RFID Traceability: A Multilayer Problem Gildas Avoine and Philippe - - PowerPoint PPT Presentation



SLIDE 1

Introduction and Motivation Relationship Between Traceability and Communication Model Focus on the Communication Layer

Financial Cryptography 2005

RFID Traceability: A Multilayer Problem

Gildas Avoine and Philippe Oechslin

EPFL, Lausanne, Switzerland

ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE

http://lasecwww.epfl.ch/~gavoine/rfid/ RFID Traceability: A Multilayer Problem

SLIDE 2

Outline

• Introduction and Motivation
• Relationship Between Traceability and Communication Model
• Focus on the Communication Layer

SLIDE 3

Introduction and Motivation

SLIDE 4

Goals

Radio Frequency Identification

Identify objects remotely by embedding in these objects tiny devices (tags) capable of transmitting data.

SLIDE 5

RFID Systems

[Figure: two readers, four tags and a database]

SLIDE 6

Emergence of the RFID Technology

• The RFID technology is not new, e.g., contactless smartcards were already RFID devices (public transport, tollways).
• The boom which RFID technology is enjoying today relies essentially on the willingness to develop small and cheap RFID tags.

SLIDE 7

RFID Characteristics

• Extremely limited storage and computation capabilities
• Not tamper-resistant
• No battery
• Reader-to-Tag channel: up to 100 meters
• Tag-to-Reader channel: up to a few meters

SLIDE 8

Applications

RFID tags could replace the bar-codes in the near future and could open the door to new applications.

• Management of stocks (Wal-Mart, Gillette, etc.)
• Speed up the checkouts in the shops
• Libraries (Santa Clara Library, University of Nevada, etc.)
• Recycling
• Pets identification
• Anti-counterfeiting
• Sensor networks (Michelin, etc.)
• Localization of people

SLIDE 9

Threats on the Tag’s Bearers Privacy

[Diagram: Privacy branches into Information leakage and Traceability]

• Information leakage: The tag reveals some information related to the object holder.
• Traceability: An adversary could track the tag, and therefore its bearer.

SLIDE 10

Examples of traceability

• Tracking of employees by the boss, tracking of children in an amusement park, tracking of military troops, etc.
• Several companies suffer from boycott campaigns led by powerful organizations.
• It is easier to track people using RFID technology than other technologies (e.g. video, credit cards, GSM) because tags cannot be switched off, tags can be almost invisible, the logs of the readers are easy to analyze (e.g. data mining), and the communication distance is increasing.

SLIDE 11

Solutions

• Physical solutions, e.g. Faraday cages, blocker tags, kill the tag
• Software solutions based on cryptographic protocols

How can an RFID protocol be designed such that only an authorized party is able to identify a tag while an adversary is not able to track it?

SLIDE 12

Relationship Between Traceability and Communication Model

SLIDE 13

Privacy and Communication Model

[Figure: layer stacks of the three communication models]

• OSI: application, presentation, session, transport, network, data link, physical
• TCP/IP: application, transport, internet, physical
• RFID: application, communication, physical

SLIDE 14

Privacy vs Classical Properties

• The main concepts of cryptography, i.e., confidentiality, integrity, and authentication, are treated without any practical considerations.
• If one of these properties is theoretically ensured, it remains ensured in practice whatever the layer we choose to implement the protocol.
• Privacy needs to be ensured at each layer.
• All efforts to prevent traceability in the application layer may be useless if no care is taken at the lower layers.

SLIDE 15

RFID Model

• Application layer: The identification protocol itself.
• Communication layer: The medium access protocol (collision avoidance).
• Physical layer: Air interface (frequency, modulation, etc.)

SLIDE 16

Diversity of Standards

• Signals from tags using different standards are easy to distinguish.
• A problem arises when we consider sets of tags rather than a single tag.
• If several standards are in use, each person in a few years may have a set of tags with a characteristic mix of standards which may allow a person to be traced.

SLIDE 17

Radio Fingerprints

• Even if the tags follow the same standard, there will be several manufacturers in the market and their tags will have different radio fingerprints.
• It will thus be possible to trace a person by a characteristic mix of tags from different manufacturers.
• Preventing traceability through radio fingerprints seems quite difficult because there is no benefit for the manufacturers in producing tags that use exactly the same technology, producing the same radio fingerprint.

SLIDE 18

RFID Model

• Application layer: The identification protocol itself.
• Communication layer: The medium access protocol (collision avoidance).
• Physical layer: Air interface (frequency, modulation, etc.)

→ The physical signals exchanged between a tag and a reader can allow an adversary to recognize a tag or a set of tags.

• Threats due to the diversity of standards
• Threats due to radio fingerprints

→ Conclusion quite pessimistic but such attacks require strong means.

SLIDE 19

Focus on the Communication Layer

SLIDE 20

Collision Avoidance

[Figure: "Are there any questions?" with the labels Andrew, Moti, Ari, Jacques, David and Noise]

But, with RFID tags...

• The computational power of the tags is very limited and they are unable to communicate with each other.
• The reader must deal with the collision avoidance itself.

SLIDE 21

Standards

• Collision avoidance protocols are often (non-open source) proprietary algorithms.
• Standards appear: ISO and EPC.
• Two large families: deterministic protocols and probabilistic protocols.
• Potential threats: lack of randomness and uncompleted sessions.

SLIDE 22

Deterministic Protocols

• Deterministic protocols are based on a binary tree search which represents the (unique) static identifiers (of length ℓ) of the tags.
• A node at depth d in this tree can be uniquely identified by a binary prefix b_1 b_2 ... b_d.
• The reader starts at the root of the tree and performs a recursive search: at node b_1 b_2 ... b_d, the reader queries all tags whose serial numbers bear this prefix, the others remain silent.
• The tags reply with the (d+1)-st bit of their serial number.
• If there is a collision, the reader restarts from the child of the prefix.
• When the algorithm reaches a leaf, it has detected a tag.
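Added example (not part of the original slides): a Python simulation of the binary tree search described on this slide, showing that static identifiers make the reader broadcast the same prefixes in every session. The 4-bit sample identifiers, the function names and the use of Python's secrets module to model renewed identifiers are assumptions made for illustration.

```python
import secrets

def tree_walk(tag_ids, length):
    """Reader-side binary tree search over identifiers given as bit strings.
    Returns (identified ids, prefixes broadcast by the reader)."""
    found, queries = [], []

    def search(prefix):
        queries.append(prefix)  # sent on the long-range reader-to-tag channel
        # Tags bearing this prefix reply with their next bit; the others stay silent.
        replies = {t[len(prefix)] for t in tag_ids if t.startswith(prefix)}
        for bit in sorted(replies):  # both bits heard = collision: visit both children
            child = prefix + bit
            if len(child) == length:
                found.append(child)  # leaf reached: one tag detected
            else:
                search(child)

    search("")
    return found, queries

def renewed_ids(count, length):
    """Hypothetical tags that draw a fresh communication-layer id per session."""
    ids = set()
    while len(ids) < count:
        ids.add(format(secrets.randbits(length), "0{}b".format(length)))
    return sorted(ids)

STATIC_TAGS = ["0010", "0111", "1100"]  # constructed sample identifiers

def static_sessions():
    """Two inventories of the same static tags: the transcripts are identical."""
    return tree_walk(STATIC_TAGS, 4), tree_walk(STATIC_TAGS, 4)

def renewed_sessions():
    """Two inventories of tags that renewed their ids: the transcripts differ."""
    return tree_walk(renewed_ids(3, 32), 32)[1], tree_walk(renewed_ids(3, 32), 32)[1]

if __name__ == "__main__":
    (found, first), (_, second) = static_sessions()
    print(found, first == second, first)
    a, b = renewed_sessions()
    print(a == b)
```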

SLIDE 23

Probabilistic Protocols

• The access to the communication channel is split into time slots (slotted Aloha).
• The number of slots is chosen by the reader which informs the tags they will have n slots to answer.
• Each tag randomly chooses one slot among the n and responds when its slot arrives.
• If n is not sufficiently large, then some collisions occur.
• In order to recover the missing information, the reader interrogates the tags one more time. It can mute the tags which have not brought out collisions by indicating the time slots during which they transmitted.

SLIDE 24

Lack of Randomness

• With probabilistic protocols, the attacker can track the tag if it always answers during the same time slot.
  → A cryptographically secure PRNG initialized with a different value for every tag is needed for avoiding traceability.
• With deterministic protocols, the attacker can track the tag because the identifier is static. The straightforward solution is to renew the identifier (of the communication layer) each time the tag is identified by a reader.
  → A cryptographically secure PRNG initialized with a different value for every tag is needed for avoiding traceability.
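Added example (not part of the original slides): a Python simulation of the slotted Aloha inventory from the "Probabilistic Protocols" slide, comparing a tag without a PRNG against one that draws its slot from a secure random source, as this slide recommends. The class names, the sample identifiers, the SHA-256 based slot derivation for the tag without a PRNG and the use of the operating system's CSPRNG are assumptions made for illustration.

```python
import hashlib
import secrets

class CounterTag:
    """No PRNG: the slot depends only on the static id and the round number."""
    def __init__(self, tag_id):
        self.tag_id = tag_id

    def pick_slot(self, n, rnd):
        return hashlib.sha256(self.tag_id + bytes([rnd])).digest()[0] % n

class PrngTag(CounterTag):
    """Slot drawn from the OS CSPRNG (stand-in for an on-tag secure PRNG)."""
    def pick_slot(self, n, rnd):
        return secrets.randbelow(n)

def inventory(tags, n, max_rounds=50):
    """Slotted Aloha: tags that answered alone are muted, colliding tags retry.
    Returns, per tag id, the sequence of slots it used during the session."""
    used = {t.tag_id: [] for t in tags}
    pending = list(tags)
    for rnd in range(max_rounds):
        if not pending:
            break
        slots = {}
        for t in pending:
            s = t.pick_slot(n, rnd)
            used[t.tag_id].append(s)
            slots.setdefault(s, []).append(t)
        # Only tags that shared a slot are interrogated again.
        pending = [t for group in slots.values() if len(group) > 1 for t in group]
    return used

IDS = [b"tag-A", b"tag-B", b"tag-C", b"tag-D"]  # constructed identifiers

def sessions(tag_cls, n=16, count=20):
    """Run several independent inventories of the same tag population."""
    return [inventory([tag_cls(i) for i in IDS], n) for _ in range(count)]

def linkable(runs, tag_id):
    """True when the tag used the same slot sequence in every session."""
    return all(r[tag_id] == runs[0][tag_id] for r in runs)

if __name__ == "__main__":
    print("without PRNG:", linkable(sessions(CounterTag), b"tag-A"))
    print("with CSPRNG: ", linkable(sessions(PrngTag), b"tag-A"))
```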

SLIDE 25

Practical Example 1: EPC draft

• The EPC draft “specification for a 900 MHz class 0 radio frequency identification tag” proposes to use short identifiers (used during the deterministic collision avoidance process) which are refreshed using a PRNG.
• The identifiers used are short for efficiency reasons, since there are usually only a few tags in a given field.
• If the number of tags in the field is large, the reader can impose the use of additional static identifiers, available in the tag, set by the manufacturer!
• The benefit of using a PRNG is therefore totally null and void.

SLIDE 26

Practical Example 2: Philips

• Collision avoidance protocol proposed by Philips for its tag ICode1 Label IC.
• Although the tag does not have a PRNG, the implemented protocol is probabilistic!
• The tag contains a 64 bit identifier of which only 32 are used for the collision avoidance process, denoted by b_1 ... b_32.
• The choice of the time slot depends on this identifier of the tag and data sent by the reader.
• When the reader queries a tag, it sends the number n of slots which the tags can use and a value h ∈ {0, ..., 25}. The selection of the time slot s_i is done as follows:

  s_i := CRC8(b_{h+1} ... b_{h+8} ⊕ prev) ⊕ n

  where prev is the output of the previous CRC8, initialized with 0x01 when the tag enters the field of a reader.

SLIDE 27

Practical Example 2: Philips (cont)

• An adversary who always sends the same values h and n can easily track a tag according to the slot chosen by the tag.
• Still worse, in the particular case of the ICode1 tag, where the CRC8 is applied on an 8-bit word, we can actually recover 8 bits of the identifier by sending only one request! Therefore, by sending 4 requests with respectively h = 0, h = 8, h = 16, and h = 24, the adversary is able to recover the 32 bits of the tag’s identifier!
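Added example (not part of the original slides, and not Philips code): a Python model of the slot selection formula quoted above, showing why a CRC8 applied to an 8-bit word gives no protection: it is a permutation of the 256 byte values, so the slot determines the identifier bits. The generator polynomial 0x07, the bit ordering (b_1 as most significant bit), the sample identifier and all names are assumptions, since the slides do not give them.

```python
POLY = 0x07  # assumed generator polynomial; the slides do not specify it

def crc8(word):
    """CRC8 of one 8-bit word with a zero initial register."""
    reg = word & 0xFF
    for _ in range(8):
        reg = ((reg << 1) ^ POLY) & 0xFF if reg & 0x80 else (reg << 1) & 0xFF
    return reg

# On 8-bit inputs CRC8 is a permutation of 0..255, so it can be tabulated backwards.
CRC8_INVERSE = {crc8(w): w for w in range(256)}

def window(ident32, h):
    """Bits b_{h+1}..b_{h+8}, taking b_1 as the most significant bit (assumed); h <= 24."""
    return (ident32 >> (24 - h)) & 0xFF

class ICode1Model:
    """Toy model of the slot selection formula quoted on the slide."""
    def __init__(self, ident32):
        self.ident32 = ident32
        self.prev = 0x01  # value when the tag enters the field of a reader

    def slot(self, h, n):
        self.prev = crc8(window(self.ident32, h) ^ self.prev)
        return self.prev ^ n  # formula as written on the slide

def windows_from_slots(slots, n):
    """Recompute the four 8-bit windows from the chosen slots alone."""
    prev, out = 0x01, 0
    for s in slots:
        c = s ^ n                                  # CRC8 output behind this slot
        out = (out << 8) | (CRC8_INVERSE[c] ^ prev)
        prev = c                                   # becomes prev for the next request
    return out

SAMPLE_ID = 0xC0FFEE42  # constructed 32-bit identifier

def slots_for(ident32, n=16):
    """Slots chosen by a tag entering the field, for h = 0, 8, 16, 24."""
    tag = ICode1Model(ident32)
    return [tag.slot(h, n) for h in (0, 8, 16, 24)]

if __name__ == "__main__":
    s = slots_for(SAMPLE_ID)
    print(s == slots_for(SAMPLE_ID))               # same slots in every session
    print(hex(windows_from_slots(s, 16)))          # identifier bits follow from the slots
```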

SLIDE 28

Conclusion

SLIDE 29

Conclusion

• Designing an RFID protocol suited to the application layer is a good thing but...
• Some people think we can avoid using cryptographic functions in order to design RFID protocols but...
• The actual dilemma is: either the cryptographers design only strong (in terms of privacy) but expensive RFID protocols but they will not be implemented in practice, or they design weak (in terms of privacy) but cheap RFID protocols and manufacturers will agree to implement them.
• Where is the good trade-off?
