Security and privacy in RFID

Transcription

1 Security and privacy in RFID Jihoon Cho ISG PhD Student Seminar 8 November 2007

2 Outline 1 RFID Primer 2 Passive RFID tags 3 Issues on Security and Privacy 4 Basic Tags 5 Symmetric-key Tags 6 Conclusion

4 Radio Frequency Identification RFID is a family of emerging technologies for automated identification of objects and people, and the system components are 1 RFID tag 2 RFID reader attached/embedded to/into items to be identified transmits data over the air in response to interrogation by an RFID reader consists of coupling element for communications (and also possibly power supply) and microchip forms the radio interface to tags provides high-level interface to a host computer system to transmit the captured tag data 3 Back-end Server maintains relevant information for identification process

5 Radio Frequency Identification RFID is a family of emerging technologies for automated identification of objects and people, and the system components are 1 RFID tag 2 RFID reader attached/embedded to/into items to be identified transmits data over the air in response to interrogation by an RFID reader consists of coupling element for communications (and also possibly power supply) and microchip forms the radio interface to tags provides high-level interface to a host computer system to transmit the captured tag data 3 Back-end Server maintains relevant information for identification process

6 RFID tags

7 Active vs. Passive Active tags Passive tags Power Source battery powered powered by radio waves Life limited by battery unlimited Range up to hundreds of meters up to 3-5m Cost $ $

8 Current RFID applications 1 Supply-chain/inventory management Electronic Product Code (EPC) tags (under development) containers and crates/pallets tracking 2 Asset-tracking system health-care information system (partly currently used) (drug/medicine identification and staff/patient tracking) e-passport (under development) children and animal (pet) tracking library baggage handling in airport 3 Access control proximity card car immobiliser 4 Contactless payment system SpeedPass TM, American Express ExpressPay TM, Mastercard PayPass TM

9 RFID becomes ubiquitous Advantages of RFID RFID has been originally suggested as a successor to the optical barcode 1 Automation - no line-of-sight contact with readers and no human intervention 2 Unique identification - not only a generic product identifier but an individual serial number What s behind RFID 1 Efforts of large organisations such as WalMart, US DoD, and etc 2 Tag cost dropping and RFID standardisation 3 Development of EPC technologies

12 Electronic Product Code & EPCglobal 1 EPC tag is a Barcode-type RFID device 2 EPCgolbal : an organization set up to achieve world-wide adoption and standardization of EPC technology 3 EPCglobal is currently working on reader and tag communication protocols middleware between reader and enterprise systems Object Name Service (ONS) with VeriSign EPC Information Service (EPC-IS) and EPC Discovery Service (EPC-DS)

13 RFID Standards 1 Standards for logistic applications ISO/IEC ISO/IEC ISO/IEC Standards for automatic livestock identification ISO ISO Standards for vicinity coupling cards ISO/IEC ISO/IEC ISO/IEC ISO/IEC Supply-chain management EPC (under development)

15 Issues on passive tags 1 Passive tags with very limited memory and logical gates will be mostly deployed in mass market 2 Most of current privacy concerns focus on applications using passive tags, and those include smart check-out in supermarket RFID-enabled banknote medical drugs and luxury goods human identification through tag injection under skin 3 Active tags are assumed to provide strong security and privacy protection with strong cryptographic primitives

16 Coupling and Frequencies 1 Frequency bands LF (Low Frequency): khz HF (High Frequency): MHz UHF (Ultra High Frequency): 868/915 MHz MW (Microwave): 2.45 and 5.8 GHz 2 Due to process known coupling Inductive coupling within the near field region Electromagnetic coupling in the far field

18 Read range issues 1 Nominal read range maximum distance at which a normally operating reader (with ordinary antenna and ordinary power output) can reliably scan tag data ex. ISO : 10cm 2 Rogue read range a determined attacker might still achieve longer distances using larger antenna and/or higher signal transmission power ex. ISO : 50cm 3 Tag-to-reader eavesdropping read range once a tag is powered, a second reader can monitor resulting tag emissions without itself outputting signal might be longer than rogue read range 4 Reader-to-tag eavesdropping read range this signal can be received hundreds of meters away

19 Privacy

20 Privacy (I) Tags respond to reader interrogation without alerting their owners or bears, and most tags emit unique identifiers 1 Location privacy pooled several clandestine scans reveals a tag bearer s whereabout along a tag reading infrastructure 2 Data privacy certain tags such as EPC tags carry information about items EPC tag bearers are subject to clandestine inventorying Privacy, however, is not just consumer concerns - ex. military or company supply-chain management

23 Privacy (II) 1 Euro banknote in 2001, European Central Bank planed to embed RFID tags into banknote as anti-counterfeiting measure it seems increasingly implausible due to technical difficulties 2 Human-implantable chips VeriChip TM for health-care information system flamed the passion of privacy advocates 3 E-passport ICAO (International Civil Aviation Organisation) promulgated the guideline for RFID-enabled passport the US has mandated the adoption of these standards by VISA-waiver countries delayed due to technical challenges

24 Authentication 1 Privacy concerns that bad readers harvest information from good tags, but authentication concerns that good readers detect bad tags 2 EPC tags are vulnerable to simple counterfeiting attacks 3 Detect cloning by consistent and centralised data collection, but not always possible 4 Various countermeasures but permit limited solutions

25 Adversary Model 1 RFID system is secure and private for what? formal model that characterises the capabilities of potential adversaries - as form of a game in cryptography 2 We need formulation of weakened security models that accurately reflects real-world threat and real-world tag capabilities 3 Multiple communication layers in RFID systems cryptographic security models captures top-layer communication protocols between tags and readers need to consider low layer and physical levels of communications 4 Security models in literatures Okubo, Szuki, and Kinoshita ( 03) (symmetric-tags) Juels ( 04) - Minimalist security model (basic tags) Juels and Weis ( 06) - Strong privacy model (symmetric-key tags) Avoine ( 05) Zhang and King ( 08)

27 Killing 1 Dead tags cannot talk - Kill the TAG 2 Currently in EPC Class-1 Gen-2 tags 3 When an EPC tag receives a kill command from a reader, it renders itself permanently inoperative 4 Kill command is PIN-protected 5 It eliminates all of the post-purchase benefits of RFID

28 Re-naming approaches : Minimalist 1 Tags contain small collection of pseudonyms and release a different one upon each reader inquiry 2 Throttle tag replies to prevent rogue readers rapidly reading out all available pseudonyms of tags in a single sweep, it slows down response for quick interrogations

29 Re-naming approaches : re-encryption (I) 1 Juels and Pappu ( 03) proposed public key re-encryption scheme to enhance consumer privacy for RFID-enabled banknote 2 Scheme law enforcement holds private/public key pair (x, y) of ElGamal encryption scheme banknote serial number s encrypted to c = E y (s) to prevent malicious tracing, c is periodically re-encrypted to c to prevent malicious writing, keyed writing by optical-scanning the banknote 3 They introduced the principle that cryptography can enhance tag privacy, even when tags themselves cannot perform cryptographic operations

30 Re-naming approaches : re-encryption (II) 1 What about if we have multiple key pairs? 2 Including a public key in tags, however, permits certain degree of malicious tracking and profiling 3 Universal re-encryption permits re-encryption without knowledge of the corresponding public key in public-key encryption schemes 4 Golle et al. ( 04) proposed ElGamal-based universal re-encryption 5 It suffers from serious attacks, since it does not preserve integrity

31 Re-naming approaches: re-encryption (III) 1 Ateniese, Camenisch, and de Medeiros ( 05) 2 Insubvertible encryption scheme which also permits universal re-encrpytion 3 Ciphertext is digitally singed by a CA and permits anyone to verify the authenticity of the ciphertext 4 To prevent malicious tracing, the ciphertext as well as signature can be randomisable by any entity

32 Proxy approach Consumers carry their own privacy-enforcing devices (proxies) 1 Watchdog tags audit system for RFID privacy monitor ambient scanning of tags and collect information form readers 2 RFID Guardian or RFID Enhancer Proxy (REP) batter-powered personal RFID firewall intermediates reader request to tags and selectively simulates tags under its control can implement sophisticated privacy policies further research includes how a Guardian or REP should acquire and release control of tags and associated PINs and keys

33 Proxy approach Consumers carry their own privacy-enforcing devices (proxies) 1 Watchdog tags audit system for RFID privacy monitor ambient scanning of tags and collect information form readers 2 RFID Guardian or RFID Enhancer Proxy (REP) batter-powered personal RFID firewall intermediates reader request to tags and selectively simulates tags under its control can implement sophisticated privacy policies further research includes how a Guardian or REP should acquire and release control of tags and associated PINs and keys

34 Distant measurement 1 The distance between tags and readers serve as a metric for trust 2 Fishkin, Roy, and Jiang ( 04) signal-to-noise ratio of reader signal provides rough metric of distance when scanned in a distance, expose little information release its unique identifier only at close range

35 Blocking tags 1 It jams tree-based anti-collision protocols, thus making impossible to read out tags nearby 2 As cheap to manufacture, it could be integrated into paper bags 3 To prevent jamming of legitimate readers, a privacy bit is set during check-out

37 Assumptions 1 Tags are assumed to perform keyed hash function or hardware efficient symmetric encryption scheme (and also often assumed to have a pseudo random number generator) 2 We assume a centralised system, where readers have constant access to their back-end server 3 Notations we have n tags each tag T i contains in memory a shared secret key k i with the server

38 Authentication 1 Simple challenge-response protocol prevents cloning T i R : ID Ti T i R : P T i R : h(k i, P) or e ki (P) In practice, resource constraints in commercial tags sometimes leads to deployment of weak cryptographic primitives 2 Digital Signature Transponder (DST) currently a theft-deterrent in automobiles and SpeedPass TM use the protocol described above broken since they expect security through obscurity to overcome short key-length

41 Reverse-engineering & Side channels 1 Reverse engineering physical invasive attacks possible tags are too inexpensive to include temper-resistance mechanism 2 Side channels - potentially serious threat in RFID Timing attacks - extract information based on variations in the rate of computation of target devices - over-the-air timing attacks against tags : open research topic Power analysis attacks - measure electromagnetic emanation - exploit measurable variations in power consumption

42 Reverse-engineering & Side channels 1 Reverse engineering physical invasive attacks possible tags are too inexpensive to include temper-resistance mechanism 2 Side channels - potentially serious threat in RFID Timing attacks - extract information based on variations in the rate of computation of target devices - over-the-air timing attacks against tags : open research topic Power analysis attacks - measure electromagnetic emanation - exploit measurable variations in power consumption

43 Relay attacks 1 Relay attack is always possible no matter how well designed cryptographic protocols in RFID systems and no matter how strong cryptographic primitives are used 2 Often security based on assumption - limited read range of tags 3 Attack allows proximity cards to open a door or RFID-based credit cards to effect payment from a kilometer away RFID TAG Leech Ghost RFID Reader Figure of Relay attack in RFID systems

44 Privacy 1 Paradox if a tag emits identifier in challenge-response protocol, no privacy if a reader does not know which tag it is interrogating, it cannot determine which key to use 2 Key search: straightforward but heavy solution tag emits E = f ki (P) reader searches from the space of all keys K = {k j } j for a key k K such that f k (P) = E 3 Weis, Sarma, Rivest, and Engel ( 03) 4 The computational cost of key-search for the reader is linear in the number of tags, thus key search is prohibitively costly in large systems 5 More efficient solutions?

47 Tree approach 1 Molnar and Wagner ( 04) each node (or edge) is associated with a key each tag is assigned to a unique leaf tag contains the keys defined from a root to the leaf if we have a depth d and branching factor b, each tag contains d keys and the scheme accommodates d b tags in total 2 Efficiency reader can identify a tag by means of a depth-first search of the tree search through at most db keys rather than d b keys 3 Security compromise of the secrets in one tag compromise of secrets in other tags

48 Synchronisation approach 1 Suppose that every tag T i maintains a counter c i and the tag outputs E = f ki (c i ) on interrogation 2 Provided that a reader knows the approximate value of c i, it can store a searchable table of tag output values, i.e., reader maintains the output values f ki (c i ), f k i (c i + 1),, f ki (c i + d), for c i [c i, c i + d] 3 Literatures with stronger security (such as forward security) and more efficiency

50 RFID becomes ubiquitous