A Privacy-Restoring Mechanism for Offline RFID Systems Gildas - - PowerPoint PPT Presentation

a privacy restoring mechanism for offline rfid systems
SMART_READER_LITE
LIVE PREVIEW

A Privacy-Restoring Mechanism for Offline RFID Systems Gildas - - PowerPoint PPT Presentation

Oct 25, 2023 645 likes •1.08k views

A Privacy-Restoring Mechanism for Offline RFID Systems Gildas Avoine Iwen Coisel Tania Martin Universit e catholique de Louvain Belgium April 16, 2012 [WiSec12, Tucson, AZ, USA] Goal of our Paper Authentication protocol that

slide-1
SLIDE 1

A Privacy-Restoring Mechanism for Offline RFID Systems

Gildas Avoine Iwen Coisel Tania Martin

Universit´ e catholique de Louvain Belgium

April 16, 2012

[WiSec’12, Tucson, AZ, USA]

slide-2
SLIDE 2

Goal of our Paper

Authentication protocol that restores privacy in case of compromised readers in offline RFID systems

  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

2

slide-3
SLIDE 3

Offline RFID Systems

Online system Fixed readers Always connected to BE Readers do not store data to authenticate tags Offline system Handheld readers Operate without BE Readers must store all data to authenticate tags i.e. all tags’ secrets BE BE

  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

3

slide-4
SLIDE 4

Compromised Readers in Offline RFID Systems

Tag corruption A steals secrets of the corrupted tag vs. Compromised reader in offline RFID systems A steals all tags’ secrets stored by reader

  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

4

slide-5
SLIDE 5

Privacy in RFID

Malicious traceability An adversary A can distinguish two (challenge) tags over their different protocol executions

  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

5

slide-6
SLIDE 6

Privacy in RFID

Malicious traceability An adversary A can distinguish two (challenge) tags over their different protocol executions Tag corruption We consider that tags do not share secrets A can trace this corrupted tag

  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

5

slide-7
SLIDE 7

Privacy in RFID

Malicious traceability An adversary A can distinguish two (challenge) tags over their different protocol executions Tag corruption We consider that tags do not share secrets A can trace this corrupted tag Compromised readers in offline RFID systems A can trace all tags ⇒ More powerful attack than tag corruption

  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

5

slide-8
SLIDE 8

Outline

1 Our Protocol 2 Privacy Analysis 3 Efficiency Analysis 4 Implementation

  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

6

slide-9
SLIDE 9

Our Protocol: Principle

  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

7

slide-10
SLIDE 10

Our Protocol: Principle

CORRUPT

  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

7

slide-11
SLIDE 11

Our Protocol: Principle

CORRUPT

  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

7

slide-12
SLIDE 12

Our Protocol: Principle

I can differentiate them!!!

Tag 3 Tag 2 Tag 1

  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

7

slide-13
SLIDE 13

Our Protocol: Principle

What can we do against this problem of traceability? Solution Repair the compromised reader Spread this info of repaired reader via tags’ mobility

  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

8

slide-14
SLIDE 14

Our Protocol: Design Choices

Challenge/response authentication protocol

  • Based on Needham-Schroeder [ACM-Comm-1978]

Public-key crypto

  • For authentication

− Cryptosystem (Enc/Dec) for T’s answer − Signature scheme (Sign/Verif) for R’s identity ⇒ via CR certificate

  • For privacy-restoring mechanism

− Signature scheme (Sign/Verif) for info about repaired readers ⇒ via NewCR/NewCT certificates

Secret-key crypto to personalize tags’ secrets

  • Unique secret key sTR by pair (T, R)
  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

9

slide-15
SLIDE 15

Our Protocol: Principle

REPAIR

  • (Pnew

R , Knew R )

  • Cnew

R , vnew R

  • Tabnew

R

= {∀T : (IDT, snew

TR )}

  • NewCnew

R

  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

10

slide-16
SLIDE 16

Our Protocol: Principle

REPAIR

  • (Pnew

R , Knew R )

  • Cnew

R , vnew R

  • Tabnew

R

= {∀T : (IDT, snew

TR )}

  • NewCnew

R

  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

10

slide-17
SLIDE 17

Our Protocol: Principle

  • Picks a nonce nR

CR, nR

− − − − − − − − →

  • Checks CR
  • sT R = MAC(kT ||IDR||vR)
  • E = EncPR(IDR||nR||sT R)
  • Sends NewCT

E

← − − − − − − − −

NewCT

  • IDR||nR||sT R = DecKR(E)
  • Authenticates T if sT R ∈ TabR
  • Checks NewCT

→ Updates its values

  • Sends NewCR if newer than NewCT

NewCR

− − − − − − − − →

  • Checks NewCR

→ Updates its values

  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

10

slide-18
SLIDE 18

Our Protocol: Principle

  • Picks a nonce nR

CR, nR

− − − − − − − − →

  • Checks CR
  • sT R = MAC(kT ||IDR||vR)
  • E = EncPR(IDR||nR||sT R)
  • Sends NewCT

E

← − − − − − − − −

NewCT

  • IDR||nR||sT R = DecKR(E)
  • Authenticates T if sT R ∈ TabR
  • Checks NewCT

→ Updates its values

  • Sends NewCR if newer than NewCT

NewCR

− − − − − − − − →

  • Checks NewCR

→ Updates its values

UPDATE

  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

10

slide-19
SLIDE 19

Our Protocol: Principle

  • Picks a nonce nR

CR, nR

− − − − − − − − →

  • Checks CR
  • sT R = MAC(kT ||IDR||vR)
  • E = EncPR(IDR||nR||sT R)
  • Sends NewCT

E

← − − − − − − − −

NewCT

  • IDR||nR||sT R = DecKR(E)
  • Authenticates T if sT R ∈ TabR
  • Checks NewCT

→ Updates its values

  • Sends NewCR if newer than NewCT

NewCR

− − − − − − − − →

  • Checks NewCR

→ Updates its values

UPDATE

  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

10

slide-20
SLIDE 20

Our Protocol: Principle

  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

10

slide-21
SLIDE 21

Our Protocol: Principle

  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

10

slide-22
SLIDE 22

Our Protocol: Principle

UPDATE

  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

10

slide-23
SLIDE 23

Our Protocol: Principle

UPDATE

  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

10

slide-24
SLIDE 24

Our Protocol: Principle

  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

10

slide-25
SLIDE 25

Our Protocol: Principle

  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

10

slide-26
SLIDE 26

Our Protocol: Principle

UPDATE UPDATE

  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

10

slide-27
SLIDE 27

Our Protocol: Principle

UPDATE UPDATE

  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

10

slide-28
SLIDE 28

Our Protocol: Principle

  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

10

slide-29
SLIDE 29

Our Protocol: Principle

  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

10

slide-30
SLIDE 30

Our Protocol: Principle

UPDATE

  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

10

slide-31
SLIDE 31

Our Protocol: Principle

UPDATE

  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

10

slide-32
SLIDE 32

Our Protocol: Principle

  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

10

slide-33
SLIDE 33

Our Protocol: Principle

?? ?? ??

I cannot differentiate them anymore!!!

  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

10

slide-34
SLIDE 34

Outline

1 Our Protocol 2 Privacy Analysis 3 Efficiency Analysis 4 Implementation

  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

11

slide-35
SLIDE 35

Privacy Analysis

Privacy experiment (from Juels and Weis’ model [Percom-2007])

1

The challenger C initializes the RFID system S.

2

A interacts with the whole system.

3

A chooses two challenge tags T and T ′, and gives them to C.

4

C chooses a random bit b, and assigns Tb = T and Tb⊕1 = T ′. Then C gives back Tb and Tb⊕1 to A.

5

A interacts with the whole system.

6

A outputs a guess bit b′. A wins if b = b′.

Adversary classes STANDARD [A can corrupt any tag (except challenge tags)] FORWARD [A can corrupt any tag] CORRUPT [A can corrupt any reader]

  • CORRUPT is composable with STANDARD and FORWARD

⇒ 4 possible adversaries

  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

12

slide-36
SLIDE 36

Privacy Analysis

When the system is stable FORWARD-privacy CORRUPT-STANDARD-privacy During the system update We define the average probability τ(t) to trace 1 tag When t ր then τ(t) ց

τ(t) = “1 2 + ǫ(s) ”“u(t) n ”“u(t) − 1 n − 1 ” + “ 1 − u(t) n ”“ 1 − u(t) n − 1 ” + 2 “ u(t) n − 1 ”“ 1 − u(t) n ” where u(t) = number of updated tags at time t

  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

13

slide-37
SLIDE 37

Outline

1 Our Protocol 2 Privacy Analysis 3 Efficiency Analysis 4 Implementation

  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

14

slide-38
SLIDE 38

Case Study: 3-Day Automobile Race

Goal Analyze in practice our privacy-restoring mechanism Experimental conditions 55 readers spread all over the area 102 110 tags 1 reader has been compromised and repaired

  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

15

slide-39
SLIDE 39

Case Study: Tracing 1 Tag During the Event

0.2 0.4 0.6 0.8 1 3rd day 2nd day 1st day Advantage to trace one tag Time t 1st day, 6AM 1st day, 12PM 2nd day, 6AM 2nd day, 12PM 3rd day, 6AM 3rd day, 12PM

Advantage = |2 τ(t) − 1| Curves depend on the update start time Influenced by the 1-day tickets

  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

16

slide-40
SLIDE 40

Outline

1 Our Protocol 2 Privacy Analysis 3 Efficiency Analysis 4 Implementation

  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

17

slide-41
SLIDE 41

Implementation

Consider the 3-day sport event data with

  • 55 readers
  • 10 compromised readers (at most)

Our Protocol ⇒ JavaCard EEPROM 0.8 KB ⇒ 72 KB Transmission 5953 bits ⇒ 68.04ms TOTAL Tag computation 1 PK encryption ⇒ 331.7ms ≈ + 2 certif verifs 400ms

  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

18

slide-42
SLIDE 42

Conclusion

Privacy-restoring mechanism

  • Can face the problem of compromised readers in offline systems
  • Via tags’ mobility

Efficient protocol in a real case study

  • When attack detected at the beginning of the event

⇒ 99.5% of tags with a restored privacy

Protocol deployable in practice

  • Tested and operable on JavaCard
  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

19

slide-43
SLIDE 43

Conclusion

Privacy-restoring mechanism

  • Can face the problem of compromised readers in offline systems
  • Via tags’ mobility

Efficient protocol in a real case study

  • When attack detected at the beginning of the event

⇒ 99.5% of tags with a restored privacy

Protocol deployable in practice

  • Tested and operable on JavaCard

Thank You!

  • G. Avoine, I. Coisel, T. Martin – A Privacy-Restoring Mechanism for Offline RFID Systems

19