
RFID SECURITY


myron

Presentation Transcript


  1. RFID SECURITY

  2. How Does RFID Work?
     • Tags (transponders): attached to objects, call out their (unique) name and/or static data on a special radio frequency
     • Radio signal (contactless). Range: from 3-5 inches to 3 yards
     • Reader (transceiver): reads data off the tags without direct contact
     • Database: matches tag IDs to physical objects
     • Diagram labels: 02.3DFEX4.78AF51, EasyToll card #816

  3. Asymmetric channels
     • Range of Reader (Forward Channel): ~100 m
     • Tag’s Range (Backward Channel): ~5 m
     • Diagram labels: READER, TAG, EAVESDROPPER

  4. Applications
     • Tracking/Identification
     • Library Books
     • Children
     • Pets
     • Auto Parts
     • Inventory management in a Supply Chain
     • Contactless Smart Cards

  5. A Generic Supply Chain
     • Supply web (retail customers not shown): Retailers, Wholesalers, Manufacturers, Suppliers
     • Flows between them: goods, invoices; purchase orders, payments

  6. Key Decisions
     • When to order
     • How much to order
        • As order quantity increases, holding cost increases
        • As order quantity decreases, stockout cost increases
     • From whom to order

  7. The Problem - Motivation
     • Basic problem with RFID tags
        • Can be remotely scanned
        • Respond to query by any reader
        • This leads to security and privacy risk
     • Resource constraints
        • Limited power and computing resources
        • Hence classical cryptographic mechanisms not feasible
     • The RFID security challenge
        • How to obtain maximum security with almost no resources?

  8. The Problems of Privacy and Security
     • RFID privacy concerns the problem of misbehaving readers harvesting information from well-behaving tags. Risks:
        • Leakage of personal information (prescriptions, brand/size of clothes etc.)
        • Location privacy: tracking the physical location of individuals by their RFID tags
     • RFID authentication concerns the problem of well-behaving readers receiving information from misbehaving tags, particularly counterfeit ones. Risks:
        • Forgery
        • Sabotage

  9. Cost and capability
     • The strength and flavor of proposed security solutions will depend on the allowed tag cost for different applications
     • 50+ cent tags. Low-end tags will be 10 cent, 5 cent and 2 cent in about 5 years

  10. Challenge
     • Tens of research ideas have been proposed in the past two years
     • Propose improvements over the existing privacy-enhancing protocols for the extremely resource-constrained RFID systems

  11. Security Attacks
     • Spoofing
        • Imitating the behavior of a genuine tag
     • Denial of Service
     • Man in the middle attack
        • Modify the response of the tag to the reader or vice versa
     • Replay Attack
        • Eavesdrop message from the tag (reader) and re-transmit the message to the legitimate reader (tag)
     • Traffic Analysis
        • Monitoring of communication between reader and tag allows the adversary to perform traffic analysis and generate statistical data

  12. Security and Privacy Requirements
     • Anonymity
        • Tag output should not give any idea about the ID
     • Untraceability
        • Tag output should be varying
     • Indistinguishability
        • Tag output should be truly random, i.e. variation should not be predictable
     • Forward Security
        • Adversary should not be able to associate the current output with past output
     • Mutual Authentication
        • Tag-to-reader and reader-to-tag authentication

  13. Backend Requirements
     • Efficiency and scalability
        • Order of computation/precomputation required as a function of number of tags
     • Flexibility
        • Changes required with addition/removal of tags

  14. Hash Lock [Rivest, Weis, Sharma, Engels]
     Goal: Authenticate reader to the RFID tag
     • Reader: stores key; hash(key) for any tag. Unique key for each tag
     • RFID tag: stores metaID=hash(key)
     • Exchange:
        • Reader to tag: “Who are you?”
        • Tag to reader: metaID
        • Reader to tag: key
        • Tag: compute hash(key) and compare with stored metaID
        • Tag to reader: “My real ID is…”

  15. Hash Lock Analysis
     PROS
     • Relatively cheap to implement: tag has to store hash function implementation and metaID
     • Security based on weak collision-resistance of hash function
     • Scalable due to low key look-up overhead
     CONS
     • Constant tag output – enables traceability
        • Motivates Randomization
     • Too many messages/rounds
     • Requires reader to know all keys

  16. Randomized Hash Lock [Weis et al.]
     Goal: Authenticate reader to the RFID tag
     • Reader: stores all IDs: ID1, … ,IDn
     • RFID tag: stores its own IDk
     • Exchange:
        • Reader to tag: “Who are you?”
        • Tag: generate random R
        • Tag to reader: R, hash(R,IDk)
        • Reader: compute hash(R,IDi) for every known IDi and compare
        • Reader to tag: “You must be IDk”

  17. Randomized Hash Lock Analysis
     PROS
     • Randomized response prevents tracking
     • Tag needs to store hash implementation and pseudo-random number generator
     CONS
     • Inefficient brute force key look-up
     • No Forward security
        • Motivates updating tag ID on each read
     • Security Flaw - Adversary can impersonate tag by learning a valid tag response

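  18. OSK Scheme [Ohkubo, Suzuki and Kinoshita]
     Goal: Enable reader to identify the RFID tag, change tag identifier on each read
     • Parties: Database, Reader, Tag
     • Reader to tag: Query
     • Tag to reader: A_i=G(S_i)
     • Tag: update S_{i+1}=H(S_i)
     • Reader to database: A_i=G(S_i)
     • Database: compute hash chain
     • Database to reader: Tag ID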

  19. OSK Analysis
     PROS
     • Different random-like values on every read operation prevent tracking
     • Forward Security ensured due to one-way hash property
     • Tag needs to store only 2 hash implementations, hence low cost
     • Minimal number of transmissions
     CONS
     • Not scalable for large scale applications due to brute force search
        • Motivates reducing computation time at reader/backend
     • Susceptible to DoS attacks
     • May lead to problems due to hash collisions

  20. Summary
     • RFIDs have many useful applications related to tracking and identification
     • But there are some important issues of security and privacy
     • Small number of gates for S/P makes the design of such protocols challenging
     • Tens of schemes proposed for security/privacy but subtle drawbacks with many of them. Much more work needed in this area
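The two hash-lock schemes of slides 14 to 17, as an added example that is not part of the original presentation: it shows the constant metaID that makes the plain hash lock traceable, the randomized response with its brute-force look-up, and the replayed response that the randomized scheme still accepts. SHA-256, the class and function names and the sample tag IDs are assumptions made for the illustration.

```python
import hashlib
import secrets

def h(*parts: bytes) -> bytes:
    """Stand-in hash: SHA-256 is an assumption, the slides name no function."""
    digest = hashlib.sha256()
    for p in parts:
        digest.update(len(p).to_bytes(2, "big") + p)  # length-prefix each part
    return digest.digest()

class HashLockTag:
    """Slide 14: tag stores metaID = hash(key) and unlocks on the right key."""
    def __init__(self, tag_id: bytes, key: bytes):
        self._id, self.meta_id = tag_id, h(key)
    def query(self) -> bytes:
        return self.meta_id  # same bytes for every reader, every time
    def unlock(self, key: bytes):
        return self._id if h(key) == self.meta_id else None

class RandomizedTag:
    """Slide 16: tag answers (R, hash(R, IDk)) with a fresh random R."""
    def __init__(self, tag_id: bytes):
        self._id = tag_id
    def query(self):
        r = secrets.token_bytes(8)
        return r, h(r, self._id)

def backend_identify(known_ids, response):
    """Reader side of slide 16: try hash(R, IDi) for every known IDi."""
    r, digest = response
    for candidate in known_ids:
        if secrets.compare_digest(h(r, candidate), digest):
            return candidate
    return None

def demo_hash_locks():
    ids = [b"tag-%03d" % i for i in range(100)]  # constructed sample IDs
    key = secrets.token_bytes(16)
    lock, rnd = HashLockTag(ids[7], key), RandomizedTag(ids[7])
    first, second = rnd.query(), rnd.query()
    recorded = first  # what an eavesdropper captured from one read
    return {
        "hash_lock_linkable": lock.query() == lock.query(),   # traceable
        "hash_lock_unlocks": lock.unlock(key) == ids[7],
        "randomized_linkable": first == second,                # not traceable
        "identified": backend_identify(ids, first),
        "replay_accepted": backend_identify(ids, recorded) == ids[7],
    }
```

The reader cannot tell the recorded pair from a live one because it never contributes a challenge of its own, which is the flaw slide 17 lists.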
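The OSK scheme of slides 18 and 19, as an added example that is not part of the original presentation: the tag outputs A_i=G(S_i) and updates S_{i+1}=H(S_i), while the backend walks every tag's hash chain to find a match. It also shows the search cost and the denial of service that slide 19 lists. Building G and H from SHA-256 with different prefixes, the chain limit of 20, the class names and the seeds are assumptions made for the illustration.

```python
import hashlib

def H(state: bytes) -> bytes:
    """State-update hash (assumed: SHA-256 with an 'H' prefix)."""
    return hashlib.sha256(b"H" + state).digest()

def G(state: bytes) -> bytes:
    """Output hash (assumed: SHA-256 with a 'G' prefix)."""
    return hashlib.sha256(b"G" + state).digest()

class OSKTag:
    def __init__(self, seed: bytes):
        self.state = seed
    def respond(self) -> bytes:
        out = G(self.state)          # A_i = G(S_i)
        self.state = H(self.state)   # S_{i+1} = H(S_i); S_i is discarded
        return out

class Backend:
    """Keeps each tag's initial secret and searches chains up to max_chain."""
    def __init__(self, seeds: dict, max_chain: int):
        self.seeds, self.max_chain, self.tested = seeds, max_chain, 0
    def identify(self, answer: bytes):
        for tag_id, state in self.seeds.items():
            for _ in range(self.max_chain):
                self.tested += 1     # one candidate G(S) per chain position
                if G(state) == answer:
                    return tag_id
                state = H(state)
        return None

def demo_osk():
    # Constructed, deterministic seeds; a deployment would use random secrets.
    seeds = {i: hashlib.sha256(b"seed-%d" % i).digest() for i in range(50)}
    tag, backend = OSKTag(seeds[49]), Backend(seeds, max_chain=20)
    outputs = [tag.respond() for _ in range(3)]
    found = backend.identify(outputs[2])
    cost = backend.tested
    for _ in range(20):              # unauthorised reads push the tag ahead
        tag.respond()
    after_flood = backend.identify(tag.respond())
    return {"distinct_outputs": len(set(outputs)), "found": found,
            "candidates_tested": cost, "after_flood": after_flood}
```

Because the tag keeps only the current state and H is one-way, reading out the tag's memory does not give back earlier states, which is the forward-security property; the same one-way update is why a tag pushed past the backend's chain limit can no longer be identified.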
