In this article, David Wagner discusses the challenges and opportunities of privacy in pervasive computing, with a focus on RFID and identification systems. He explores protocols for private identification and proposes a novel approach using the "tree of secrets" concept. This article aims to inspire technologists to take privacy seriously in the era of pervasive computing.
Privacy in pervasive computing: What can technologists do?
David Wagner, U.C. Berkeley
In collaboration with David Molnar, Andrea Soppera, Ari Juels
The tide is turning... Pervasive computing is coming... It’s time to get serious about privacy.
Outline
• RFID and identification systems
• Protocols for private identification
• The challenge of scalability; trees of secrets
Identification systems
• Example applications:
  • Electronic passports
  • ID cards and badges
  • Proximity cards, building access control
  • Automatic payment systems (Fastrak, EZPass)
  • Item tagging & tracking, inventory management
• Key technologies:
  • RFID
  • Contactless smart card
Challenge: privacy (and security) for ID systems
Introduction to RFID
RFID tags are passive: they are powered by the reader and carry an identity.
(Figure: the reader supplies power to the tag; the tag returns its identity.)
Privacy issues: unwanted tracking of people and items.
RFID systems are resource-limited
• Tags might lack writable non-volatile memory
  • Takes more energy to permanently write bits
  • Thus, state might only last as long as tag is powered
• Cryptography is expensive
  • Public-key out of reach for all but priciest tags
  • AES within reach for mid-class tags? [Feldhofer]
• Can't take random number generation for granted
• Readers might not be network-connected
RFID technologies vary widely
  Standard    Example application     Cost     Computation      Intended read range
  ISO 14443   E-passports, ID cards   US$5     3DES, RSA        10cm
  ISO 15693   Library books           US$0.50  sym.-key crypto  1m
  EPC         WalMart                 US$0.20  no crypto        3m
Read range?
• normal reader: 10cm / 3m
• malicious reader: 50cm / 15m
• eavesdrop on tag: ???
• eavesdrop on reader: 50m / ???
Simple trick: Defeating eavesdropping on forward link
Reader: "go ahead". Tag picks a random r and sends r. Reader, wanting to send m, replies with m ⊕ r, i.e. m masked by the tag's random r, so an eavesdropper who only hears the (longer-range) reader side learns nothing about m. Appears in EPC Gen II standards.
A first attempt at defeating eavesdropping and unauthorized tag-reading
Tag sends E_k(r, ID) as a "pseudonym"; tag and reader both hold the same key k.
• Problem: All tags and readers share the same key k
  • If any tag is compromised, all security is lost
  • If any reader is compromised, all security is lost
• Risk: Massive data spills.
Take #2: Independently keyed tags
Reader database: (k1, ID1), ..., (kN, IDN). Tag i sends r, F_ki(r) as a "pseudonym"; the reader scans through all keys to find the ki that decodes it.
• Problem: Doesn't scale.
  • Takes O(N) work to decode each pseudonym
Private identification protocols
• Goal: a tag <-> reader protocol, providing:
  • Identification: Authorized reader learns tag's identity
  • Privacy: Unauthorized readers learn nothing
    • Attacker cannot even link two sightings of same tag
  • Authentication: Tag identity cannot be spoofed
  • Scalability: Can be used with many tags
A non-trivial technical challenge, with many possible applications.
A beautiful method for private identification
Reader tables: (ki, i) for each group i, and (i, kij, IDij) for each tag. Tag holds ki, kij and sends the pseudonym r, F_ki(r), F_kij(r); the reader decodes i, then j.
• More scalable: O(√N) work to decode each pseudonym
  • First, scan all ki to learn i
  • Then, scan all kij to learn j and thus tag identity
The tree of secrets
(Figure: a two-level tree with top-level keys k0, k1 and children k00, k01, k10, k11.)
Tag = leaf of the tree. Each tag receives the keys on the path from its leaf to the root. Tag ij generates pseudonyms as (r, Fki(r), Fkij(r)). The reader decodes a pseudonym using a depth-first search.
Analysis: tree of secrets
• Generalizations:
  • Use any depth tree (e.g., lg N)
  • Use any branching factor (e.g., 2^10)
  • Use any other identification scheme (e.g., mutual auth)
                     Theory     A concrete example
  Number of tags:    N          2^20 tags
  Tag storage:       O(lg N)    128 bits
  Tag work:          O(lg N)    2 PRF invocations
  Communications:    O(lg N)    138 bits
  Reader work:       O(lg N)    2 · 2^10 PRF invocations
• Privacy degrades gracefully if tags are compromised
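The following is an added example, not code from the slides or from the authors. It implements the two-level tree of secrets from the preceding slides (tag sends (r, F_ki(r), F_kij(r)); reader does a depth-first search) next to the "Take #2" flat scan, counting PRF invocations so the O(√N) versus O(N) difference is visible, and shows how a compromised group key ki links sightings only to group i. The PRF F is instantiated with HMAC-SHA256 and the keys are derived from a fixed seed; both are assumptions made for reproducibility, not choices the slides make.

```python
import hashlib
import hmac
import os


def prf(key: bytes, r: bytes) -> bytes:
    """F_k(r). The slides leave F abstract; HMAC-SHA256 stands in here (assumption)."""
    return hmac.new(key, r, hashlib.sha256).digest()


class TreeOfSecrets:
    """Two-level tree of secrets with branching factor b, so N = b*b tags.
    Tag ij is the leaf under group i and holds the keys on its root path: (k_i, k_ij).
    The reader holds the whole tree."""

    def __init__(self, branching: int, seed: bytes):
        self.b = branching
        # Constructed example keys, derived from a seed so the demo is reproducible;
        # a real deployment draws every key independently from a CSPRNG.
        self.k = [hashlib.sha256(seed + b"|L1|" + bytes([i])).digest()
                  for i in range(branching)]
        self.kk = [[hashlib.sha256(seed + b"|L2|" + bytes([i, j])).digest()
                    for j in range(branching)] for i in range(branching)]

    def tag_keys(self, i: int, j: int):
        return self.k[i], self.kk[i][j]

    @staticmethod
    def tag_pseudonym(keys, r: bytes = None):
        """Tag side: pick a fresh r and emit (r, F_{k_i}(r), F_{k_ij}(r))."""
        ki, kij = keys
        r = os.urandom(16) if r is None else r
        return r, prf(ki, r), prf(kij, r)

    def reader_decode(self, pseudonym):
        """Reader side: depth-first search over the tree. Returns ((i, j), prf_calls)."""
        r, t1, t2 = pseudonym
        calls = 0
        for i in range(self.b):
            calls += 1
            if not hmac.compare_digest(prf(self.k[i], r), t1):
                continue                      # wrong group: skip its whole subtree
            for j in range(self.b):
                calls += 1
                if hmac.compare_digest(prf(self.kk[i][j], r), t2):
                    return (i, j), calls
        return None, calls

    def flat_decode(self, pseudonym):
        """"Take #2" baseline: each tag keyed independently with k_ij only, pseudonym
        (r, F_{k_ij}(r)); the reader scans all N keys. Returns ((i, j), prf_calls)."""
        r, t = pseudonym
        calls = 0
        for i in range(self.b):
            for j in range(self.b):
                calls += 1
                if hmac.compare_digest(prf(self.kk[i][j], r), t):
                    return (i, j), calls
        return None, calls


def group_linkable(pseudonym, ki: bytes) -> bool:
    """What someone who extracted k_i from one tag can tell about another sighting:
    whether it belongs to group i (not which tag). Privacy degrades per subtree."""
    r, t1, _ = pseudonym
    return hmac.compare_digest(prf(ki, r), t1)


def demo():
    tree = TreeOfSecrets(branching=4, seed=b"constructed-demo-seed")   # N = 16 tags
    keys = tree.tag_keys(3, 3)                 # last tag: worst case for both decoders
    p1 = tree.tag_pseudonym(keys, r=b"constructed-nonce")
    p2 = tree.tag_pseudonym(keys)              # second sighting, fresh random r
    ident, tree_calls = tree.reader_decode(p1)
    ident2, _ = tree.reader_decode(p2)
    flat_ident, flat_calls = tree.flat_decode((p1[0], p1[2]))
    unlinkable = p1[1:] != p2[1:]              # same tag, different-looking pseudonyms
    return ident, ident2, tree_calls, flat_ident, flat_calls, unlinkable


if __name__ == "__main__":
    print(demo())   # ((3, 3), (3, 3), 8, (3, 3), 16, True)
```

With b = 4 the tree decoder spends at most b + b = 8 PRF calls where the flat scan spends b·b = 16; at the slides' concrete parameters (branching 2^10, depth 2) the same structure gives the 2 · 2^10 reader work listed in the table above.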
Reducing trust in readers
(Figure: the tag sends r, Fki(r), Fkij(r); the reader forwards the pseudonym to a Trusted Center holding ki, kij and a per-tag entry (kij, Policyij); the Trusted Center returns IDij to the reader.)
If readers are online, the Trusted Center can do the decoding for them, and enforce a privacy policy for each tag. No keys stored at the reader => less chance of privacy spills.
Reducing trust: Delegation
(Figure: the Trusted Center, holding (kij, Policyij), hands kij to a designated reader; the reader then decodes r, Fki(r), Fkij(r) from that tag itself and learns IDij.)
For offline or partially disconnected readers, can delegate the power to decode pseudonyms for a single tag to designated readers.
Reader workload: O(D) per pseudonym, where D = # of tags delegated to this reader.
Time-limited delegation
(Figure: the reader asks the Trusted Center for (IDij, L, R) and receives {keys} that are only good for decoding the L-th through R-th pseudonyms from tag IDij; the tag holds ctr, ki, kij.)
Even less trust: Reader gets access to the next 100 pseudonyms from this tag (say), and nothing more.
Enabling time-limited delegation
(Figure: the tag's own subtree below k0 expanded with GGM: k00, k01; k000, k001; k0000, k0001, k0010, k0011, ...)
• Use GGM at lower levels: (ks0, ks1) = G(ks)
• Tag uses leaves sequentially
• Reader gets keys for a subset
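The following is an added example, not code from the slides or from the authors. It works through the time-limited delegation of the last two slides: the tag's key k_ij is the root of a GGM tree, (k_s0, k_s1) = G(k_s), the tag keys its ctr-th pseudonym with leaf ctr, and the Trusted Center hands a reader only the subtree roots whose leaves cover pseudonyms L..R, so that reader can decode exactly those sightings. G and F are instantiated with HMAC-SHA256 (an assumption); the upper tree-of-secrets component F_ki(r) is omitted here to keep the focus on the delegated range, and the tree depth and nonces are constructed demo values.

```python
import hashlib
import hmac
import os


def prf(key: bytes, msg: bytes) -> bytes:
    """F_k(x), instantiated with HMAC-SHA256 (assumption; the slides leave F and G abstract)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def ggm_children(k: bytes):
    """G(k_s) = (k_s0, k_s1): the length-doubling step of the GGM tree, here two HMAC calls."""
    return prf(k, b"\x00"), prf(k, b"\x01")


def walk(root: bytes, prefix: int, plen: int) -> bytes:
    """Key of the node reached from `root` by following the low `plen` bits of `prefix`, MSB first."""
    k = root
    for i in range(plen - 1, -1, -1):
        k = ggm_children(k)[(prefix >> i) & 1]
    return k


def cover(L: int, R: int, depth: int):
    """Minimal set of subtree roots (prefix, prefix_len) whose leaves are exactly L..R inclusive."""
    out = []

    def rec(prefix, plen):
        lo = prefix << (depth - plen)
        hi = lo + (1 << (depth - plen)) - 1
        if hi < L or lo > R:
            return                                  # disjoint from the range
        if L <= lo and hi <= R:
            out.append((prefix, plen))              # fully inside: one key covers it
            return
        rec(prefix << 1, plen + 1)
        rec((prefix << 1) | 1, plen + 1)

    rec(0, 0)
    return out


def delegate(tag_root: bytes, L: int, R: int, depth: int):
    """Trusted Center: give a reader only the subtree keys covering pseudonyms L..R of this tag."""
    return [(p, n, walk(tag_root, p, n)) for p, n in cover(L, R, depth)]


class Tag:
    """Holds its GGM root (k_ij in the slides) and a counter; leaf ctr keys the ctr-th pseudonym."""

    def __init__(self, root: bytes, depth: int):
        self.root, self.depth, self.ctr = root, depth, 0

    def pseudonym(self, r: bytes = None):
        r = os.urandom(16) if r is None else r
        leaf_key = walk(self.root, self.ctr, self.depth)
        self.ctr += 1                      # leaves are used sequentially, never reused
        return r, prf(leaf_key, r)


def delegated_decode(delegation, depth: int, pseudonym):
    """Reader: derive every leaf under its delegated subtrees and test it.
    Returns the pseudonym index, or None if the sighting is outside the delegated window."""
    r, t = pseudonym
    for prefix, plen, k in delegation:
        for sub in range(1 << (depth - plen)):
            if hmac.compare_digest(prf(walk(k, sub, depth - plen), r), t):
                return (prefix << (depth - plen)) | sub
    return None


def demo():
    depth = 4                                          # 16 pseudonyms per tag in this toy tree
    tag_root = hashlib.sha256(b"constructed-demo-k_ij").digest()
    tag = Tag(tag_root, depth)
    delegation = delegate(tag_root, 3, 9, depth)       # reader may decode sightings 3..9
    seen = [tag.pseudonym(b"constructed-nonce-%02d" % n) for n in range(12)]
    return len(delegation), [delegated_decode(delegation, depth, p) for p in seen]


if __name__ == "__main__":
    print(demo())   # (3, [None, None, None, 3, 4, 5, 6, 7, 8, 9, None, None])
```

The window 3..9 is covered by three keys (leaf 3, the subtree for leaves 4..7, and the subtree for leaves 8..9), and because G is one-way the reader cannot climb from those keys to k_ij or to leaves outside the window.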
Conclusions
• Identification systems: an exciting research area
  • Privacy is central
  • Many non-trivial technical challenges, many opportunities for clever solutions
  • There's still time to have an impact on deployments
• Research question: Private identification protocols
  • Tree schemes have useful properties
  • Can we do better? Can we do without persistent state?
• Recent work: Controlling readers with Trusted Computing (to appear at WPES'05)