This talk explores the challenges and solutions in achieving reliable object identification, multi-tag RFID systems, physical security, and privacy in RFID systems. Topics include PUF-based algorithms, inter-tag communication, and generalized yoking-proofs.
New Directions in Reliability, Security and Privacy in Radio Frequency Identification Systems • Leonid Bolotnyy, lbol@cs.virginia.edu, www.cs.virginia.edu/~lb9xk • Gabriel Robins, robins@cs.virginia.edu, www.cs.virginia.edu/robins • Department of Computer Science, University of Virginia
Talk Outline • Introduction to RFID • Reliable Object Identification • Multi-Tag RFID Systems • Physical Security and Privacy • PUF-Based Algorithms • Inter-Tag Communication • Generalized Yoking-Proofs • Common Themes and Conclusion
General RFID System [Figure: Tags, Reader, Local Server; arrows labelled "Tag ID"]
Introduction to RFID • Tag types: passive, semi-passive, active • Frequencies: Low (125 kHz), High (13.56 MHz), UHF (915 MHz) • Coupling methods: inductive coupling, backscatter coupling [Figure: signal paths between reader antenna and tag for each coupling method]
RFID History [Timeline figure; years shown: 1935, 1973, 1960, 1999, 2004, 1999, 2006] • What’s next?
Obstacles of Reliable Identification • Bar-codes vs. RFID • line-of-sight • scanning rate • Object detection obstacles • radio noise is ubiquitous • liquids and metals are opaque to RF • milk, water, juice • metal-foil wrappers • temperature and humidity • objects/readers moving speed • object occlusion • number of objects grouped together • tag variability and receptivity • tag aging
Case Studies • Defense Logistics Agency trials (2001) • 3% of moving objects did not reach destination • 20% of tags recorded at every checkpoint • 2% of a tag type detected at 1 checkpoint • some tags registered on arrival but not departure • Wal-Mart experiments (2005) • 90% tag detection at case level • 95% detection on conveyor belts • 66% detection inside fully loaded pallets
Multi-Tag RFID • Use multiple tags per object to increase reliability of object detection/identification
The Power of an Angle • Inductive coupling: $\text{distance} \sim (\text{power})^{1/6}$ • Far-field propagation: $\text{distance} \sim (\text{power})^{1/2}$ • Optimal Tag Placement: $\text{power} \sim \sin^2(\beta)$ [Figure: B-field, angle β, tag positions 1 to 4]
Equipment and Setup • Equipment [Figure: equipment photos with quantities x4, x1, x8, x1, x100’s, x100’s] • Setup • empty room • 20 solid non-metallic & 20 metallic and liquid objects • tags positioned perpendicular to each other • tags spaced apart • software drivers
Experiments • Read all tags in reader’s field • Randomly shuffle objects • Compute average detection rates • Variables • reader type • antenna type • tag type • antenna power • object type • number of objects • number of tags per object • tags’ orientation • tags’ receptivity
Linear Antennas • 1 Tag: 58% • 2 Tags: 79% • 3 Tags: 89% • 4 Tags: 93%
Circular Antennas • 1 Tag: 75% • 2 Tags: 94% • 3 Tags: 98% • 4 Tags: 100%
Linear Antennas vs. Multi-tags (Power = 31.6 dBm) [Plot: detection probability vs. object number, objects 1 to 20; annotated differences Δ = 5.2%, 14.4%, 19.8%, 6.9%, 21.3%] • 2 Readers, 2 Tags: 84.5% • 1 Reader, 2 Tags: 79.3% • 2 Readers, 1 Tag: 64.9% • 1 Reader, 1 Tag: 58.0%
Importance of Tag Orientation [Figure; values shown: 21%, -7%, 12%, 25%]
Detection in Presence of Metals & Liquids [Plot, circular antenna: detection probability vs. number of tags (1 to 4); series: Power = 31.6 dBm, no liquids/metals; Power = 31.6 dBm, with liquids/metals; Power = 27.6 dBm, no liquids/metals; Power = 27.6 dBm, with liquids/metals] • Decrease in solid/non-liquid object detection • Significant at low power • Similar results for linear antennas
Varying Number of Objects • Experiment 1: 15 solid non-metallic & 15 liquids and metals • Experiment 2: 20 solid non-metallic & 20 liquids and metals • Metals & Liquids Δ: 3%-13%
Applications of Multi-Tags • Reliability • Availability • Localization • Safety
More Applications • Security • Theft Prevention • Tagging Bulk Materials • Packaging
Economics of Multi-Tags [Plot: cost vs. year] • Rapid decrease in passive tag cost • 5 cent tag expected in 2008 • 1 penny tag in a few years
Cost Trends [Plot: cost trends over time]
[Plot: historical cost and cost prediction; cost axis $0.00 to $1.00; years 2001 to 2011] Multi-Tag Conclusion • Unreliability of object detection • radio noise is ubiquitous • liquids and metals are opaque to RF • milk, water, juice • metal-foil wrappers • temperature and humidity • objects/readers moving speed • object occlusion • number of objects grouped together • tag variability and receptivity • tag aging • Many useful applications • Favorable economics
Motivation • Digital crypto implementations require 1000’s of gates • Gate counts (algorithm: # of gates): MD4: 7350, MD5: 8400, SHA-256: 10868, AES: 3400, Yuksel: 1701 • Low-cost alternatives • Pseudonyms / one-time pads • Low complexity / power hash function designs • Hardware-based solutions
PUF-Based Security • Physical Unclonable Function [Gassend et al 2002] • PUF security is based on • wire delays • gate delays • quantum mechanical fluctuations • PUF characteristics • uniqueness • reliability • unpredictability • PUF assumptions • Infeasible to accurately model PUF • Pair-wise PUF output-collision probability is constant • Physical tampering will modify PUF
Individual Privacy in RFID • Privacy [Figure: locations A, B, C; caption "Alice was here: A, B, C"]
Hardware Tampering Privacy Models [Figure labels: read-proof, tamper-proof] • Allow adversary to tamper with tag’s memory • Cannot provide privacy without restricting adversary - simple secret overwrite allows tag tracking • 1. Restrict memory tampering functions - allow bit flips • 2. Purely physical privacy - no digital secrets • 3. Detect privacy compromise - detect PUF modification
Private Identification Algorithm • Database: $ID_1, p(ID_1), p^2(ID_1), \ldots, p^k(ID_1)$; ...; $ID_n, p_n(ID_n), p_n^2(ID_n), \ldots, p_n^k(ID_n)$ [Figure labels: Request, ID, p(ID)] • It is important to have • a reliable PUF • no loops in PUF chains • no identical PUF outputs • Assumptions • no denial of service attacks (e.g., passive adversaries, DoS detection/prevention mechanisms) • physical compromise of tags not possible
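The identification scheme on this slide, as an added Python example that is not from the talk. It assumes the tag answers each request with its current ID and then replaces it with p(ID); the PUF is a constructed stand-in built from HMAC, and the names `make_puf`, `Tag`, `Database` and `demo` are hypothetical.

```python
import hashlib
import hmac

def make_puf(device_secret: bytes):
    """Constructed stand-in for a tag's PUF p(): HMAC-SHA256 cut to 8 bytes.
    A real PUF derives its output from circuit delays, not a stored secret."""
    return lambda x: hmac.new(device_secret, x, hashlib.sha256).digest()[:8]

class Tag:
    def __init__(self, puf, initial_id: bytes):
        self.puf, self.current_id = puf, initial_id

    def respond(self) -> bytes:
        """Answer an ID request with the current ID, then advance to p(ID)."""
        reply = self.current_id
        self.current_id = self.puf(reply)
        return reply

class Database:
    def __init__(self):
        self.owner = {}  # every stored chain value -> tag name

    def enroll(self, name: str, puf, initial_id: bytes, k: int) -> None:
        """Store ID, p(ID), ..., p^k(ID); refuse loops and identical outputs."""
        chain = [initial_id]
        for _ in range(k):
            chain.append(puf(chain[-1]))
        if len(set(chain)) != len(chain):
            raise ValueError("loop in PUF chain")
        if any(value in self.owner for value in chain):
            raise ValueError("PUF output already stored for another tag")
        self.owner.update((value, name) for value in chain)

    def identify(self, reply: bytes):
        """Map a reply to its tag; None once the stored chain is used up."""
        return self.owner.get(reply)

def demo(k: int = 3):
    """Read one constructed tag k + 2 times and resolve every reply."""
    puf = make_puf(b"constructed-device-secret")
    db = Database()
    db.enroll("tag-1", puf, b"\x00" * 8, k)
    tag = Tag(puf, b"\x00" * 8)
    replies = [tag.respond() for _ in range(k + 2)]
    return replies, [db.identify(r) for r in replies]

if __name__ == "__main__":
    for reply, name in zip(*demo()):
        print(reply.hex(), name)
```

The last reply resolves to no tag because the stored chain holds only k + 1 values, which is why the slide lists the absence of denial-of-service attacks as an assumption.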
PUF-Based Ownership Transfer • Ownership Transfer • To maintain privacy we need • ownership privacy • forward privacy • Physical security is especially important • Solutions • public key cryptography (expensive) • knowledge of owners sequence • short period of privacy • trusted authority
PUF-Based MAC Algorithms • MAC = (K, τ, υ) • valid signature σ: $\upsilon_K(M, \sigma) = 1$ • forged signature σ’: $\upsilon_K(M', \sigma') = 1$, $M \neq M'$ • MAC based on PUF • Motivation: “yoking-proofs”, signing sensor data • large keys (PUF is the key) • cannot support arbitrary messages • Assumptions • adversary can adaptively learn poly-many (m, σ) pairs • signature verifiers are off-line • tag can store a counter (to timestamp signatures)
Large Message Space • Assumption: tag can generate good random numbers (can be PUF-based) • Key: PUF • $\sigma(m) = c, r_1, \ldots, r_n, p_c(r_1, m), \ldots, p_c(r_n, m)$ • Signature verification • requires tag’s presence • password-based or in radio-protected environment (Faraday Cage) • learn $p_c(r_i, m)$, $1 \le i \le n$ • verify that the desired fraction of PUF computations is correct • To protect against hardware tampering • authenticate tag before MAC verification • store verification password underneath PUF
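The large-message-space signature and its fraction-based verification, as an added Python example that is not from the talk. Assumptions: the PUF is simulated with HMAC, p_c(r, m) is modelled as one PUF challenge built from c, r and m, and PUF unreliability is modelled by corrupting every `noisy_every`-th evaluation; all names are hypothetical.

```python
import hashlib
import hmac
import os

class PufTag:
    """Constructed tag whose signing key is its PUF (simulated with HMAC)."""

    def __init__(self, device_secret: bytes, noisy_every: int = 0):
        self._secret, self._noisy_every = device_secret, noisy_every
        self._evals, self.counter = 0, 0

    def puf(self, c: int, r: bytes, m: bytes) -> bytes:
        """p_c(r, m). Assumption: c, r and m form one PUF challenge."""
        self._evals += 1
        challenge = c.to_bytes(4, "big") + r + m
        out = hmac.new(self._secret, challenge, hashlib.sha256).digest()[:4]
        if self._noisy_every and self._evals % self._noisy_every == 0:
            out = bytes(b ^ 0xFF for b in out)  # modelled unreliable evaluation
        return out

    def sign(self, m: bytes, n: int = 8):
        """sigma(m) = c, r_1..r_n, p_c(r_1, m)..p_c(r_n, m)."""
        self.counter += 1  # the counter timestamps the signature
        rs = [os.urandom(4) for _ in range(n)]
        return self.counter, rs, [self.puf(self.counter, r, m) for r in rs]

def matching_fraction(tag: PufTag, m: bytes, sig) -> float:
    """Re-query the present tag for each r_i and compare with the signature."""
    c, rs, outs = sig
    good = sum(hmac.compare_digest(tag.puf(c, r, m), o) for r, o in zip(rs, outs))
    return good / len(rs)

def verify(tag: PufTag, m: bytes, sig, min_fraction: float) -> bool:
    """Accept when the desired fraction of PUF computations is correct."""
    return matching_fraction(tag, m, sig) >= min_fraction

if __name__ == "__main__":
    tag = PufTag(b"constructed-device-secret", noisy_every=5)
    sig = tag.sign(b"temp=21C")
    print("fraction matching:", matching_fraction(tag, b"temp=21C", sig))
```

With an unreliable PUF, a verifier that demands every output to match rejects genuine signatures, so the acceptance fraction has to be chosen against the PUF's error rate.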
Small Message Space • Assumption: small and known a priori message space • $Key[p, m_i, c] = c, p_c^{(1)}(m_i), \ldots, p_c^{(n)}(m_i)$ (arguments: PUF, message, counter) • $\sigma(m) = c, p_c^{(1)}(m), \ldots, p_c^{(n)}(m), \ldots, c+q-1, p_{c+q-1}^{(1)}(m), \ldots, p_{c+q-1}^{(n)}(m)$ (figure label: sub-signature) • PUF reliability is again crucial • Verify that the desired number of sub-signatures are valid
Attacks on MAC Protocols [Figure: original and clone] • Impersonation attacks • manufacture an identical tag • obtain (steal) existing PUFs • Modeling attacks • build a PUF model to predict PUF’s outputs • Side-channel attacks • algorithm timing • power consumption • Hardware-tampering attacks • physically probe wires to learn the PUF • physically read-off/alter keys/passwords
Conclusions and Future Work • Hardware primitive for RFID security • Identification, MAC, Ownership Transfer, and Tag Authentication Algorithms • Properties: • Physical keys • Protect tags from physical attacks • New attack models • Future Work: • Design new PUF • Manufacture and test PUF • Develop PUF theory • New attack models
Inter-Tag Communication in RFID • Idea: Heterogeneity in ubiquitous computing • Applications:
“Yoking-Proofs” • Yoking: joining together / simultaneous presence of multiple tags • Key Observation: Passive tags can communicate with each other through reader • Problem Statement: Generate proof that a group of passive tags were identified nearly-simultaneously • Applications – verify that: • medicine bottle sold together with instructions • tools sold together with safety devices • matching parts were delivered together • several forms of ID were presented
Assumptions and Goals • Assumptions • Tags are passive • Tags have limited computational abilities • Tags can compute a keyed hash function • Tags can maintain some state • Verifier is trusted and powerful • Solution Goals • Allow readers to be adversarial • Make valid proofs improbable to forge • Allow verifier to verify proofs off-line • Detect replays of valid proofs • Timer on-board a tag • Capacitor discharge can implement timeout
Generalized “Yoking-Proof” Protocol • Idea: construct a chain of mutually dependent MACs [Figure: tags numbered 1 to 5] • Anonymous Yoking: tags keep their identities private
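A simplified chain of dependent MACs relayed by an untrusted reader and checked off-line, as an added Python example; it is not the protocol from the talk or the paper. Assumptions: HMAC-SHA256 is the tags' keyed hash, a per-tag counter is the stored state used to detect replays, the on-tag timeout is not modelled, and all names are hypothetical.

```python
import hashlib
import hmac

def mac(key: bytes, *parts: bytes) -> bytes:
    """Keyed hash over length-prefixed parts (HMAC-SHA256, an assumed choice)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

class Tag:
    def __init__(self, tag_id: bytes, key: bytes):
        self.tag_id, self.key, self.counter = tag_id, key, 0

    def link(self, prev: bytes):
        """Bind a fresh counter to the value relayed from the previous tag."""
        self.counter += 1
        c = self.counter.to_bytes(4, "big")
        return c, mac(self.key, b"link", c, prev)

    def seal(self, last: bytes) -> bytes:
        """The first tag closes the chain over the last tag's MAC."""
        return mac(self.key, b"seal", self.counter.to_bytes(4, "big"), last)

def run_reader(tags):
    """Untrusted reader: it only relays values between passive tags."""
    prev, entries = b"start", []
    for t in tags:
        c, prev = t.link(prev)
        entries.append((t.tag_id, c))
    return entries, tags[0].seal(prev)

class Verifier:
    def __init__(self, keys: dict):
        self.keys, self.last_counter = keys, {}

    def verify(self, proof) -> bool:
        """Off-line check: recompute the whole chain, reject stale counters."""
        entries, seal = proof
        if not entries:
            return False
        prev = b"start"
        for tag_id, c in entries:
            n = int.from_bytes(c, "big")
            if tag_id not in self.keys or n <= self.last_counter.get(tag_id, 0):
                return False
            prev = mac(self.keys[tag_id], b"link", c, prev)
        first_id, first_c = entries[0]
        expected = mac(self.keys[first_id], b"seal", first_c, prev)
        if not hmac.compare_digest(seal, expected):
            return False
        self.last_counter.update((i, int.from_bytes(c, "big")) for i, c in entries)
        return True
```

Because each MAC covers the previous tag's output, a reader that drops or reorders a tag produces a proof the verifier cannot recompute.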
Related Work on “Yoking-Proofs” • Juels [2004] • protocol is limited to two tags • no timely timer update (minor/crucial omission) • Saito and Sakurai [2005] • solution relies on timestamps generated by trusted database • violates original problem statement • one tag is assumed to be more powerful than the others • vulnerable to “future timestamp” attack • Piramuthu [2006] • discusses inapplicable replay-attack problem of Juels’ protocol • independently observes the problem with Saito/Sakurai protocol • proposed fix only works for a pair of tags • violates original problem statement
Common Themes • Multi-Tags RFID • PUF-Based Security and Privacy • Generalized “Yoking-Proofs”
Conclusion and Future Research • Contributions • Future Research • More multi-tag tests • Object localization using multi-tags • Split tag functionality between tags • Prevent adversarial merchandise inventorization • PUF design • More examples of inter-tag communication • Applications of RFID
Publications • L. Bolotnyy and G. Robins, Multi-tag Radio Frequency Identification Systems, IEEE Workshop on Automatic Identification Advanced Technologies (Auto-ID), Oct. 2005. • L. Bolotnyy and G. Robins, Randomized Pseudo-Random Function Tree Walking Algorithm for Secure Radio-Frequency Identification, IEEE Workshop on Automatic Identification Advanced Technologies (Auto-ID), Oct. 2005. • L. Bolotnyy and G. Robins, Generalized “Yoking Proofs” for a Group of Radio Frequency Identification Tags, International Conference on Mobile and Ubiquitous Systems (Mobiquitous), San Jose, CA, July 2006. • L. Bolotnyy and G. Robins, Physically Unclonable Function-Based Security and Privacy in RFID Systems, IEEE International Conference on Pervasive Computing and Communications (PerCom), New York, March 2007. • L. Bolotnyy, S. Krize, and G. Robins, The Practicality of Multi-Tag RFID Systems, International Workshop on RFID Technology - Concepts, Applications, Challenges (IWRT), Madeira, Portugal, June 2007. • L. Bolotnyy and G. Robins, The Case for Multi-Tag RFID Systems, International Conference on Wireless Algorithms, Systems and Applications (WASA), Chicago, Aug. 2007. • L. Bolotnyy and G. Robins, Multi-Tag RFID Systems, International Journal of Internet and Protocol Technology, Special issue on RFID: Technologies, Applications, and Trends, 2(3/4), 2007. • 1 conference and 1 journal paper in submission • 2 invited book chapters in preparation: Security in RFID and Sensor Networks, to be published by Auerbach Publications, CRC Press, Taylor&Francis Group
More Successes • Deutsche Telekom (largest in EU) offered to patent our multi-tags idea. • Received $450,000 NSF Cyber Trust grant, 2007 (PI: Gabriel Robins). • Technical Program Committee member: International Workshop on RFID Technology - Concepts, Applications, Challenges (IWRT), Barcelona, Spain, June 2008. • Our papers and presentation slides used in lecture-based undergraduate/graduate courses (e.g., Rice University, George Washington University).
Thank You! • Dissertation Committee: Gabriel Robins (advisor), Dave Evans, Paul Reynolds, Nina Mishra, and Ben Calhoun • Stephen Wilson, Blaise Gassend, Daihyun Lim, Karsten Nohl, Patrick Graydon, and Scott Krize • Questions? lbol@cs.virginia.edu www.cs.virginia.edu/~lb9xk