370 likes | 540 Views
New Directions in Detection, Security and Privacy for RFID. Leonid Bolotnyy and Gabriel Robins Department of Computer Science, UVa. Thesis.
E N D
New Directions in Detection, Security and Privacy for RFID Leonid Bolotnyy and Gabriel Robins Department of Computer Science, UVa
Thesis Multi-tags, “yoking-proofs”, and physical unclonable functions can improve reliability, security, and privacy in radio frequency identification (RFID) systems.
Progress • L. Bolotnyy and G. Robins, Multi-Tag Radio Frequency Identification Systems, IEEE Workshop on Automatic Identification Advanced Technologies (AutoID), pp. 83-88, 2005 • L. Bolotnyy and G. Robins, Randomized Pseudo-Random Function Tree Walking Algorithm for Secure Radio Frequency Identification, IEEE Workshop on Automatic Identification Advanced Technologies (AutoID), pp. 43-48, 2005 • L. Bolotnyy and G. Robins, Generalized ‘Yoking-Proofs’ for a Group of RFID Tags, IEEE International Conference on Mobile and Ubiquitous Systems (Mobiquitous), 2006 • L. Bolotnyy and G. Robins, PUF-Based Security and Privacy in RFID Systems, IEEE International Conference on Pervasive Computing (PerCom), 2007 • Several additional papers in progress • NSF Cyber Trust proposal (submitted January 2007) • Deutsche Telekom (largest in EU) offered to patent our multi-tags idea
passive semi-passive active signal signal Reader antenna Reader antenna Inductive coupling Backscatter coupling Introduction • RFID • Tags types: • Frequencies: Low (125KHz), High (13.56MHz), UHF (915MHz) • Coupling methods:
Radar invented - 1935 • EAS invented - early 1960’s • First RFID patent filed - 1973 • First RFID book published - 1999 • Auto-ID Center formed - 1999 • EPCglobal formed - 2004 • First RFID game marketed - 2006 History
Thesis Proposal • Improve tag detection • Improve security and privacy Auditing algorithms for RFID “Yoking-Proofs” Inter-tag communication Definition of privacy PUF-based security Algorithms PUF design
Why Multi-Tag RFID? • Bar-codes vs. RFID • line-of-sight • scanning rate • Unreliability of tag detection • radio noise is ubiquitous • liquids and metals are opaque to RF • milk, water, juice • metal-foil wrappers • Wal-Mart experiments (2005) • 90% tag detection at case level • 95% detection on conveyor belts • 66% detection of individual items inside fully loaded pallets • Our preliminary experiments support data above
B-field • Optimal Tag Placement: 4 β 3 2 1 The Power of an Angle • Inductive coupling: voltage ~ sin(β), distance ~ (power)1/6 • Far-field propagation: voltage ~ sin2(β), distance ~ (power)1/2
Benefits and Costs of Multi-Tags • PROS • increases expected induced voltage on tag • increases operational range of system • increases memory per object • improves availability • improves reliability • improves durability • provides potential security enhancement • new applications • CONS • increases system cost • modestly complicates manufacturing • potentially increases tags’ interrogation time
Experimental Apparatus and Experiments with Multi-Tags • Equipment • Experiments • Measure detection of ~20 multi-tagged objects • With/without metals and liquids • Rotate multi-tagged object mixes • 1, 2, 3, & 4 tags per object • Vary tag, reader, and antenna types • Vary distances, geometry, power • Multi-tags vs. multiple readers
2 Readers, 2 Tags 86.6% 1 Reader, 2 Tags 82.6% 1 Reader, 1 Tag 57.8% 2 Readers, 1 Tag 63.9% Δ= 4.0% Δ=22.7% Δ=18.7% Δ= 6.1% Δ=24.8% Preliminary Experimental Results 1 0.9 0.8 0.7 0.6 Average Detection Probability 0.5 0.4 0.3 0.2 0.1 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 Object Number
privacy Security and Privacy in RFID • Privacy A B C Alice was here: A, B, C
σ (m) m Security and Privacy in RFID • Privacy: difficult to track tags • Security • Secure Identification f(r, ID) f(c) • Tag Authentication c • Message Authentication • Ownership Transfer • Auditing
“Yoking-Proofs” • Yoking: joining together / simultaneous presence of multiple tags • Key Observation: Passive tags can communicate with each other through reader • Problem Statement: Generate proof that a group of passive tags were identified nearly-simultaneously • Applications – verify that: • medicine bottle sold together with instructions • tools sold together with safety devices • matching parts were delivered together • several forms of ID were presented • a group of people was present at a meeting
Assumptions and Goals • Assumptions • Tags are passive • Tags have limited computational abilities • Tags can compute a keyed hash function • Tags can maintain some state • Verifier is trusted and powerful • Solution Goals • Allow readers to be adversarial • Make valid proofs improbable to forge • Allow verifier to verify proofs off-line • Detect replays of valid proofs • Timer on-board a tag • FCC regulations: protocol termination < 400ms • Capacitor discharge can implement timeout
Generalized “Yoking-Proof” Protocol Idea: construct a chain of mutually dependent MACs 1 2 3 5 4 Anonymous Yoking: tags keep their identities private Speedup yoking protocols by splitting chain into arcs
Inter-Tag Communication in RFID • Idea: heterogeneity in ubiquitous computing • “Yoking proofs” • Battery-less sensing • Tags as mailboxes • Tags as proxies • Location access control • Tags partitioned into groups • Group leader in charge of authentication and access control • Subordinate reader-tag authentication
PUF-Based Security and Privacy • Digital crypto implementations require 1000’s of gates • Low-cost alternatives • Pseudonyms / one-time pads • Low complexity / power hash function designs • Hardware-based solutions • Definition of privacy that incorporates hardware attacks • PUF definition • Security is based on: • wire delays • gate delays • quantum mechanical fluctuations • PUF characteristics • uniqueness • reliability • unpredictability
Identification Sequence: ID, p(ID), …, pk(ID) • It is important to have • a reliable PUF • no loops in PUF chains • no identical PUF outputs • no impersonation attacks • Authentication Pairs: c1, p(c1), c2, p(c2), ..., cn, p(cn) • MAC based on PUF • Motivation: “yoking-proofs”, signing sensor data • large keys • cannot support arbitrary messages • Verify that at least the desired fraction of challenge-response pairs is correct • Large message set • Small message set PUF-Based Algorithms
PUF-Based Ownership Transfer • Ownership Transfer • To maintain privacy we need • ownership privacy • forward privacy • Physical security is especially important • Solutions • public key cryptography • knowledge of owners sequence • trusted authority • short period of privacy
algorithm # of gates MD4 MD5 SHA-256 AES Yuksel PUF 7350 8400 10868 3400 1701 545 Comparison of PUF With Digital Hash Functions • Reference PUF: 545 gates for 64-bit input • 6 to 8 gates for each input bit • 33 gates to measure the delay • Low gate count of PUF has a cost • probabilistic outputs • difficult to characterize analytically • non-unique computation • extra storage • Different attack target for adversaries • model building rather than key discovery • Physical security • hard to break tag and remain undetected
PUF Design • Attacks on PUF • impersonation • modeling • hardware tampering • side-channel • Weaknesses of existing PUF reliability • New PUF design • no oscillating circuit • sub-threshold voltage • Compare different non-linear delay approaches
Conclusion and Research Plan • Contributions • Multi-Tags • tag objects with multiple tags to improve detection • Security and Privacy • Yoking proofs • Inter-tag communication • Hardware-based security • PUFs • Plan for the next 5 months • finish multi-tag experiments • define privacy w.r.t. physical attacks • design / evaluate improved PUF circuits • publish more papers
Bolotnyy and Robins, Multi-Tag Radio Frequency Identification Systems,IEEE Workshop on Automatic Identification Advanced Technologies (AutoID), pp. 83-88, 2005 • Bolotnyy and Robins, Randomized Tree Walking Algorithm for Secure RFID, IEEE Workshop on Automatic Identification Advanced Technologies (AutoID), pp. 43-48, 2005 • Bolotnyy and Robins, Generalized ‘Yoking-Proofs’ for a Group of RFID Tags, IEEE International Conference on Mobile and Ubiquitous Systems (Mobiquitous), 2006 • Bolotnyy and Robins, PUF-Based Security and Privacy in RFID Systems, IEEE International Conference on Pervasive Computing (PerCom), 2007
Related Work on Multi-Tags • Two-antennas per tag to determine location • Four tags per object to determine movement direction • Multiple tags to increase reliability (for visually impaired) • Random placement of two tags on playing cards • Splitting tag ID into Class ID and Pure ID • Up to three tags to determine object-person interaction
Redundant Tags • Complimentary Tags • Dual-Tags • Own Memory Only • Shared Memory Only • Own and Shared Memory • Triple-Tags • n-Tags Types of Multi-Tags
Effects of Multi-Tags on Anti-Collision Algorithms Algorithm Redundant Tags Dual-Tags *If Dual-Tags communicate to form a single response **Assuming an object is tagged with two tags
Related Work on “Yoking-Proofs” • Juels [2004] • protocol is limited to two tags • no timely timer update (minor/crucial omission) • Saito and Sakurai [2005] • solution relies on timestamps generated by trusted database • violates original problem statement • one tag is assumed to be more powerful than the others • vulnerable to “future timestamp” attack • Piramuthu [2006] • discusses inapplicable replay-attack problem of Juels’ protocol • independently observes the problem with Saito/Sakurai protocol • proposed fix only works for a pair of tags • violates original problem statement
Speeding Up The Yoking Protocol Idea: split cycle into several sequences of dependent MACs starting / closing tags Requires • multiple readers or multiple antennas • anti-collision protocol
Related Work on PUF • Optical PUF [Ravikanth 2001] • Silicon PUF [Gassend et al 2002] • design, implementation, simulation, manufacturing • authentication algorithm • controlled PUF • PUF in RFID • off-line reader authentication using public key cryptography [Tuyls et al 2006]
GetID probv(n) ID GetResponse(c1) n n i μi(1-μ)n-i probv = 1 -∑ p(c1) i=t+1 . . . probf(n) GetResponse(cn) p(cn) n n j τj(1- τ)n-j probf = 1 -∑ j=t+1 α < probv ≤ 1 and probf ≤ β ≤ 1 0 ≤ t ≤ n-1 PUF-Based Authentication Reader Tag
PUF-Based Identification Algorithm • Tag stores its identifier: ID • Database stores: ID, p(ID), …, pk(ID) • Upon reader’s query, the tag • responds with p(ID) • updates its ID with p(ID) • It is important to have • a reliable PUF • no loops in PUF chains • no identical PUF outputs • Assumptions • passive adversaries (otherwise, denial of service possible) • physical compromise of tags not possible • reliable PUF
valid signature σ: υ (M, σ) = 1 K • forged signature σ’ : υ (M’, σ’) = 1, M = M’ K • Large message set σ (m) =c, r1, ..., rn, pc(r1, m), ..., pc(rn, m) • Small message set σ (m) =c, pc(1)(m), ..., pc(n)(m), ..., c+q-1, pc+q-1(1)(m), pc+q-1(n)(m) PUF-Based MAC Algorithms • MAC = (K, τ, υ) • Need to protect against replay attacks • MAC based on PUF • large keys • cannot support arbitrary messages • Motivational example: buyer/seller
s1,2 s2,4 s2,5 s3,8 s3,9 s3,10 Using PUF to Detect and Restore Privacy of Compromised System s1,0 s1,1 s2,0 s2,1 s2,2 s2,3 s3,0 s3,1 s3,2 s3,3 s3,4 s3,5 s3,6 s3,7 • Detect potential tag compromise • Update secrets of affected tags