Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of...
-
Upload
angelina-blair -
Category
Documents
-
view
215 -
download
0
Transcript of Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of...
![Page 1: Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.](https://reader038.fdocuments.us/reader038/viewer/2022110402/56649e2c5503460f94b1b748/html5/thumbnails/1.jpg)
Introduction to RFID Security and
Privacy
Ari Juels
Chief Scientist
RSA, The Security Division of EMC
RFIDSec 2011 Tutorial
All slides © 2011, RSA Laboratories
![Page 2: Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.](https://reader038.fdocuments.us/reader038/viewer/2022110402/56649e2c5503460f94b1b748/html5/thumbnails/2.jpg)
Part II: RFID Privacy
![Page 3: Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.](https://reader038.fdocuments.us/reader038/viewer/2022110402/56649e2c5503460f94b1b748/html5/thumbnails/3.jpg)
There are two types of RFID privacy
1. Tracking privacy: Protection against physical tracking via unique identifiers
2. Content privacy: Protection against unauthorized scanning of data stored on tag
![Page 4: Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.](https://reader038.fdocuments.us/reader038/viewer/2022110402/56649e2c5503460f94b1b748/html5/thumbnails/4.jpg)
Why physical considerations say we should forget about
tracking privacy…
![Page 5: Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.](https://reader038.fdocuments.us/reader038/viewer/2022110402/56649e2c5503460f94b1b748/html5/thumbnails/5.jpg)
Ms. Smith and her privacy-preserving RFID tag
“87D6CAA7F”
= “Ms. Smith”
![Page 6: Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.](https://reader038.fdocuments.us/reader038/viewer/2022110402/56649e2c5503460f94b1b748/html5/thumbnails/6.jpg)
Ms. Smith and her privacy-preserving RFID tag
What about PET(Privacy Enhancing Technologies) for pets?
![Page 7: Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.](https://reader038.fdocuments.us/reader038/viewer/2022110402/56649e2c5503460f94b1b748/html5/thumbnails/7.jpg)
Ms. Smith and her privacy-preserving RFID tag
What about Ms. Smith’s face?
![Page 8: Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.](https://reader038.fdocuments.us/reader038/viewer/2022110402/56649e2c5503460f94b1b748/html5/thumbnails/8.jpg)
Ms. Smith and her privacy-preserving RFID tag
What about Ms. Smith’s mobile phone?
![Page 9: Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.](https://reader038.fdocuments.us/reader038/viewer/2022110402/56649e2c5503460f94b1b748/html5/thumbnails/9.jpg)
Ms. Smith and her privacy-preserving RFID tag
Are we still worried aboutthis circle???
![Page 10: Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.](https://reader038.fdocuments.us/reader038/viewer/2022110402/56649e2c5503460f94b1b748/html5/thumbnails/10.jpg)
Well, suppose we are still worried…
We can change identifiers, right?
“87D6CAA7F”
“5ED6CF4C8”
“9816F271BB”
“D7612A873C”
![Page 11: Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.](https://reader038.fdocuments.us/reader038/viewer/2022110402/56649e2c5503460f94b1b748/html5/thumbnails/11.jpg)
Changing identifiers won’t work
• Physical-Layer Identification of RFID Devices– Danev, Heydt-Benjamin, and Capkun– USENIX Security ’09
• Extract hardware “fingerprint” based on power modulation
• Show that it is possible to identify RFID tags over the air with > 2% at ERR– This will improve, of course
Logical Layer(data,
crypto protocols)
Physical Layer(power
modulation)
r
s, fx(r,s)
![Page 12: Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.](https://reader038.fdocuments.us/reader038/viewer/2022110402/56649e2c5503460f94b1b748/html5/thumbnails/12.jpg)
• What does this mean for the dozens of paper on anti-tracking privacy?
• I’d argue that we should give up on anonymity– Not just in RFID
• Emphasis on content privacy makes more sense
Logical Layer(data,
crypto protocols)
Physical Layer(power
modulation)
r
s, fx(r,s)
Serial #878SBE871
“Oxycontin, 160 mg”
Changing identifiers won’t work
![Page 13: Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.](https://reader038.fdocuments.us/reader038/viewer/2022110402/56649e2c5503460f94b1b748/html5/thumbnails/13.jpg)
Content Privacy via “Blocker” Tags
![Page 14: Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.](https://reader038.fdocuments.us/reader038/viewer/2022110402/56649e2c5503460f94b1b748/html5/thumbnails/14.jpg)
The “Blocker” Tag
![Page 15: Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.](https://reader038.fdocuments.us/reader038/viewer/2022110402/56649e2c5503460f94b1b748/html5/thumbnails/15.jpg)
“Blocker” TagBlocker simulates all (billions of) possible tag serial numbers!!
1,2,3, …, 2023 pairs of sneakers and…1800 books and a washing machine and…(reading fails)…
![Page 16: Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.](https://reader038.fdocuments.us/reader038/viewer/2022110402/56649e2c5503460f94b1b748/html5/thumbnails/16.jpg)
“Tree-walking” anti-collision protocol for RFID tags
000 001 010 011 100 101 110 111
00 01 10 11
0 1
?
![Page 17: Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.](https://reader038.fdocuments.us/reader038/viewer/2022110402/56649e2c5503460f94b1b748/html5/thumbnails/17.jpg)
In a nutshell• “Tree-walking” protocol for identifying tags
recursively asks question:– “What is your next bit?”
• Blocker tag always says both ‘0’ and ‘1’! – Makes it seem like all possible tags are present– Reader cannot figure out which tags are actually
present– Number of possible tags is huge (at least a billion
billion), so reader stalls
![Page 18: Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.](https://reader038.fdocuments.us/reader038/viewer/2022110402/56649e2c5503460f94b1b748/html5/thumbnails/18.jpg)
Two bottlesof Merlot#458790
Blocker tag system should protect privacy but stillavoid blocking unpurchased items
![Page 19: Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.](https://reader038.fdocuments.us/reader038/viewer/2022110402/56649e2c5503460f94b1b748/html5/thumbnails/19.jpg)
Consumer privacy + commercial security
• Blocker tag can be selective:– Privacy zones: Only block certain ranges of RFID-
tag serial numbers – Zone mobility: Allow shops to move items into
privacy zone upon purchase• Example:
– Blocker blocks all identifiers with leading ‘1’ bit– Items in supermarket carry leading ‘0’ bit– On checkout, leading bit is flipped from ‘0’ to ‘1’
• PIN required, as for “kill” operation
![Page 20: Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.](https://reader038.fdocuments.us/reader038/viewer/2022110402/56649e2c5503460f94b1b748/html5/thumbnails/20.jpg)
Blocking with privacy zones
000 001 010 011 100 101 110 111
00 01 10 11
0 1
Transfer to privacy zoneon purchase of item
Privacy zone
![Page 21: Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.](https://reader038.fdocuments.us/reader038/viewer/2022110402/56649e2c5503460f94b1b748/html5/thumbnails/21.jpg)
Polite blocking• We want reader to scan privacy zone when
blocker is not present– Aim of blocker is to keep functionality active – when
desired by owner
• But if reader attempts to scan when blocker is present, it will stall!
Your humble servant requests that you not scan the privacy zone
• Polite blocking: Blocker informs reader of its presence
![Page 22: Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.](https://reader038.fdocuments.us/reader038/viewer/2022110402/56649e2c5503460f94b1b748/html5/thumbnails/22.jpg)
More about blocker tags
• Blocker tag can be cheap–Essentially just a “yes” tag and
“no” tag with a little extra logic–Can be embedded in shopping
bags, etc.• With multiple privacy zones,
sophisticated, e.g., graduated policies are possible
![Page 23: Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.](https://reader038.fdocuments.us/reader038/viewer/2022110402/56649e2c5503460f94b1b748/html5/thumbnails/23.jpg)
An Example: The RXA Pharmacy
![Page 24: Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.](https://reader038.fdocuments.us/reader038/viewer/2022110402/56649e2c5503460f94b1b748/html5/thumbnails/24.jpg)
RFID-tagged bottle + “Blocker” bag
![Page 25: Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.](https://reader038.fdocuments.us/reader038/viewer/2022110402/56649e2c5503460f94b1b748/html5/thumbnails/25.jpg)
RFID-tagged bottle + “Blocker” bag
![Page 26: Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.](https://reader038.fdocuments.us/reader038/viewer/2022110402/56649e2c5503460f94b1b748/html5/thumbnails/26.jpg)
“Soft” Blocking
• Idea: Implement polite blocking only – no hardware blocking– A little like P3P…
• External audit possible: Can detect if readers scanning privacy zone
• Advantages:– “Soft blocker” tag is an ordinary RFID tag– Flexible policy:
• “Opt-in” now possible• e.g., “Medical deblocker” now possible
• Weaker privacy, but can combine with “hard” blocker
![Page 27: Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.](https://reader038.fdocuments.us/reader038/viewer/2022110402/56649e2c5503460f94b1b748/html5/thumbnails/27.jpg)
Smart blocking approach: Personal Simulator or Proxy for
RFID• Those phones with NFC could someday
get more general-purpose radios…• We might imagine a simulation lifecycle:
– Mobile phone “acquires” tag when in proximity– Mobile phone simulates tags to readers,
enforcing user privacy policy– Mobile phone “releases” tags when tags
about to exit range
![Page 28: Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.](https://reader038.fdocuments.us/reader038/viewer/2022110402/56649e2c5503460f94b1b748/html5/thumbnails/28.jpg)
Content Privacy via Dispersion
![Page 29: Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.](https://reader038.fdocuments.us/reader038/viewer/2022110402/56649e2c5503460f94b1b748/html5/thumbnails/29.jpg)
Keeping the customer satisfied…
• “I want a rock-solid encryption algorithm… with 20-bit keys.”
• “I want my retail stores to be able to read RFID-tagged items… but I want tags to be unreadable after sale… and I don’t want to have to kill or rewrite or block them…
![Page 30: Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.](https://reader038.fdocuments.us/reader038/viewer/2022110402/56649e2c5503460f94b1b748/html5/thumbnails/30.jpg)
EPC tags and privacy• Recall that EPC tags have no true
cryptographic functionality• One true, explicit EPC privacy feature: Kill
– On receiving tag-specific PIN, tag self-destructs– Tag is “dead in the Biblical sense” (S. Sarma)
• But commercial RFID users say:– They do not want to manage kill PINs– They have no channel to communicate secret
keys downstream in supply chain– Key transport is a big problem!!!
![Page 31: Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.](https://reader038.fdocuments.us/reader038/viewer/2022110402/56649e2c5503460f94b1b748/html5/thumbnails/31.jpg)
Our approach: Put the secret keys on the tags
• Encrypt tag data under secret key • Apply secret sharing to spread key across tags in crate
– E.g., (s1, s2,, s3)
E (m1) s1
E (m2) s2
E (m3) s3
![Page 32: Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.](https://reader038.fdocuments.us/reader038/viewer/2022110402/56649e2c5503460f94b1b748/html5/thumbnails/32.jpg)
• Encrypt tag data under secret key • Apply secret sharing to spread key across tags in crate
– E.g., (s1, s2,, s3)
E (m1) s1
E (m2) s2
E (m3) s3
Our approach: Put the secret keys on the tags
Supersteroids 500mg; 100 countSerial #87263YHGMfg: ABC Inc.Exp: 6 Mar 2010
![Page 33: Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.](https://reader038.fdocuments.us/reader038/viewer/2022110402/56649e2c5503460f94b1b748/html5/thumbnails/33.jpg)
Privacy through dispersion
![Page 34: Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.](https://reader038.fdocuments.us/reader038/viewer/2022110402/56649e2c5503460f94b1b748/html5/thumbnails/34.jpg)
Privacy through dispersion E (m1) s1
E (m2) s2
E (m3) s3
Individual shares / small sets reveal no information about medication!
(Super-Steroids)
(Super-Steroids)
(Super-Steroids)
![Page 35: Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.](https://reader038.fdocuments.us/reader038/viewer/2022110402/56649e2c5503460f94b1b748/html5/thumbnails/35.jpg)
Use case: Privacy protection on medications
Step 1: Receive crateat pharmacy
Step 2: Pharmacy readstags, gets keys, decryptsdata
Step 3: Tags and dataare dispersed
Data
![Page 36: Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.](https://reader038.fdocuments.us/reader038/viewer/2022110402/56649e2c5503460f94b1b748/html5/thumbnails/36.jpg)
Some challenges1. Storage is at a premium in EPC, but no secret-sharing
literature on “tiny” shares• “Short” shares are 128 bits, but we may want 16 bits or less!
2. Scanning errors• We need robustness in our secret-sharing scheme
![Page 37: Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.](https://reader038.fdocuments.us/reader038/viewer/2022110402/56649e2c5503460f94b1b748/html5/thumbnails/37.jpg)
Some challenges3. In-store key harvesting
• Preventive idea: Add “chaff,” i.e., bogus or “noise” shares• If secret-sharing scheme for crate can tolerate d errors, then add
2d/3 bogus shares per crate• Can recover from d/3 errors in single crate• Hard to reconstruct secrets for two crates mixed together, as we
have 4d/3 > d errors• “Overinformed” adversary