Post on 26-Dec-2015


Page 1: Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories

Introduction to RFID Security and Privacy

Ari Juels

Chief Scientist

RSA, The Security Division of EMC

RFIDSec 2011 Tutorial

All slides © 2011, RSA Laboratories

Page 2:

Part II: RFID Privacy

Page 3:

There are two types of RFID privacy

1. Tracking privacy: Protection against physical tracking via unique identifiers

2. Content privacy: Protection against unauthorized scanning of data stored on tag

Page 4:

Why physical considerations say we should forget about tracking privacy…

Page 5:

Ms. Smith and her privacy-preserving RFID tag

“87D6CAA7F” = “Ms. Smith”

Page 6:

Ms. Smith and her privacy-preserving RFID tag

What about PET (Privacy Enhancing Technologies) for pets?

Page 7:

Ms. Smith and her privacy-preserving RFID tag

What about Ms. Smith’s face?

Page 8:

Ms. Smith and her privacy-preserving RFID tag

What about Ms. Smith’s mobile phone?

Page 9:

Ms. Smith and her privacy-preserving RFID tag

Are we still worried about this circle???

Page 10:

Well, suppose we are still worried…

We can change identifiers, right?

“87D6CAA7F”

“5ED6CF4C8”

“9816F271BB”

“D7612A873C”

Page 11:

Changing identifiers won’t work

• Physical-Layer Identification of RFID Devices
  – Danev, Heydt-Benjamin, and Capkun
  – USENIX Security ’09
• Extract hardware “fingerprint” based on power modulation
• Show that it is possible to identify RFID tags over the air with > 2% at ERR
  – This will improve, of course

[Figure: Logical Layer (data, crypto protocols) above Physical Layer (power modulation); protocol messages r and s, fx(r,s)]

Page 12:

Changing identifiers won’t work

• What does this mean for the dozens of papers on anti-tracking privacy?
• I’d argue that we should give up on anonymity
  – Not just in RFID
• Emphasis on content privacy makes more sense

[Figure: Logical Layer (data, crypto protocols) above Physical Layer (power modulation); protocol messages r and s, fx(r,s); tag contents: Serial #878SBE871, “Oxycontin, 160 mg”]

Page 13:

Content Privacy via “Blocker” Tags

Page 14:

The “Blocker” Tag

Page 15:

“Blocker” Tag

Blocker simulates all (billions of) possible tag serial numbers!!

1, 2, 3, …, 2023 pairs of sneakers and… 1800 books and a washing machine and… (reading fails)…

Page 16:

“Tree-walking” anti-collision protocol for RFID tags

[Figure: binary tree of tag ID prefixes. Root: ?; depth 1: 0, 1; depth 2: 00, 01, 10, 11; leaves: 000, 001, 010, 011, 100, 101, 110, 111]

Page 17:

In a nutshell

• “Tree-walking” protocol for identifying tags recursively asks question:
  – “What is your next bit?”
• Blocker tag always says both ‘0’ and ‘1’!
  – Makes it seem like all possible tags are present
  – Reader cannot figure out which tags are actually present
  – Number of possible tags is huge (at least a billion billion), so reader stalls

Page 18:

[Figure label: Two bottles of Merlot #458790]

Blocker tag system should protect privacy but still avoid blocking unpurchased items

Page 19:

Consumer privacy + commercial security

• Blocker tag can be selective:
  – Privacy zones: Only block certain ranges of RFID-tag serial numbers
  – Zone mobility: Allow shops to move items into privacy zone upon purchase
• Example:
  – Blocker blocks all identifiers with leading ‘1’ bit
  – Items in supermarket carry leading ‘0’ bit
  – On checkout, leading bit is flipped from ‘0’ to ‘1’
    • PIN required, as for “kill” operation

Page 20:

Blocking with privacy zones

[Figure: binary tree of tag ID prefixes (depth 1: 0, 1; depth 2: 00, 01, 10, 11; leaves: 000, 001, 010, 011, 100, 101, 110, 111) with a marked “Privacy zone”; arrow labeled “Transfer to privacy zone on purchase of item”]

Page 21:

Polite blocking

• We want reader to scan privacy zone when blocker is not present
  – Aim of blocker is to keep functionality active – when desired by owner
• But if reader attempts to scan when blocker is present, it will stall!
• Polite blocking: Blocker informs reader of its presence

[Figure caption: “Your humble servant requests that you not scan the privacy zone”]
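
Added example, not from the slides: a Python simulation of the tree-walking protocol with a blocker tag, covering the block-everything case from the "In a nutshell" slide, the leading-‘1’ privacy zone with the checkout bit flip, and polite blocking. The 16-bit IDs, tag values, query budget and all function names are assumptions made for the demonstration.

```python
# Added illustration (not from the slides): tree-walking singulation against a
# blocker tag. ID_BITS, BUDGET and every tag ID below are constructed values.
ID_BITS = 16       # real tag identifiers are much longer
BUDGET = 10_000    # queries the reader issues before giving up

def responses(prefix, tags, zone):
    """Bits the reader hears when it asks tags matching `prefix` for their next bit."""
    bits = {t[len(prefix)] for t in tags if t.startswith(prefix)}
    if zone is not None:
        if prefix.startswith(zone):        # inside the privacy zone:
            bits |= {"0", "1"}             # blocker says both '0' and '1'
        elif zone.startswith(prefix):      # on the path down to the zone:
            bits.add(zone[len(prefix)])    # blocker answers like a tag in the zone
    return bits

def tree_walk(tags, zone=None, polite=False):
    """Depth-first tree walk. Returns (ids_read, queries, stalled)."""
    read, queries, stack = [], 0, [""]
    while stack:
        prefix = stack.pop()
        if polite and zone is not None and prefix.startswith(zone):
            continue                       # reader was told not to scan the zone
        if len(prefix) == ID_BITS:
            read.append(prefix)            # full ID singulated (or simulated)
            continue
        if queries >= BUDGET:
            return read, queries, True     # reader stalls
        queries += 1
        for bit in sorted(responses(prefix, tags, zone), reverse=True):
            stack.append(prefix + bit)     # pushed last, so '0' is walked first
    return read, queries, False

def checkout(tag_id):
    """Zone mobility: flip the leading bit to '1' (PIN-protected on a real tag)."""
    return "1" + tag_id[1:]

SHELF = ["0000000000101101", "0011010000000111"]            # unpurchased items
BAG = [checkout("0101010101010101"), checkout("0110000000000001")]  # purchased

if __name__ == "__main__":
    cases = {"no blocker": {}, "blocker, zone '1'": {"zone": "1"},
             "polite, zone '1'": {"zone": "1", "polite": True},
             "block everything": {"zone": ""}}
    for name, kw in cases.items():
        read, queries, stalled = tree_walk(SHELF + BAG, **kw)
        print(f"{name:18} read={len(read):5} queries={queries:6} stalled={stalled}")
```

With the zone-‘1’ blocker the reader still reads both shelf tags, then spends the rest of its budget inside the privacy zone collecting simulated IDs; with polite blocking it skips the zone and finishes after 29 queries.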

Page 22:

More about blocker tags

• Blocker tag can be cheap
  – Essentially just a “yes” tag and “no” tag with a little extra logic
  – Can be embedded in shopping bags, etc.
• With multiple privacy zones, sophisticated, e.g., graduated policies are possible

Page 23:

An Example: The RXA Pharmacy

Page 24:

RFID-tagged bottle + “Blocker” bag

Page 25:

RFID-tagged bottle + “Blocker” bag

Page 26:

“Soft” Blocking

• Idea: Implement polite blocking only – no hardware blocking
  – A little like P3P…
• External audit possible: Can detect if readers scanning privacy zone
• Advantages:
  – “Soft blocker” tag is an ordinary RFID tag
  – Flexible policy:
    • “Opt-in” now possible
    • e.g., “Medical deblocker” now possible
• Weaker privacy, but can combine with “hard” blocker

Page 27:

Smart blocking approach: Personal Simulator or Proxy for RFID

• Those phones with NFC could someday get more general-purpose radios…
• We might imagine a simulation lifecycle:
  – Mobile phone “acquires” tag when in proximity
  – Mobile phone simulates tags to readers, enforcing user privacy policy
  – Mobile phone “releases” tags when tags about to exit range

Page 28:

Content Privacy via Dispersion

Page 29:

Keeping the customer satisfied…

• “I want a rock-solid encryption algorithm… with 20-bit keys.”

• “I want my retail stores to be able to read RFID-tagged items… but I want tags to be unreadable after sale… and I don’t want to have to kill or rewrite or block them…”

Page 30:

EPC tags and privacy

• Recall that EPC tags have no true cryptographic functionality
• One true, explicit EPC privacy feature: Kill
  – On receiving tag-specific PIN, tag self-destructs
  – Tag is “dead in the Biblical sense” (S. Sarma)
• But commercial RFID users say:
  – They do not want to manage kill PINs
  – They have no channel to communicate secret keys downstream in supply chain
  – Key transport is a big problem!!!

Page 31:

Our approach: Put the secret keys on the tags

• Encrypt tag data under secret key
• Apply secret sharing to spread key across tags in crate
  – E.g., (s1, s2, s3)

[Figure: three tags storing E(m1) and s1, E(m2) and s2, E(m3) and s3]

Page 32:

Our approach: Put the secret keys on the tags

• Encrypt tag data under secret key
• Apply secret sharing to spread key across tags in crate
  – E.g., (s1, s2, s3)

[Figure: three tags storing E(m1) and s1, E(m2) and s2, E(m3) and s3; decrypted tag data: Supersteroids 500mg; 100 count / Serial #87263YHG / Mfg: ABC Inc. / Exp: 6 Mar 2010]

Page 33:

Privacy through dispersion

Page 34:

Privacy through dispersion

[Figure: three dispersed tags, each on an item labeled (Super-Steroids), storing E(m1) and s1, E(m2) and s2, E(m3) and s3]

Individual shares / small sets reveal no information about medication!

Page 35:

Use case: Privacy protection on medications

Step 1: Receive crate at pharmacy

Step 2: Pharmacy reads tags, gets keys, decrypts data

Step 3: Tags and data are dispersed

[Figure label: Data]
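
Added example, not from the slides: the crate scheme of the preceding slides in Python, with textbook Shamir secret sharing as the secret-sharing step and a toy hash-based XOR cipher standing in for E. The threshold, field size, item strings and all function names are assumptions made for the demonstration.

```python
# Added illustration (not from the slides): a crate key spread across the
# crate's tags with textbook Shamir sharing. The field size, threshold, toy
# cipher and item strings are assumptions made for the demonstration.
import hashlib
import secrets

P = 2**127 - 1   # prime modulus; each share value needs about 128 bits

def split(secret, k, n):
    """Shares (x, f(x)) of a random degree k-1 polynomial with f(0) = secret."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]

def recover(shares):
    """Lagrange interpolation at x = 0 over whatever shares were scanned."""
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * -xj % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret

def toy_cipher(key, x, data):
    """Stand-in for E: XOR with a SHA-256 keystream bound to key and tag index."""
    stream = hashlib.sha256(key.to_bytes(16, "big") + bytes([x])).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def pack_crate(messages, k):
    """Each tag stores (E(m_i), s_i); the key itself is stored nowhere."""
    key = secrets.randbelow(P)
    shares = split(key, k, len(messages))
    return [(toy_cipher(key, s[0], m), s) for m, s in zip(messages, shares)]

def read_tags(tags):
    """Interpolate a key from the shares in range and decrypt with it."""
    key = recover([share for _, share in tags])
    return [toy_cipher(key, share[0], c) for c, share in tags]

CRATE = [b"item 1, serial A-0001", b"item 2, serial A-0002",
         b"item 3, serial A-0003", b"item 4, serial A-0004"]   # constructed

if __name__ == "__main__":
    tags = pack_crate(CRATE, k=3)
    print("whole crate decrypts:", read_tags(tags) == CRATE)
    print("two dispersed tags decrypt:", read_tags(tags[:2]) == CRATE[:2])
```

A reader that sees the whole crate, or any three of its tags, recovers the key and the item data; a reader that sees one or two dispersed tags interpolates a wrong key and gets noise.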

Page 36:

Some challenges

1. Storage is at a premium in EPC, but no secret-sharing literature on “tiny” shares
   • “Short” shares are 128 bits, but we may want 16 bits or less!
2. Scanning errors
   • We need robustness in our secret-sharing scheme

Page 37:

Some challenges

3. In-store key harvesting
   • Preventive idea: Add “chaff,” i.e., bogus or “noise” shares
   • If secret-sharing scheme for crate can tolerate d errors, then add 2d/3 bogus shares per crate
   • Can recover from d/3 errors in single crate
   • Hard to reconstruct secrets for two crates mixed together, as we have 4d/3 > d errors
   • “Overinformed” adversary