Document

Download Report

Transcript Document 

All slides © 2006 RSA Laboratories
RFID (Radio-Frequency IDentication)
takes many forms…
“RFID” really denotes a
spectrum of devices
Basic
“smart
label”
Toll payment
plaque
passive
semi-passive
passive
no crypto
no crypto
some crypto
few cm to
few meters
range
several meters
range
several cm
range
Automobile
ignition key
Mobile phone
“Smart labels”:
EPC (Electronic Product Code) tags
Barcode
EPC tag
Fast, automated
scanning
Line-of-sight
Specifies object type
Radio contact
Uniquely specifies object
Provides pointer
to database entry
for every object,
i.e., unique,
detailed history
2030: Week in the life of a milk carton
•
30 April: RFID-tagged cow “Bessie” produces milk
•
30 April: Milk transferred to RFID-tagged tank
–
•
1 May: RFID portal on truck records loading of refrigeration tanks
–
•
Cow identity and milking time recorded in tank-tag database
Truck also has active RFID (+GPS) to track geographical location and RFID
transponder to pay tolls
2 May: Chemical-treatment record written to database record for milk barrel
–
Bessie’s herd recorded to have consumed mustard grass; compensatory sugars added
to milk
•
3 May: Milk packaged in RFID-tagged carton; milk pedigree recorded in
database associated with carton tag
•
•
•
•
4 May: RFID portal at supermarket loading dock records arrival of carton
5 May: “Smart” shelf records arrival of carton in customer area
5 May 0930h: “Smart” shelf records removal of milk
5 May 0953h: Point-of-sale terminal records sale of milk (to Alice)
2030: Week in the life of a milk carton
•
6 May 0953h: Supermarket transfers carton tag ownership to Alice’s smart
home
•
•
6 May 1103h: Alice’s refrigerator records arrival of milk
6 May 1405h: Alice’s refrigerator records removal of milk; refrigerator looks up
database-recorded pedigree and displays: “Woodstock, Vermont, Grade A, light
pasturization, artisanal, USDA organic, breed: Jersey, genetic design #81726”
•
6 May 1807h: Alice’s “smart” home warns domestic robot that milk has been left
out of refrigerator for more than four hours
6 May 1809h: Alice’s refrigerator records replacement of milk
•
•
7 May 0530h: Domestic robot uses RFID tag to locate milk in refrigerator; refills
baby bottle
2030: Week in the life of a milk carton
•
6 May 0953h: Supermarket transfers carton tag ownership to Alice’s smart
home
•
•
6 May 1103h: Alice’s refrigerator records arrival of milk
6 May 1405h: Alice’s refrigerator records removal of milk; refrigerator looks up
database-recorded pedigree and displays: “Woodstock, Vermont, Grade A, light
pasturization, artisanal, USDA organic, breed: Jersey, genetic design #81726”
•
6 May 1807h: Alice’s “smart” home warns domestic robot that milk has been left
out of refrigerator for more than four hours
6 May 1809h: Alice’s refrigerator records replacement of milk
•
•
•
•
7 May 0530h: Domestic robot uses RFID tag to locate milk in refrigerator; refills
baby bottle
7 May 0531h: Robot discards carton; “Smart” refrigerator notes absence of milk;
transfers order to Alice’s PDA/phone/portable server grocery list
7 May 2357h: Recycling center scans RFID tag on carton; directs carton to
paper-brick recycling substation
RFID Today: IN Your POcket
Note: Often just emit static identifiers, i.e., they are just smart labels!
Proximity cards
in your pocket
RFID helps secure hundreds of millions of automobiles
•Cryptographic challenge-response
•Philips claims more than 90% reduction in car theft thanks to RFID!
•Note: some devices, e.g., Texas Instruments DST, are weak…
f
Automobile ignition keys
in your pocket
•ExxonMobil SpeedpassTM
•RFID now offered in all major credit cards in U.S.…
Payment devices
in ANIMALs
• Cattle
• Housepets
50 million+
“Not Really Mad”
The cat came back,
the very next day…
on People
•
•
•
•
Schools
Amusement parks
Hospitals
In the same vein: mobile phones with GPS…
In PAssports
• Dozens of countries issuing or soon to issue
RFID-enabled passports
• Other identity documents, e.g., drivers’
licenses, to follow
In Mobile phones
NFC (Near-Field Consortium)
Showtimes:
16.00, 19.00
• Also, ticket purchases, payments, comparison shopping
Phone can act as reader or tag
• NFC is a general-purpose protocol
• Already available in some models
In Currency?
• Talk in 2003-4 of planting RFID tags in 10,000 Yen
banknotes and Euro banknotes
• Talk has dissipated
• Main interest: anti-counterfeiting
In pharmaceuticals
• Anti-counterfeiting: Better supply-chain
visibility means less fraud
– U.S. govt. urging RFID to combat counterfeiting of drugs
• Medical compliance: Greater independence
(and privacy!), particularly for elderly
The consumer privacy problem
Here’s
Mr. Jones
in 2020…
Wig
Replacement hip
model #4456
medical part #459382
(cheap
polyester)
Das Kapital and
Communistparty handbook
1500 Euros
in wallet
30 items
of lingerie
Serial numbers:
597387,389473
…
…and the tracking problem
Wig
serial #A817TS8
• Mr. Jones pays with a credit card; his RFID tags now linked to
his identity; determines level of customer service
– Think of car dealerships using drivers’ licenses to run credit
checks…
• Mr. Jones attends a political rally; law enforcement scans his
RFID tags
• Mr. Jones wins Turing Award; physically tracked by paparazzi
via RFID
Suica
Image courtesy of Kevin Fu
Suica
Images courtesy of Kevin Fu
What data are vulnerable?
CURRENT BALANCE
Travel history:
visited stations
and dates
Details of
merchandise
purchase
Image courtesy of Kevin Fu
RFID privacy
Only definitive way to achieve privacy is:
– Emit an identifier only
– Change identifier across reads
Wig serial
#A817TS8u
RFID privacy
Only definitive way to achieve privacy is:
– Emit only an identifier
– Change identifier across reads
#A817TS8u
RFID privacy
Only definitive way to achieve privacy is:
– Emit only an identifier
– Change identifier across reads
#Z87d68aK
The authentication problem
Good readers, bad tags
Mr. Jones in 2020
Counterfeit!
Replacement hip
medical part #459382
Mr. Jones’s car is stolen!
1500 Euros
in wallet
Mad-cow
hamburger
lunch
Counterfeit!
Serial numbers:
597387,389473
…
Won’t crypto solve our problems?
Side-channel countermeasures
AES
We can do:
• Challenge-response for
authentication
• Mutual authentication
and/or encryption for
privacy
But:
1. Moore’s Law vs. pricing
pressure
2. Beyond simple
“terrestrial” problems,
basic cryptography may
not be enough…
This is the theme of our talk!
Simple authentication:
Possession is the law
• How does Alice’s refrigerator get read/write privileges for
the history for the milk carton bearing tag T?
• The straightforward approach:
– A central registry R shares symmetric key k with the tag T
– Alice’s refrigerator acts as authentication proxy between R and T
– Tag T authenticates via challenge-response
c
k
Registry R
r = fk(c)
c
r = fk(c)
k
Simple authentication:
Possession is the law
• But what if the tag is on Alice’s
wristwatch?
– Should any nearby reader be able to read tag
history?
– Should any nearby reader be able to modify
tag history?
• What if registry R is unavailable?
– Will the tag carry information on board?
– If so, who can access it?
– Does Alice’s baby get its milk?
The VeriChipTM
+
= ???
Human-implantable RFID
The VeriChipTM
• Proposed for medical-patient identification
• Also proposed and used as an authenticator for
physical access control, a “prosthetic biometric”
– E.g., Mexican attorney general purportedly used for
access to secure facility
+
=
• What kind of cryptography does it have?
– None: It can be easily cloned
• So shouldn’t we add a challenge-response
protocol?
Human-implantable RFID
• Cloning may actually be a good thing
The VeriChipTM
• Physical coercion and attack
– In 2005, a man in Malaysia had his fingertip cut off by
thieves stealing his biometric-enabled Mercedes
– What would happen if the VeriChip were used to
access ATM machines and secure facilities?
• Perhaps it is better then if tags can be cloned
and are not used for authentication—only for
identification
• But if a tag is cloneable, and used for
identification, does that mean that privacy is
impossible?
– I.e., does cloneability imply an ability to track?
Private identification
• A very simple scheme allows for
simultaneous cloneability and privacy
• El Gamal public-key cryptosystem:
– Randomized scheme: C = EPK,r [m]
– Semantic security: Cannot distinguish between
ciphertexts C and C’ on known plaintexts without
knowledge of SK
• Adversary cannot distinguish between
C = EPK,r [Alice] and C’ = EPK,r’ [Bob]
Private identification
Our simple scheme:
Officer
Alice
SK
“Proceed to
authenticate
Officer Alice”
Private identification
Take two:
Officer
Alice
SK
“Proceed to
authenticate
Officer Alice”
Private identification
• Semantic security → An attacker who intercepts C
and C’ cannot tell if they come from the same chip
– Attacker cannot identify or track Alice
• But attacker can still clone Alice’s chip!
• El Gamal re-encryption (homomorphism):
– Let U = EPK,r [1] have uniformly random r
– Then given C = EPK,r’ [m], the distribution CxU is uniform
over ciphertexts on m
• Clone chip selects U and outputs CxU
• Clone chip is indistinguishable from Alice’s!
Attacker’s perspective
Alice’s
chip
Attacker’s perspective
Attacker can simulate Alice’s chip, but…
•He cannot track Alice
•He may not even know whose chip he’s cloned!
“Proceed to
authenticate
Officer Alice”
The covert-channel problem
Suppose there is a secret sensor…
Officer
Alice
SK
“Officer Alice
has low blood
pressure and
high blood-alcohol”
The covert-channel problem
Suppose there is a secret sensor…
Officer
Alice
SK
“Officer Alice
recently passed near
the RFID reader of a
casino”
The covert-channel problem
Suppose there is a secret sensor…
Officer
Alice
SK
“Mercury switch
indicates that Officer
Alice took a nap
this afternoon.”
How can we ensure no covert
channels?
• Must make outputs deterministic
• Can also, e.g., give PRNG keys to Alice
• But can we:
– Allow Alice to verify covert-freeness without
exposing secret keys to her?
– Enable a third party to verify covert-freeness?
• It turns out that privacy and such verifiable
covert-freeness are contradictory!
Covert-freeness detector
A
A’
“No covert
channel”
“Yes, covert
channel
suspected”
Here’s a covert channel!
1. Create identifier for Bob
•
Bob need not actually own a chip
2. Alice’s chip does following:
•
•
If no nap, output ciphertexts A, A’, A’’,
etc. with Alice’s identity
If Alice has taken a nap, output
ciphertexts B,B’,B’’, etc. with Bob’s
identity
Suppose we detect
the covert channel…
A
“No covert
channel”
A’
Suppose we detect
the covert channel…
A
“Yes, covert
channel
B
suspected”
Then we can distinguish between
Alice and Bob: Privacy is broken!
A
“Yes, covert
channel
B
suspected”
Then we can distinguish between
Alice and Bob: Privacy is broken!
A
“A and B
B
represent
different
people”
Covert-freeness and privacy?
• Let’s change (relax) the definition of privacy!
• If non-sequential tag outputs are checked,
detector learns nothing…
READ EVENTS
“?????”
Covert-freeness and privacy?
• Detector can do pairwise check only…
• Achievable “efficiently” with pairings-based cryptography
(ECC)
READ EVENTS
“Covert-free pair”
Covert-freeness and privacy?
• Privacy is largely preserved because of locality
• Covert-freeness checkable probabilistically, i.e.,
with spot checks
READ EVENTS
“Covert-free pair”
Returning to basic issue of privacy:
Kill codes
•
EPC tags have a “kill” function
•
•
•
Developed for EPC to protect consumers
after point of sale
•
•
•
On receiving password, tag self-destructs
Tag is permanently inoperative
“Dead tags tell no tales”
Privacy is preserved
Simple and categorical, but not a wholly
satisfying solution…
Problem 1:
Post-consumer uses of tags
k
Dead tags perhaps not harmful, but certainly
not beneficial…
Problem 2: RF signatures
•
Y. Oren and A. Shamir attacked EPC kill passwords via over-theair power analysis
Found that dead tags are detectable!
•
–
•
Backscatter from antennas
Hypothesize manufacturer type may be learnable
•3 type A tags (merchandise)
•2 type B tags (medication)
•10 type C tags (500-Euro banknotes)
•
•
Probably of limited significance, but still bears on privacy
Do tags possess uniquely detectable RF fingerprints?
–
•
Device signatures a staple of electronic warfare
Cryptography would not help here!
So what might solve our problems?
• The fact that privacy is not RFID specific
• Laws and policy
• RFID security as a database problem
– Reduces problem to access control, but:
– Accept tracking of identifiers
– Create further dependence on network
connectivity
So what might solve our problems?
• Higher-powered intermediaries like mobile
phones
– RFID “Guardian” and RFID REP
Please show reader
certificate and
privileges
So what might solve our problems?
• Cryptography!
– Urgent need for cheaper hardware for primitives and better sidechannel defenses
• Some of talk really in outer limits, but basic caveats are
important:
– Pressure to build a smaller, cheaper tags without cryptography
– RFID tags are close and personal, giving privacy a special
dimension
– RFID tags change ownership frequently
– Key management will be a major problem
• Think for a moment after this talk about distribution of kill
passwords…
• Are there good hardware approaches to key distribution, e.g.,
proximity as measure of trust
To learn more
• Largely collaborative work within RFID CUSP
– www.rfid-cusp.org
– Papers available on publications page
• Papers:
– “RFID security and privacy: a research survey”
– “The security implications of VeriChipTM cloning,”
• Joint work with J. Halamka, A. Stubblefield, and J. Westhues
– “Covert channels in privacy-preserving identification systems”
• Forthcoming joint work with Dan Bailey
– “Power analysis of RFID tags” (on Internet; not RFID-CUSP)
• Y. Oren and A. Shamir