470 likes | 591 Views
Leonid Boloynyy and Gabriel Robins Department of Computer Science University of Virginia Presented by Jeffery Barton. Physically Unclonable Function-based Security And Privacy In RFID Systems. Outline. Introduction Related Work PUF-Based Tag Identification Algorithm
E N D
Leonid Boloynyy and Gabriel Robins Department of Computer Science University of Virginia Presented by Jeffery Barton Physically Unclonable Function-based Security And Privacy In RFID Systems
Outline • Introduction • Related Work • PUF-Based Tag Identification Algorithm • PUF-Based MAC Protocols • PUF Vs. Digital Hash Functions • Building PUFs • Conclusion
Purpose • What problem are we solving? • Privacy and Security in RFID Systems • Current cryptographic solutions are too expensive • Privacy-preserving tag identification • Secure message authentication codes • Comparisons • Directions for future research Introduction
Introduction A Familiar Subject… • What is RFID? • <Insert last two presentations here> • In general uses radio signals for identity verification • Low-cost Analogous to sensor networks • PICTURE • What is a PUF? • Remember “not easy to find random generator”??
Physically Unclonable Functions • “Random number function that can only be evaluated by a specific instance of the underlying hardware” • Hardware based function • Easy evaluation • Hard characterization • Reliable and unpredictable • What makes it unclonable? Introduction
Unclonability • Physical • Inherent random components • Wire/gate delays, manufacturing variations • Hard to define Even with identical hardware • Challenges mapped to responses = Unpredictable • Mathematical • Hard to compute responses given exactparameters/CRPs • Response = Complex interactions of random components • Modeling with known random values Oodles of computational effort • Combination of the two = extremely unclonable Introduction - PUFs
Related Work • Physical one-Way Functions [16] • Origination – optical PUFs • Controlled Physical Random Functions [7] & Extracting Secret Keys From Integrated Circuits [12] • Silicon prototype • Reliable, can tolerate varying environmental conditions • Variability PUF circuits across multiple chips • Accurate model difficult (w/polynomially-many i/o pairs) • RFID-Tags for Anti-Counterfeiting [17] • Off-line reader authentication algorithm based on PUFs using public key cryptography • Still too much for low-cost RFID tags Related Work
More Related Work • Security and Privacy: Modest Proposals for Low-Cost RFID Systems [15] • Identification/authentication algo based on Silicon Physical Random Functions [8] • No state maintenance/random responses = easy tracking • No access control = easy identification by adversaries • Abundant challenges more ID time/power consumption • Therefore • Only use challenge-response algos for authentication • Send ID to reader first less communication & query more challenges • Tag tracking still possible Related Work
Assumptions • Cannot recover PUF model given polynomial # of i/o pairs • τ is constant and independent of the # of identical responses from other tags • Hardware tampering = new function • Secure against side-channel attacks • Random function Assumptions
PUF-Based Tag Identification Algorithm • Single-use 1-step identification algo to maintain privacy in face of passive adversaries • Pseudonyms and one-time-pads • Privacy-preserving PUF-Based Tag Id Algo
Other Tag ID Algorithms • “Minimalist” approach • Uses readers to generate pseudonyms • Using PUFs requires fewer updates • Hash-chains • Tags must compute 2 expensive cryptographic hash functions • PUF = only 1 PUF-Based Tag Id Algo
Database ID1, p(ID1), p2(ID1), …, pk(ID1) ... IDn, pn(IDn), pn2(IDn), …, pnk(IDn) Authors’ Tag ID Algorithm ID ID • Interrogation by reader response with ID from tag tag updates ID with p(ID) • Back-end keeps list of ID values i.e. • Pseudonyms exhausted new seed ID • Multiple executions and Parallel PUFs • Why? p(ID) Request PUF-Based Tag Id Algo
Multiple Executions & Parallel PUFs • Reason increase reliability of output • Parallel PUFs each produces sub-signature • Sub-signatures contain n PUF compositions • Early invalid results reflect heavily on later compositions • PUF is run several times for each input in each sub-signature • Number of valid sub-signatures must be above a threshold
Multiple Executions • Averages values for greater reliability • R Reliability of last value where: • μ = .02 probability of unreliable value • k = 100 compositions • Nexecutions at each stage • For 1 execution, R= .49 • For 5 executions, R= .992268 PUF-Based Tag Id Algo – Author’s
Parallel PUFs • Tuple response, any one accepted, also increases reliability • S Successful consecutive identifications where: • q tuple size • For q = 2, S ≈ 73 • For q = 3, S ≈ 90 • More PUFs = few gates • One PUF can simulate many • Combination possible PUF-Based Tag Id Algo – Author’s
Tag ID Specific Assumptions and Requirements • No DOS attacks (only passive) • ID not overwritable by adversary w/o altering PUF circuits • Back-end must contain significantly more i/o values than # of tags • PUF must be able to produce many unique IDs • Tags should not yield same outputs • If ID repeats, new ID is sent along with power to perform write operations PUF-Based Tag Id Algo – Author’s
Adversarial Model • Observe reader communication with multiple tags, single out two of them • Randomly select one and runs ID algo • Adversary is successful if they can determine which tag was selected with much greater accuracy than ½ (better than guessing) PUF-Based Tag Id Algo – Author’s
Theorem 3.1 • **Given a random oracle assumption for PUFs, and adversary has no advantage in attempting to compromise a tag’s privacy • Proof sketch: • Observe output of two tags • Obtain next output from one • Adversary cannot determine which tag it came from b/c PUF is assumed to be random PUF-Based Tag Id Algo – Author’s
PUF-Based MAC Protocols • Three-tuple (K, T, V) • K = generation algo generates key used in T and V • T = tagging algo takes input message m and outputs signature σ • V = verification algo verifies signature σ for message m is authentic • Secure if resistant to forgeries • Adversary is successful if they can determine signature from message PUF-Based MAC Protocols
Other MAC Protocols • Various implementations: • Standard cryptographic hash function • Block cipher • One-time signature scheme • list of secrets that are 0 or 1 • Oodles of memory usage • “Minimalistic” approach • Each secret is a single bit • Longer message size and shorter message space PUF-Based MAC Protocols
Authors’ MAC Protocols • PUF acts like a public key: • PUF computation algo (schematic) is known • Private key (PUF’s i/o behavior) remains unknown • Seller possesses a tag, but cannot predict PUF computations • Resistant to forgery even when verifier is offline • Defense against hardware alterations • Physically locating tag’s verification password storage circuitry under PUF’s circuitry/wires • Multiple executions/Parallel PUFs can be used PUF-Based MAC Protocols
Comparisons • Vs. tag authentication • Tag signs/authenticates message instead of reader • Signed message is input, output is signature/MAC • Key used to sign is PUF itself • Vs. standard cryptographic MAC algos • Keys are larger • Physical presence of tag required • Cannot sign arbitrary messages • Back-end computation keeps tag costs down PUF-Based MAC Protocols – Author’s
Components of the Protocol • Key Generation • Verifier creates table of values • Occurs before deployment • Can be disabled/passworded • Large key required for verification w/o tag presence • Tagging algo signs message • Verification algo verifies signature PUF-Based MAC Protocols – Author’s
Key GenerationAlgorithm • Input: Message set M; tag/PUF identifiers set P; # of needed signatures k; # of sub-signatures q for each PUF p ∈ Pdo for i = 1 to |M| do for c = 1 to k · qdo Key[p,mi, c] = {c, pc(mi), . . . , p(n)c(mi)} end end end PUF-Based MAC Protocols – Author’s - Components
Tagging Algorithm • Input: Message m; # of sub-signatures q • Side effect: c = c + q PUF-Based MAC Protocols – Author’s - Components
Verification Algorithm • Input: Key K; PUF p; # of needed signatures k; # of sub-signatures q; allowed number t of incorrect PUF responses; verify that 1 ≤ c ≤ k ∙ q v = 0 for each sub-signature σcdo σ* = K[p, m, c] if σc agrees with σ* in at least n − t terms then v = v + 1 if v ≥ threshold then accept else reject PUF-Based MAC Protocols – Author’s - Components
Large Message Spaces • Signature verification only possible when tag is in range • b/c of size of key • Unique token c (counter) • Substitute for timestamp in passive tags • Natural total ordering • Info leak possible tells state of tag • Multiple executions forgery resistance PUF-Based MAC Protocols – Author’s
Quantifying Auth. Reliability and Forgery Difficulty • probv valid signature detection probability • probf forgery non-recognition probability • τ = .4 PUF1 output = PUF2 output probability • µ = .02 output deviation probability • n = 30 # of responses • t = 3 # of deviations allowed • probv = .997107 • probf = .000313 • Tweak n and t to get better results if necessary PUF-Based MAC Protocols – Author’s – Large Msg Spaces
Theorem 4.1 • Given a random oracle assumption for PUF p, the probability that an adversary can forge a signature σ for a message m is bounded from above by β. • Proof sketch: • To forge a signature: • Find n distinct numbers r1, . . . , rn • Find unused counter value c • Compute correct PUF values pc(ri ,m) for at least n – tof them • p is assumed to be random and c was never inputted into p adversary must rely on the tag(s) in their possession PUF-Based MAC Protocols – Author’s
Small Message Spaces • Outputs can be computed ahead of time • Can verify signature w/o tag’s presence • Tokens generated on tag ≠ random • Counters can be used just like large MS PUF-Based MAC Protocols – Author’s
Theorem 4.2 • Given a random oracle assumption for a PUF p, the probability that an adversary could forge a signature σfor a message m is bounded from above by q · β. • Proof sketch: • Adversary finds next counter value c • PUF is random accurate modeling not possible • Must use other tags for impersonation • Success of forging a sub-signature bounded by β • Success of forging whole signature bounded by q · β PUF-Based MAC Protocols – Author’s
Attacks on MAC Protocols - Impersonation original clone • Manufacture tag duplicate forge signatures • Obtain multiple tags use responses to impersonate • PUF = random duplicating or selecting equivalent tag = improbable (“unclonable”) • Tweaking n and t • Raise valid signature detection probability probv • Lower forgery non-recognition probability probf • Makes impersonation more improbable PUF-Based MAC Protocols - Attacks
Attacks on MAC Protocols - Modeling • Attempt to model PUF using signature/message pairs • PUFs determined by unreliable factors modeling is very difficult • Attempt to measure wire delays • This in itself will alter wire delays • Likely disrupt/damage overlying circuitry • Alters functionality of PUF PUF-Based MAC Protocols - Attacks
Attacks on MAC Protocols – Side-channel • Attempt to learn secret info using timing and power analyses attacks • PUF-based secrets are difficult to represent correctly in digital form • Therefore hard to model PUF-Based MAC Protocols - Attacks
Attacks on MAC Protocols – Hardware Tampering • Attempt to physically probe wires • High risk of altering/destroying PUF’s behavior • Attempt to physically read-off or alter digital key/password • Likely damage overlying wires and alter tag behavior • Detection is possible by precompiling information about tag PUF-Based MAC Protocols - Attacks
algorithm # of gates MD4 MD5 SHA-256 AES Yuksel PUF 7350 8400 10868 3400 1701 545 PUF Vs. Digital Hash Functions • Much less hardware required • Drawbacks to low hardware complexity: • Probabilistic consistency with expected output • Tag copies = similar computational behavior • Back-end must store all challenge/response pairs for each tag PUF Vs. Digital Hash Functions
More Comparisons to DHF • Modeling PUF vs. determining key • Difficult to represent accurately in concise form • Difficult to model random components • More resistant to side-channel attacks/physical tampering • Even with physical measurements, PUF is difficult to duplicate • Reliance upon physical characteristics makes security difficult to guarantee/characterize analytically PUF Vs. Digital Hash Functions
Building PUFs • First prototype of silicon PUF: • Silicon Physical Random Functions • B. Gassend, D. Clarke, M. van Dijk, and S. Devadas • Oscillating counter circuit used to measure intrinsic delays • Slow counting mechanism slowed manufacturing process increased overall cost Building PUFs
More Building of PUFs • Delay values for different challenges tend towards Gaussian distribution • Certain challenges should be avoided • Identical/similar outputs even when signals travel different paths • Filtered out of database at creation • Response reliability is low • More computation rounds • Still risking producing noise Building PUFs
Avoiding Drawbacks • Use sub-threshold voltage techniques to compare gate polarizations • Fast w/o using oscillating counter • Separates PUF values better and avoids highly skewed distributions of responses • Still preserves reliability/unpredictability • Variable non-linear delays can be added to keep modeling difficult Building PUFs
Future Research • Characterization of security of PUFs • Thorough testing of RFID tags with PUFs satisfying current RFID standards • Sub-threshold voltage-based PUFs • Conditional testing environmental and operational • Behavior testing under varying levels of motion, acceleration, vibration, temperature, noise, etc. • τ and μ should be characterized as functions of operational environment Conclusion - Future Research
More Future Research • Adaptations for various applications • Multi-tag regimes • Ownership transfer algos • Tree-based identification protocols • PUFs in readers can be used to combat rogue readers Conclusion - Future Research
Conclusion • Full-fledged cryptographic security mechanisms are too costly for low-cost RFID tags enter PUF approach • Exponential # of keys no key distribution problem • Protects from cloning, even with physical access to tags and circuit schematics • Valuable in access control and authenticity verification • MAC protocols require few hardware resources keeps tag costs down • Comparison to digital counterparts • Possible improvements in PUF design • Outline of future research Conclusion
Questions? Are you still reading these?
GO HOME!! Seriously, go home