Slide 1: Ch. 17: Security of RFID
Slide 2: Roles of RFID applications
Diagram labels: Tags, Reader, Server (Database), Secure channel
Slides modified from presentation by Prof. HM Sun
Slide 3: Security Problems of RFID
• Eavesdropping
• Hot-listing
  ◦ Attacker has special interests in certain items
• Replay attack
• Cloning
• Tracing
• Data forging
• Denial of Service
Fundamental problem: Lack of mutual authentication
Slide 4: Physical Solutions for RFID
Slide 5: Physical Solutions
• Kill tag after purchase
• Faraday cage
• Active jamming
  ◦ Disables all RFID, including legitimate applications
  ◦ Guardian
• Blocker Tag
Slide 6: Killing approach
• Special command permanently de-activates tag after the product is purchased
• Disables many futuristic applications
Reference: www.rsa.com/rsalabs/staff/bios/ajuels/
Slide 7: Faraday Cage
• Container made of foil or metal mesh, impenetrable by radio signals of certain frequencies
  ◦ Shoplifters are already known to use foil-lined bags
• Maybe works for a wallet, but huge hassle in general
Reference: www.rsa.com/rsalabs/staff/bios/ajuels/
Slide 8: Blocker Tag (The RXA Pharmacy)
Reference: http://www.rfidjournal.com
Slide 9: Active Jamming (Guardian)
A mobile battery-powered device that offers personal RFID security and privacy management.
Reference: http://www.rfidguardian.org
Slide 10: How Does the Reader Read a Tag?
• When the reader sends a signal, more than one RFID tag may respond: this is a collision
  ◦ Reader cannot accurately read information from more than one tag at a time
• Reader must engage in a special singulation protocol to talk to each tag separately
• Tree-walking is a common singulation method
  ◦ Used by 915 MHz tags, expected to be the most common type in the U.S.
Reference: www.cs.utexas.edu/~shmat/
Slide 11: Blocker Tag: Tree Walking
[Figure: binary tree of prefixes (prefix=0, prefix=1; prefix=00, prefix=01, prefix=10, prefix=11) above the leaf IDs 000 001 010 011 100 101 110 111]
• Every tag has a k-bit identifier
• Reader broadcasts current prefix
• Each tag with this prefix responds with its next bit
• If responses don’t collide, reader adds 1 bit to current prefix, otherwise tries both possibilities
• This takes O(k × number of tags)
Reference: www.cs.utexas.edu/~shmat/
Slide 12: Blocker Tag: Example
[Figure: the same binary tree of prefixes above the leaf IDs 000 001 010 011 100 101 110 111]
1. Prefix=“empty”: responses Next=0, Next=1, Next=1. Collision!
1a. Prefix=0: response Next=0. No collision
2. Prefix=00: response Next=1. No collision
3. ID=001: Talk to tag 001
1b. Prefix=1: responses Next=1, Next=1. No collision
2. Prefix=11: responses Next=1, Next=0. Collision!
3a. ID=110: Talk to tag 110
3b. ID=111: Talk to tag 111
Reference: www.cs.utexas.edu/~shmat/
Slide 13: Blocker Tag
• A form of jamming: broadcast both “0” and “1” in response to any request from an RFID reader
  ◦ Guarantees collision no matter what tags are present
• To prevent illegitimate blocking, make blocker tag selective (block only certain ID ranges)
  ◦ E.g., blocker tag blocks all IDs with first bit=1
  ◦ Items on supermarket shelves have first bit=0
• Can’t block tags on unpurchased items (anti-shoplifting)
  ◦ After purchase, flip first bit on the tag from 0 to 1
[Rivest, Juels, Szydlo]
Reference: www.cs.utexas.edu/~shmat/
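Added example (not from the original slides): a Python simulation of the tree-walking singulation on slides 11 and 12 and of the blocker tag on slide 13, showing what the reader ends up seeing with no blocker, a selective blocker and a universal blocker. The function names, the `blocker_zone` parameter and the 96-bit ID length are assumptions made for illustration; the blocker is modelled as answering both bits to every prefix inside its zone.

```python
"""Tree-walking singulation with an optional blocker tag (added example)."""


def tree_walk(tags, k, blocker_zone=None):
    """Return (ids_seen, queries) for a reader singulating k-bit tag IDs.

    tags: iterable of k-character bit strings, e.g. "001".
    blocker_zone: None = no blocker, "" = universal blocker, "1" = selective
    blocker for IDs whose first bit is 1. Modelling assumption: the blocker
    answers both "0" and "1" to every prefix that lies inside its zone.
    """
    tags = list(tags)
    if any(len(t) != k or set(t) - {"0", "1"} for t in tags):
        raise ValueError("every tag ID must be a k-bit string")
    ids_seen, queries = [], 0

    def walk(prefix):
        nonlocal queries
        if len(prefix) == k:            # full ID singulated: talk to this tag
            ids_seen.append(prefix)
            return
        queries += 1                    # reader broadcasts the current prefix
        # Each tag matching the prefix responds with its next bit.
        replies = {t[len(prefix)] for t in tags if t.startswith(prefix)}
        if blocker_zone is not None and prefix.startswith(blocker_zone):
            replies = {"0", "1"}        # blocker forces a collision
        for bit in sorted(replies):     # one reply: extend; two: try both
            walk(prefix + bit)

    walk("")
    return ids_seen, queries


def phantom_ids(k, blocker_zone):
    """Number of IDs the reader must treat as present inside the zone."""
    return 2 ** (k - len(blocker_zone))


if __name__ == "__main__":
    tags = ["001", "110", "111"]        # constructed: the IDs from slide 12
    for label, zone in [("no blocker", None), ("selective, first bit=1", "1"),
                        ("universal", "")]:
        ids, q = tree_walk(tags, 3, zone)
        print(f"{label:24} queries={q} ids_seen={ids}")
    # Assumed 96-bit IDs: the walk inside the zone cannot finish in practice.
    print("96-bit IDs, zone '1':", phantom_ids(96, "1"), "candidate IDs")
```

With the selective blocker the shelf item 001 is still read normally, while every ID with first bit 1 appears present, so the reader cannot tell which purchased tags are really there.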
Slide 14: Security Issues of Mobile Tickets
* Slides modified from presentation by 何煒華
High-speed rail tickets
Slide 15: Security Issues
• Tampering
• Forgery
• Unauthorized use
• Copying, reuse
• Transfer (vs. copying)
Slide 16: Summary
• Security Concerns of RFID
• Security Concerns of mobile tickets