Marc Langheinrich ETH Zurich, Switzerland

Privacy Challenges in RFID-Systems Marc Langheinrich ETH Zurich, Switzerland http://www.inf.ethz.ch/~langhein/ joint work with Chris Floerkemeier and Roland Schneider The Ubicomp Vision DIMACS WUPSS The most profound technologies are

177 views • 17 slides
15-213 The course that gives CMU its Zip! Time Measurement Time Measurement Oct. 24, 2002

15-213 The course that gives CMU its Zip! Time Measurement Time Measurement Oct. 24, 2002

15-213 The course that gives CMU its Zip! Time Measurement Time Measurement Oct. 24, 2002 Oct. 24, 2002 Topics Topics n Time scales n Interval counting n Cycle counters n K-best measurement scheme class18.ppt Computer Time Scales

576 views • 31 slides
Privacy October 2006 Overview I. Definition II. Basic Privacy Principles III. Privacy Issues

Privacy October 2006 Overview I. Definition II. Basic Privacy Principles III. Privacy Issues

Simone Fischer-Hbner Privacy October 2006 Overview I. Definition II. Basic Privacy Principles III. Privacy Issues (LBS, RFID,...) IV. European Privacy Legislation/ Directives I. Definition Warren &amp; Brandeis 1890 The right to

694 views • 30 slides
Insider attacks and RFID Privacy models Ton van Deursen and Saa Radomirovi c

Insider attacks and RFID Privacy models Ton van Deursen and Saa Radomirovi c

Insider attacks and RFID Privacy models Ton van Deursen and Saa Radomirovi c {ton.vandeursen, sasa.radomirovic}@uni.lu University of Luxembourg Financial support received from the Fonds National de la Recherche (Luxembourg) Ton van Deursen

144 views • 12 slides
Data Synchronization in Privacy-Preserving RFID Authentication Schemes S ebastien CANARD and

Data Synchronization in Privacy-Preserving RFID Authentication Schemes S ebastien CANARD and

Data Synchronization in Privacy-Preserving RFID Authentication Schemes S ebastien CANARD and Iwen COISEL Orange Labs R&amp;D - Caen - France RFIDSec 08 - 10 th July 2008 Outline 1 General Context 2 A synchronization problem 3 A

714 views • 33 slides
RFID Privacy Using Spatially Distributed y g p y Shared Secrets Marc Langheinrich Marc

RFID Privacy Using Spatially Distributed y g p y Shared Secrets Marc Langheinrich Marc

RFID Privacy Using Spatially Distributed y g p y Shared Secrets Marc Langheinrich Marc Langheinrich Remo Marti Remo Marti Inst. for Pervasive Computing Ergon Informatik AG ETH Zurich Zurich Switzerland Switzerland 11/26/2007 RFID

535 views • 27 slides
Atlanta, USA 1. TSA worldwide RFID Trial History 2. ASTREC research effort in RFID 3. Inflight

Atlanta, USA 1. TSA worldwide RFID Trial History 2. ASTREC research effort in RFID 3. Inflight

March 2, 2014 Monte Jade's RFID Seminar Atlanta, USA 1. TSA worldwide RFID Trial History 2. ASTREC research effort in RFID 3. Inflight RFID 4. Current Airport RFID Deployments 5. Atlanta International Airport Activity with IATA RFID

912 views • 35 slides
IntelliSense RFID RFID PLATFORM WITH SENSORS INTEGRATION CAPABILITIES One Global Sensing

IntelliSense RFID RFID PLATFORM WITH SENSORS INTEGRATION CAPABILITIES One Global Sensing

IntelliSense RFID RFID PLATFORM WITH SENSORS INTEGRATION CAPABILITIES One Global Sensing Tag Oslo, 28 November 2007 IntelliSense RFID Workshop IntelliSense RFID RESEARCH PROJECT FOR TECHNOLOGY DEVELOPMENT WITHIN THE FIELDS OF RFID

788 views • 13 slides
The Art of RFID Exploitation Melanie Rieback FIRST 20 June, 2007 What is RFID? RFID = Radio

The Art of RFID Exploitation Melanie Rieback FIRST 20 June, 2007 What is RFID? RFID = Radio

The Art of RFID Exploitation Melanie Rieback FIRST 20 June, 2007 What is RFID? RFID = Radio Frequency Identification Modern RFID Applications VeriChips Subdermal RFID VeriChips Subdermal RFID VeriChips Subdermal RFID VeriChips

628 views • 29 slides
Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA), CNRS, France Tuesday, September 13th, 2016 Security protocols everywhere ! Cryptographic protocols small programs designed to secure

923 views • 56 slides
Where are we at - Topic overview Lecture 1A: Security requirements/features Lecture 7A

Where are we at - Topic overview Lecture 1A: Security requirements/features Lecture 7A

Where are we at - Topic overview Lecture 1A: Security requirements/features Lecture 7A Threatens Privacy Threatens Try to achieve Lecture 2B: Network threats Lecture 3A: Attacks on Lecture 6A: Security Protocols Web servers, malware

381 views • 25 slides
How to prevent sabotage and ensure consumer privacy with RAIN RFID Tjibbe van der Laan 2

How to prevent sabotage and ensure consumer privacy with RAIN RFID Tjibbe van der Laan 2

How to prevent sabotage and ensure consumer privacy with RAIN RFID Tjibbe van der Laan 2 Hardware independent 3 780 stores 4 countries project start in 2017, roll-out in 2018 4 280 stores United Kingdom, some other countries

187 views • 16 slides

More recommend