490 likes | 634 Views
RFID Security and Privacy. Author: Ari Juels Presenter: Yuliya Kopylova CSCE 790. 1. 2. 3. 4. 5. Roadmap. Background RFID Risks Privacy: Simple Solutions Privacy: More Involved Solutions Authentication: Some Solutions Conclusion. 1. 2. 3. 4. 5. What is RFID?.
E N D
RFID Security and Privacy Author: Ari Juels Presenter: Yuliya Kopylova CSCE 790
1 2 3 4 5 Roadmap • Background • RFID Risks • Privacy: Simple Solutions • Privacy: More Involved Solutions • Authentication: Some Solutions • Conclusion
1 2 3 4 5 What is RFID? • Radio-Frequency Identification Tag Antenna • Sticker containing microchip and antenna • Gains power from wireless signal received from tag reader • Tag-reader communication with range of up to half a meter • Tag returns its unique number and static data Chip
1 2 3 4 5 How Does RFID System Work? • Tags consists of antenna and a microchip • Readers consists of a transmitter, receiver, 1+ antennas • Management system • Communication protocol • Computer Networks EasyToll card #816 Radio signal (contactless) Range: from 3-5 inches to 3 meters 02.3DFEX4.78AF51 Tags (transponders) Attached to objects, “call out” identifying data on a special radio frequency Reader (transceiver) Reads data off the tags without direct contact Database Matches tag IDs to physical objects
1 2 3 4 5 RFID Advantages Barcode RFID Fast, automated scanning (object doesn’t have to leave pocket, shelf or container) • Reading by radio contact • Reader can be anywhere within range • Line-of-sight reading • Reader must be looking at the barcode • Specifies object type • E.g., “I am a pack of Juicy Fruit” • Specifies unique object id • E.g., “I am a pack of Juicy Fruit #86715-A” Can look up this object in the database (provides pointer)
1 2 3 4 5 RFID Tag Power Sources • Passive • inactive until the reader’s interrogation signal “wakes” them up • Cheap, but short range only • Semi-passive • On-board battery, but cannot initiate communication • More expensive, longer range • Active • On-board battery, can initiate communication
1 2 3 4 5 RFID Types • Inductive Coupling • Backscatter (radiative) Coupling
1 2 3 4 5 Closer look
1 2 3 4 5 RFID examples • Pervasive Devices • Low memory, few gates • Low power, no clock, little state • Low computational power • You may own a few. • Billions on the way.
1 2 3 4 5 Current Applications • Public Transport and Ticketing • Access Control • Logistics • Animal identification • Anti-theft system • Real time measurements in sports • Inventory Control in supermarkets • Electronic payments • Industry automation • Medical • Banknotes, casino chips
1 2 3 4 5 Futuristic Applications • “Smart” appliances • Refrigerators that automatically create shopping lists • Closets that tell you what clothes you have available, and search the Web for advice on current styles, etc. • Ovens that know how to cook pre-packaged food • “Smart” products • Clothing, appliances, CDs, etc. tagged for store returns • “Smart” paper • Airline tickets that indicate your location in the airport • Library books • Business cards • Recycling • Plastics that sort themselves
1 2 3 4 5 RFID Risks • Mr. Jones pays with a credit card; his RFID tags now linked to his identity • Mr. Jones attends a political rally; law enforcement scans his RFID tags • Mr. Jones wins Turing Award; physically tracked by paparazzi via RFID
1 2 3 4 5 Why RFID Risks Arise Three technical aspects of today’s RFID tags create potential problems: • They are promiscuous • they talk to any compatible reader. • They are remotely readable: • they can be read at a distance through materials like cardboard, cloth, and plastic. • They are stealthy • not only are the tags inconspicuous, you don't know when they are transmitting information or to whom. In short, the personal information
1 2 3 4 5 Risks: Privacy • Personal privacy • Clandestine inventory and tracking • Unsanctioned readers • Customer profiling • Tracking personal activities (e.g., purchase habits, travel) • Big brother • Illicit or inappropriate use of personal data • Data cross contamination • Inventory tags plus personal info • Corporate espionage • Track your competitor’s inventory • Military espionage • Harvesting RFID communication to make inferences
1 2 3 4 5 Risks: Eavesdropping • Read ranges • nominal read range • max distance at which a normally operating reader can reliably scan tags • rogue scanning range • rogue reader can emit stronger signal and read tags from a larger distance than the nominal range • tag-to-reader eavesdropping range • read-range limitations result from the requirement that the reader powers the tag • however, one reader can power the tag, while another one can monitor its emission (eavesdrop) • reader-to-tag eavesdropping range • readers transmit at much higher power than tags • readers can be eavesdropped form much further • readers may reveal tag specific information
1 2 3 4 5 Risks: Counterfeits • Comes down to authentication • How can be accomplished • Replaying (RF “tape-recorder”) • Tag cloning • Back-engineering • A few examples from real life (easy to break) • Speed passes • Ignition keys • Physical coercion and attack • In 2005, a man in Malaysia had his fingertip cut off by thieves stealing his biometric-enabled Mercedes • What would happen if the VeriChip were used to access ATM machines and secure facilities? • Perhaps it is better then if tags can be cloned and are not used for authentication—only for identification
1 2 3 4 5 RFID capabilities • Little power • Receives power from reader • Range a few meters • Little memory • Static 64-to-128-bit identifier • Hundreds of bits soon • Little computational power • A few thousand gates • No cryptographic functions available • Static keys for read/write permission • In terms of computational power can be divided into • BASIC tags • SYMMETRIC KEY tags
1 2 3 4 5 Privacy protection approaches • standard tags • jamming • “kill” command • “sleep” command • Renaming • Blocking • crypto enabled tags • synchronization approach • hash chain based approach • tree-approach
1 2 3 4 5 Easiest solution • Keep it close to your body • Liquids are not penetrable by microwave frequencies • Faraday cage • Container made of foil or metal mesh, impenetrable by radio signals of certain frequencies • Shoplifters are already known to use foil-lined bags • Maybe works for a wallet, but huge hassle in general • Active jamming • Disables all RFID, including legitimate applications • All kinds of the above protections can be purchased now days • protective sleevers for passports, wallets, ids, etc.
1 2 3 4 5 Dead tags tell no tales • Idea: permanently disable tags with a special “kill” command • part of the EPC specification • Advantages: • Simple and effective • Disadvantages: • eliminates all post-purchase benefits of RFID for the consumer and for society • no return of items without receipt • no smart house-hold appliances • cannot be applied in some applications • library, e-passports, banknotes • Similar approaches: • put RFID tags into price tags or packaging which are removed and discarded
1 2 3 4 5 Don’t kill the tag, put it to sleep • Idea: instead of killing the tag put it in sleep mode • tag can be re-activated if needed • Advantages: • Simple • effective • Disadvantages: • difficult to manage in practice • tag re-activation must be password protected • how the consumers will manage hundreds of passwords for their tags? • passwords can be printed on tags, but then they need to be scanned optically or typed in by the consumer
1 2 3 4 5 Partial destruction • Renaming • In simplest case renaming to gibberish • No intrinsic meaning • Still can be tracked • Backscatter from antennas • Hypothesize manufacturer type may be learnable • Do tags possess uniquely detectable RF fingerprints? (Device signatures a staple of electronic warfare) • Relabelings • Retain only product ID for later use • Destroy unique ID at the time of purchase • Splitting identifiers across two tags • Peel off one at time of purchase
1 2 3 4 5 Distance Measuring • Signal-to-noise ratio of the reader signal in an RFID system provides a rough metric of the distance between a reader and a tag. • With some additional, low-cost circuitry a tag might achieve rough measurement of the distance of an interrogating reader. • Distance can serve as a metric for trust. • Release general information (“I am attached to a bottle of water”) when scanned at a distance • Release more specific information (ID), only at close range.
1 2 3 4 5 Proxying • Proxying • Consumers carry their own privacy-enforcing devices (Higher-powered intermediaries like mobile phones) • Watch dog • Observer observing the observer: monitor if someone scans you • Selectively jams tag replies as needed • RFID guardian • Talk to the guardian first • Communication is released through a fortified intermediate
Please show reader certificate and privileges 1 2 3 4 5 Proxying • Problems • Change of ownership: how to release control • Impersonating the guardian itself • Cannot suppress tag replies entirely, only jam • Cannot suppress reader commands
1 2 3 4 5 Renaming • Idea: avoid using real Ids, change Identifiers across the reads • get rid of fixed names (identifiers). Pseudonyms stored on tag (limited storage, i.e. 10 or so), tag cycles through pseudonyms • use random pseudonyms and change them frequently • Requirements: • only authorized readers should be able to determine the real identifier behind a pseudonym • standard tags cannot perform computations -> next pseudonym to be used must be set by an authorized reader • A possible implementation • pseudonym = {R|ID}K • R is a random number • K is a key shared by all authorized readers • authorized readers can decrypt pseudonyms and determine real ID • authorized readers can generate new pseudonyms • for unauthorized readers, pseudonyms look like random bit strings • Potential problems • tracking is still possible between two renaming operations • if someone can eavesdrop during the renaming operation, then she may be able to link the new pseudonym to the old one • no reader authentication -> rogue reader can overwrite pseudonyms in tags (tags will be erroneously identified by authorized readers)
Random Bits No Connect V 1 2 3 4 5 Example of RNG The voltage signal is amplified, disturbed, stretched, and sampled, resulting in random bits.
1 2 3 4 5 Renaming (re-encryption) • A public key based implementation: • El Gamal scheme: • Inputs are ciphertexts • Outputs are a re-encryption of the inputs. • Anyone can encrypt without the public key E • Those who know the secret key D can also decrypt messages encrypted with different keys are indistinguishable
1 2 3 4 5 Renaming (re-encryption) • El Gamal Encryption Parameters • Public parameters: • q is a prime • p = 2kq+1 is a prime • g generator of Gp, i.e. efficient description of a cyclic group of order q with generator g (I know only one generator which is relatively prime) • Secret key of RFID tag: x (where 0 < x < q) • Public key of RFID tag : y = gx mod p • Encryption for message (plaintext) m • Pick a number k randomly from [0…q-1] • Compute a = yk .m mod p and b = gk mod p • Output (a,b)
1 2 3 4 5 Renaming (re-encryption) • Decryption • Compute m as a / bx (= yk. m/ (gk)x = gxk. m/ gkx = m) • One can re-encrypt a ciphertext (a, b) without decryption:Input: a ciphertext (a,b) and public key y • Pick a number a randomly from [0…q-1] • Compute a’ = ya . a mod p and b’ = ga . b mod p • Output (a’, b’) • Same decryption technique • Compute m a’ / b’x (= yk. ya. m/ (gk . ga ) x = gx (k+a). m/ gx (k+a) = m) • Properties: • new tag pseudonyms can be computed by readers that know the public key • real tag ID can be computed only by readers that know the private key • Semantic security: Cannot distinguish between C = EPK,r [Alice] and C’ = EPK,r’ [Bob] • An attacker who intercepts C and C’ cannot tell if they come from the same chip, that is the attacker cannot identify or track Alice
1 2 3 4 5 Blocking • When the reader sends a signal, more than one RFID tag may respond: this is a collision • typical commercial application, such as scanning a bag of groceries, potentially hundreds of tags might be within range of the reader. • Reader must engage in a special singulation protocol to talk to each tag separately • Singulation is used by an RFID reader only when necessary to identify a specific tag (and its ID) from a number of tags in the field • Tree-walking is a common singulation method • Used by 915 Mhz tags, the most common type in the U.S. • Slotted aloha is used for LF tags
1 2 3 4 5 Anti-collision • "Tree Walking" • Recursive depth-first search • Requirement: Reader is able to detect bit position of a collision • Example: 1 Reader, 3 Transponder, 3-bit ID • Example: 1 Reader, 3 Transponder, 3-bit ID • Synchronized by reader • Example: 1 Reader, 5 Tags, 8-bit ID
1 2 3 4 5 Tree Walking prefix=0 prefix=1 Reader broadcasts current prefix Each tag with this prefix responds with its next bit prefix=00 prefix=01 prefix=10 prefix=11 If responses don’t collide, reader adds 1 bit to current prefix, otherwise tries both possibilities 000 001 010 011 100 101 110 111 Every tag has a k-bit identifier This takes O(k number of tags)
1 2 3 4 5 Tree-Walking • Tree-walking” protocol for identifying tags recursively asks question: • “What is your next bit?” • Something along the lines of: “Will all tags with 1 as their first digit raise their hand”. “Will all tags with 1 as their first digit, and 0 as their second....” • Blocker tag always says both ‘0’ and ‘1’! • Makes it seem like all possible tags are present by making an RFID tag misbehave, and answers yes to every question.
1 2 3 4 5 Blocker Tag • A form of jamming: broadcast both “0” and “1” in response to any request from an RFID reader • Guarantees collision no matter what tags are present • To talk to a tag, reader must traverse every tree path • With 128-bit IDs, reader must try 2128 values – infeasible! • To prevent illegitimate blocking, make blocker tag selective (block only certain ID ranges) • Blocker tag can be selective:
Blocker Tag • privacy zone • tree is divided into two zones • privacy zone: all IDs starting with 1 • upon purchase of a product, its tag is transferred into the privacy zone by setting the leading bit • the blocker tag • when the prefix in the reader’s query starts with 1, it simulates a collision • when the blocker tag is not present, everything works normally • Alternative: polite blocking (notify the reader)
1 2 3 4 5 Hash Locks • Locked tag transmit only metaID • Similar to the proximity approach • Unlocked tag can do all operations • Locking mechanism: • Reader R selects a nonce and computes metaID = hash(key) • R writes metaID to tag T • T enters locked state • R stores the pair (metaID, key). • Unlocking • Reader R queries tag T for its metaID • R looks up (metaID, key) • R sends key to T • If (hash(key) == metaID), T unlocks itself
1 2 3 4 5 Hash locks • Cheap to implement on tags: • A hash function and storage for metaID. • Security based on hardness of hash. • Hash output has nice random properties. • Low key look-up overhead. • Tags respond predictably; allows tracking. • Motivates randomization. • Requires reader to know all keys
“Who are you?” R, hash(R,IDk) “You must be IDk” 1 2 3 4 5 Randomized Hash Locks Goal: authenticate reader to the RFID tag Reader RFID tag Generate random R Compute hash(R,IDi) for every known IDi and compare Stores its own IDk Stores all IDs: ID1, … ,IDn
1 2 3 4 5 Randomized Hash Locks • Tag must store hash implementation and pseudo-random number generator • Low-cost RNGs exist; can use physical randomness • Secure against tracking because tag response is different each time • Reader must perform brute-force ID search • Effectively, reader must stage a mini-dictionary attack to unlock the tag • Alternative: better searching • Tree approach • Synchronization approach
1 2 3 4 5 Avoiding brute force synch • c is a counter, H and G are one-way hash functions • reader maintains • synchronized state with tags • operation of tag: • state is si • when queried, the tag responds with the current pseudonym pi=G(si) and computes its new state si+1 = H(si) • operation of the reader: • reader must approximately know the current counter value of each tag • for each tag, it maintains a table with the most likely current counters and corresponding pseudonyms • Operation of the reader • when a tag responds with a pseudonym p, it finds p in any of its tables, identifies the tag, and updates the table corresponding to the tag • one-wayness of the hash ensures that current counter value cannot be computed from observed pseudonym
1 2 3 4 5 Avoiding brute force (tree of secrets) • Tag == leaf of the tree. • Each tag receives the keys on path from leaf to the root. • Tag ij generates pseudonyms as (Key1(r), Key2(r), …, Fkij (r)). • Reader can decode pseudonym using a depth-first search. • In the worst case, the reader searches through db keys, where d is the depth of the tree, and b is the branching factor • compare this to bd, which is the total number of tags
1 2 3 4 5 Authentication Workarounds • No explicit counterfeiting measures whatsoever • Possible solutions: • Repurpose the kill function for limited counterfeit • Yoking • cryptographic proof that two tags have been scanned simultaneously and evidence (although not proof) that the tags were scanned in physical proximity to one another. • Usable only in certain circumstances (pharmacy, aircraft safety) • Physical markers • Similar to explosive markers • Special dyes and packaging
1 2 3 4 5 HB Protocol • Created by Nicholas Hopper and Manuel Blum as a tool for secure authentication and identification of unassisted humans to computers. • Juels and Weis realized that this protocol was actually a natural protocol for the authentication of RFID tags to readers. • The security of the HB Protocol is based on the underlining hardness of the Learning Parity with Noise (LPN) problem.
1 2 3 4 5 HB Protocol Definitions • The secret x is a k length binary string (tag ID). • The tag needs to prove to the reader that it knows one of the S's on the reader's list of acceptable secrets. • The tag only has one secret, but the reader generally has many. • A query q is also a k length binary string. • Produced by the reader. • One query is produced for each iteration of the protocol • Epsilon is a probability, ranging from 0 to Ѕ that the response calculated by the tag will be flipped • if the correct response was 1, the tag will send back 0, and vice versa. • Nu equals 1 with probability epsilon. • Delta is an error factor, • ranges from 0 to Ѕ • defines how close the tag's actual flipping of responses must be to epsilon in order to be accepted.
k-bit random value a (ax)v 1 2 3 4 5 Crypto RFID: authentication (HB Protocol) Goal: authenticate RFID tag to the reader Reader RFID tag Generate random v: 1 with prob. , else 0 Response correct if it is equal to (ax) chance that response is incorrect Knows secret x; parameter Knows secret x; parameter repeat r times RFID tag is authenticated if fewer than r responses are incorrect
k-bit random value a blinding value b (ax)(by)v 1 2 3 4 5 Crypto RFID: authentication (HB+ Protocol) Goal: authenticate RFID tag to the reader Reader RFID tag Generate random v: 1 with prob. , else 0 Response correct if it is equal to (ax)(by) Knows secrets x,y; parameter Knows secrets x,y; parameter repeat r times RFID tag is authenticated if fewer than r responses are incorrect
Wrapping it up • Some basic trends are apparent: • Pressure to build a smaller, cheaper tags without cryptography • reverse-engineering a cheap RFID tag unlikely to be hard… • Urgent need for cheaper hardware for primitives • “Security through obscurity” doesn’t work • Simple static identifiers are the most naïve • How about encrypting ID? • How about creating new static identifiers, i.e., “meta-ID” • How about a law-enforcement access key? • Tag-specific keys require initial release of identity • Universal keys subject to interception • Special properties: • RFID tags are close and personal giving privacy a special dimension • RFID tags change ownership frequently • Key management will be a major problem • Think for a moment after this talk about distribution of kill passwords… • Are there good hardware approaches to key distribution, e.g., proximity as measure of trust • Some privacy is clearly better than for naive approaches
Future Work Find New and Improve Existing Algorithms Authentication algorithms with human protocols Tag identification with delegation, ownership transfer Efficient cloning-resistant identification algorithms New and emerging problems