Some Recent Development Some Recent Development in RFID Privacy - - PowerPoint PPT Presentation

some recent development some recent development in rfid
SMART_READER_LITE
LIVE PREVIEW

Some Recent Development Some Recent Development in RFID Privacy - - PowerPoint PPT Presentation

Sep 16, 2022 364 likes •548 views

Some Recent Development Some Recent Development in RFID Privacy Models Robert H. Deng School of Information Systems y Singapore Management University 2010/12/6 1 Introduction RFID tags are low-cost electronic devices, from which

slide-1
SLIDE 1

Some Recent Development Some Recent Development in RFID Privacy Models

Robert H. Deng School of Information Systems y

Singapore Management University

2010/12/6

1

slide-2
SLIDE 2

Introduction

  • RFID tags are low-cost electronic devices, from which

stored info can be collected by an RFID reader efficiently stored info can be collected by an RFID reader efficiently and at a distance without line of sight

  • RFID has found numerous applications, from warehouse

inventory control, supermarket checkout counters, e- ticket to e-passport ticket, to e passport

Read / Update

Tag Reader

2010/12/6 2

Tag Reader

slide-3
SLIDE 3

RFID Triggered Significant Concerns on Security & Privacy Security & Privacy

  • Perfect working condition for attackers

– Tags can be read or traced by malicious readers from a distance w/o its owner’s awareness

  • Security

– Tag authentication: ensure data collected not from fake tag & prevent database pollution – Reader authentication: prevent unauthorized access to/or Reader authentication: prevent unauthorized access to/or tampering with tag data

  • Privacy

A it C fid ti lit f th t id tit

  • Anonymity: Confidentiality of the tag identity
  • Untraceability: Unlinkability of the tag’s transactions

2010/12/6 3

slide-4
SLIDE 4

Cryptographic Protocols for RFID Privacy Privacy

  • Numerous lightweight RFID protocols for low-cost tags

h b d have been proposed

– Use simple operations (XOR, bit inner product, CRC, etc)

  • Most of them have been broken

– T. van Deursen and S. Radomirovic: Attacks on RFID Protocols, ePrint Archive: Report 2008/310 ePrint Archive: Report 2008/310

  • Need to investigate formal RFID security and privacy

g y p y models which are fundamental to the design and analysis of robust RFID systems

2010/12/6 4

slide-5
SLIDE 5

Assumptions

Secure connection

  • S = {T1,…,Tn} - polynomial-size group of tags
  • R/D - Reader/Database have secure connection
  • Adversary A has complete control over communications

between reader and tags

2010/12/6 5

slide-6
SLIDE 6

Canonical RFID Protocol 

Reader R Tag T c r

(optional)

f

  • Shorthand notation: (c r f) ← (R T)
  • Shorthand notation: (c, r, f) ← (R, T)

2010/12/6 6

slide-7
SLIDE 7

Adversary

  • Interactions between A and protocol

ti R d T th h 4 l parties R and T occur through 4 oracles

– O1 - Launch(): return a session id sid and the 1st message c message c – O2 - SendTag(sid, c, T): return r, the response of tag T tag T – O3 - SendReader(sid, r): return f, the response

  • f Reader

– O4 - Corrupt(T): return the secret information and state of tag T

2010/12/6 7

slide-8
SLIDE 8

Ind-Privacy: Indistinguishability of two tags

JW06 JW06 (Jules & Weis, PerCom 2007)

Experiment: Experiment:

  • {Ti, Tj} ← A1

O1,O2,O3,O4(R, S);

  • b∈{0, 1};

A1 not allowed to query O4

  • n Ti and Tj

{ , };

  • If b = 0 then Tc = Ti, else Tc= Tj;
  • S’

S’ = S S ‐ {Ti, Tj};

A2 not allowed to query O4

  • b’ ←A2

O1,O2,O3,O4(R, S’

S’, Tc).

A2 not allowed to query O4

  • n Tc
  • The advantage of adversary A = |Pr[b'=b]‐1/2|
  • No protocol has been directly proven to satisfy Ind‐

Privacy

2010/12/6 8

Privacy

slide-9
SLIDE 9

Unp*-Privacy (Ha, Moon, Zhou & Ha, ESORICS

2008; Lai, Deng, Li, ACNS 2010) ; , g, , )

Experiment:

  • T

A O1 O2 O3 O4(R S);

  • T

c ← A1 O1,O2,O3,O4(R, S);

  • b∈ {0, 1};
  • When A2 makes queries to O1, O2, O3 on T

c 2

q

1, 2, 3 c

  • If b = 0, return oracles’ responses
  • Else (b = 1)
  • return c R C if query O1

A1 & A2 not allowed to

R

q y

1

  • return r R R if query O2
  • Return f R F if query O3
  • b’ ← A

query O4 on T

c

  • b ← A3
  • The advantage of adversary A = |Pr[b'=b]-1/2|

S t l h b t ti f U *

2010/12/6 9

  • Some protocols have been proven to satisfy Unp*-

privacy

slide-10
SLIDE 10

Relationships (Ma, Li, Deng, Li, CCS09)

  • Ind-privacy  Unp*-privacy

( f) ( ) f – Assume that (c, r, f) (R, T) satisfies Ind-privacy – Let (c, r|r, f)  ’(R,T) ’(R T) also satisfies Ind privacy but it does not satisfy –  (R,T) also satisfies Ind-privacy, but it does not satisfy Unp*-privacy

  • Ind privacy 

Unp* privacy

  • Ind-privacy 

Unp -privacy

  • Minimal requirement for RFID systems to

achieve RFID system privacy achieve RFID system privacy

– Unp*-privacy  PRF

2010/12/6 10

slide-11
SLIDE 11

RFID Privacy Preserving Authentication Protocol Design

Reader R Tag T c r

(optional)

f

  • Privacy requirements
  • Anonymity: Confidentiality of the tag identity

Anonymity: Confidentiality of the tag identity

  • Untraceability: Unlinkability of the tag’s

transactions

2010/12/6 11

slide-12
SLIDE 12

Symmetric Key Crypto Based Solution Solution

Reader R Tag T

Database D

(IDT, KT)

Tag ID Tag Secret IDT1 KT1 ID K IDT2 KT2 … … IDTn KTn

c r = prf(KT | c …), IDT

Exhaustive research to find a matching KT and then I DT

f (optional)

2010/12/6 12

slide-13
SLIDE 13

Symmetric Key Crypto & Counter Based Solution Based Solution

Reader R Tag T (KT, Ctr)

Database D

I D’ I D Secret Ctr

ID’T1 IDT1 KT1 CtrT1 ID’ ID K

c

ID T2 IDT2 KT2 … … IDTn ID’Tn KTn CtrTn ID’ = h(K Ctr)

Use I D’T as index to the database

f (optional)

ID’T, … ID T = h(KT, Ctr) Ctr  Ctr + 1

f (optional)

Must be able to recover from disynchronization attack

2010/12/6 13

u b ab

  • d y
  • a o

a a

slide-14
SLIDE 14

Public Key Crypto Based Solution

Reader R Tag T

Database D

(IDT, KT, PR) (SR)

Tag ID Tag Secret IDT1 KT1 IDT2 KT2

c

IDT2 KT2 … … IDTn KTn

c r = PKR(KT | IDT | c …) Use I DT as index to look for KT f (optional) f (optional)

PKC based protocols do not satisfy Unp*-privacy!

2010/12/6 14

PKC based protocols do not satisfy Unp privacy!

slide-15
SLIDE 15

Summary

  • Ind-Privacy and Unp*-Privacy models
  • No protocol has been directly proven to satisfy Ind
  • No protocol has been directly proven to satisfy Ind-

Privacy

  • Symmetric key based protocols can be designed to

satisfy Unp*-privacy, but not public key based protocols

  • ZK-privacy model (Deng, Li, Yung, Zhao, ESORICS 2010)

O t t f l ld i t d t t f – Output of real world experiment and output of simulated world experiment are indistinguishable – Both symmetric key and public key protocols can be Both symmetric key and public key protocols can be designed to satisfy zk-privacy

2010/12/6 15

slide-16
SLIDE 16

Acknowledgement

Junzuo LAI1 Tieyan LI2 Yingjiu LI1 Changshe MA3 Yunlei Zhao4

1. Singapore Management University 2 Institute for Infocomm Research Singapore 2. Institute for Infocomm Research, Singapore 3. South China Normal University 4. Fudan University

2010/12/6 16

y

slide-17
SLIDE 17

Thank You! Thank You!

2010/12/6

17