RFID Security and Privacy. Simson L. Garfinkel, Ph.D. Center for Research on Computation and Society Harvard University October 5, 2005



Similar documents
50 ways to break RFID privacy

Security Issues in RFID systems. By Nikhil Nemade Krishna C Konda

RF ID Security and Privacy

An Overview of RFID Security and Privacy threats

Microsoft RFID Platform Data Management. Christopher H. Short Microsoft Technology Center Director

RFID Security: Threats, solutions and open challenges

An Overview of Approaches to Privacy Protection in RFID

Strengthen RFID Tags Security Using New Data Structure

RFID SECURITY. February The Government of the Hong Kong Special Administrative Region

Contactless Smart Cards vs. EPC Gen 2 RFID Tags: Frequently Asked Questions. July, Developed by: Smart Card Alliance Identity Council

Security Issues in RFID. Kai Wang Research Institute of Information Technology, Tsinghua University, Beijing, China

RFID Security. April 10, Martin Dam Pedersen Department of Mathematics and Computer Science University Of Southern Denmark

A Study on the Security of RFID with Enhancing Privacy Protection

Tackling Security and Privacy Issues in Radio Frequency Identification Devices

Various Attacks and their Countermeasure on all Layers of RFID System

Identification and Tracking of Individuals and Social Networks using the Electronic Product Code on RFID Tags

Allwin Initiative for Corporate Citizenship Dartmouth Center for the Advancement of Learning Dickey Center Ethics Institute Institute for Security

Privacy Guidelines for RFID Information Systems (RFID Privacy Guidelines)

THE SECURITY AND PRIVACY ISSUES OF RFID SYSTEM

Business Security and Privacy Risk of RFID

Small Tech, Big Issues

RFID Survives Sterilization to Deliver Medical Device Tracking Solution

Enabling the secure use of RFID

RFID Security and Privacy: Threats and Countermeasures

Best Practices for the Use of RF-Enabled Technology in Identity Management. January Developed by: Smart Card Alliance Identity Council

Back-end Server Reader Tag

Cloud RFID UHF Gen 2

RFID Security and Privacy: A Research Survey. Vincent Naessens Studiedag Rabbit project

How To Hack An Rdi Credit Card

RF-Enabled Applications and Technology: Comparing and Contrasting RFID and RF-Enabled Smart Cards

RFID Basics HEGRO Belgium nv - Assesteenweg Ternat Tel.: +32 (0)2/ Fax : +32 (0)2/ info@hegrobelgium.

Security and Privacy in Intermodal Baggage Management With RFID

Asset Tracking & Radio Frequency Identification White Paper

Radio Frequency Identification (RFID)

Mobile RFID Applications and Security Challenges

PAP: A Privacy and Authentication Protocol for Passive RFID Tags

Privacy and Security in library RFID Issues, Practices and Architecture

Feature. Security and Privacy Trade-offs in RFID Use. Operational Zone RFID Tag. RFID Reader

Security and Privacy of RFID Systems. Claude Castelluccia

A Research on Issues Related to RFID Security and Privacy

Data Protection Technical Guidance Radio Frequency Identification

A RESEARCH SURVEY: RFID SECURITY & PRIVACY ISSUE

Fighting product clones through digital signatures

RFID Technology - Potential Of Big Brother

RFID within the Retail Environment

Security and Privacy for Internet of Things Application

Karsten Nohl University of Virginia. Henryk Plötz HU Berlin

RFID Field Guide. Deploying Radio Frequency Identification Systems. Manish Bhuptani Shahram Moradpour. Sun Microsystems Press A Prentice Hall Title

Privacy Implications of RFID Tags by Paul Stamatiou. CS4001, Georgia Institute of Technology November 8 th, 2007

EU Policy on RFID & Privacy

Implementing high-level Counterfeit Security using RFID and PKI

A Vulnerability in the Song Authentication Protocol for Low-Cost RFID Tags

ATTACHMENT E: RFID SECURITY AND PRIVACY WHITE PAPER

entigral whitepaper Understanding RFID and Barcode Differences

The RFID agenda of the European Commission. Florent Frederix European Commission Directorate General Information Society and Media

Strengths and Weaknesses of Access Control Systems. Eric Schmiedl and Mike Spindel

Lightweight Cryptography. Lappeenranta University of Technology

RFID and GSM Based ATM Money Transfer Prototype System

The Study on RFID Security Method for Entrance Guard System

Privacy(and(Data( Protection( (Part(II(

RSA SECURE WEB ACCESS FOR HEALTHCARE ENVIRONMENTS

On the Security of RFID

Threat Modeling in EPC-Based Information Sharing Networks

RFID Design Principles

Tiny integrated circuits equipped with radio antennas

E-Visas Verification Schemes Based on Public-Key Infrastructure and Identity Based Encryption

The Future of Retail Customer Loyalty

Data Storage in RFID Systems

RAIN RFID and the Internet of Things: Industry Snapshot and Security Needs. Matt Robshaw and Tyler Williamson Impinj Seattle, USA

3M Cogent, Inc. White Paper. Beyond. Wiegand: Access Control. in the 21st Century. a 3M Company

Online Ticket Guide Expo Milano 2015 (update 13/05/2015)

RECOMMENDATIONS COMMISSION

Security Assessment of EPCglobal Architecture Framework

Radio Frequency Identification (RFID) An Overview

EPCglobal RFID standards & regulations. Henri Barthel OECD Paris, 5 October 2005

Neoscope

How Secure are Contactless Payment Systems?

SECURITY IN LOW RESOURCE ENVIRONMENTS

If you are interested in Radio Frequency Identification technology, then this is the best investment that you can make today!

Towards the Internet of Things: An introduction to RFID technology

Security and Privacy in RFID Applications

The Drug Quality & Security Act

Security and Privacy Flaws in a Recent Authentication Protocol for EPC C1 G2 RFID Tags

COMMISSION OF THE EUROPEAN COMMUNITIES COMMISSION RECOMMENDATION. of

Security and privacy in RFID

A Secure RFID Ticket System For Public Transport

Simplifying IT Management and Data Security with RFID

Biometric Authentication Platform for a Safe, Secure, and Convenient Society

Chapter 15: Computer Security and Privacy

Research on Anomaly Detection of RFID Supply Chain Data Based on EPC

Security and User Privacy for Mobile-RFID Applications in Public Zone

Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 1. Network Security. Canada France Meeting on Security, Dec 06-08

Chapter 1: Introduction

Zero-knowledge Device Authentication: Privacy & Security Enhanced RFID preserving Business Value and Consumer Convenience

Secure Active RFID Tag System

Langara College PCI Awareness Training

EMV and Chip Cards Key Information On What This Is, How It Works and What It Means

Proxy Framework for Enhanced RFID Security and Privacy

RFID and IOT: An overview

Transcription:

RFID Security and Privacy Simson L. Garfinkel, Ph.D. Center for Research on Computation and Society Harvard University October 5, 2005 1

RFID: The Industry s Vision. Distribution Center Consumer Docks Store Factory Docks. 2

RFID: Privacy and Security Concerns. Consumer Privacy Invasion Distribution Center Consumer Docks Store Factory Docks Chip IDs stolen and resold Surveillance by Competitors Cloned Chips Diverted. 3

One vision of the privacy problem The consumer privacy problem Here s Mr. Jones in 2020 Replacement hip medical part #459382 Wig model #4456 (cheap polyester) Das Kapital and Communistparty handbook 30 items of lingerie 1500 Euros in wallet Serial numbers: 597387,389473 Source: Ari Juels, RSA Security 4

Another vision of the privacy problem.. 5

Another vision of the privacy problem.. Hidden tags transmit to hidden receivers in the house. 6

The problem is visibility and transparency. Barcodes must be visible to work. Radio waves are invisible and penetrate; RFID tags can be hidden This is both a privacy and security problem. Security Threats Jamming Replay attacks Covert reading Privacy Threats Covert reading Tracking over time Individual profiling 7

The threat realized: a prox-card cloner. Source: Jonathan Westhues 8

Proposed industry solutions At the tag: Kill Encryption At the ONS: EPC Trust Services EPC-IS provide fine-grained access control. How does one provide fine-grained control with 10 million players? 9

First problem with the industry solution: Managing the keys. K 10 K 4 K 3 K 6 K 7 K 5 K 1 K2 K 13 K 9 K 8 K 11 K 12 If all of the keys are different, how are they managed? 10

First problem with the industry solution: Managing the keys. K 10 1 K 41 K 31 K 61 K 71 K 51 K 1 K2 K1 K 13 1 K 91 K 81 K 11 1 K 12 1 If all of the keys are the same, how is it protected? 11

Kill is a simple solution that works today, but not tomorrow. Post-consumer use of RFID? (Refridgerators, Closets, Washing Machines) Recycling? Returns? How do you verify a kill? What about blind people? Kill unreasonably limits RFID. 12

There are several proposals from outside the industry: Sure Kill Foil-lined bags The Blocker Tag Randomization Switches RFID Bill of Rights Abstinence 13

Sure Kill This is kill a Biblical Sense. Sanjay Sarma 14

Foil-lined bags These are better known as Booster Bags. Checkpoint s MetalPoint detects them. 15

The Blocker Tag is a single that that looks like billions: 765 441 334 007 993 443 007 334 553 993 553 765 334 441 443 553 007 443 993 441 765 Consumers need to get and trust the tag. Blockers could be made illegal. (Attacks on anti-theft systems.) Juels proposes polite blocking as a compromise. 16

A switch could be used to turn the RFID chip on and off RFID Inactive RFID Active 17

Randomization Pseudorandom rotation: Random Assignment 123 356 934 334 765 553 441 007 443 993 877 531 987 If the ONS is going to be tightly controlled, randomization poses no additional overhead. 18

Randomization breaks the traditional ONS model 96 bits 1 Manufacturer Item SN Instead, you get this: 96 bits 2 Large Random Number 19

Policy-based Solutions: The RFID Bill of Rights MIT put an RFID chip in my ID card! 20

I have many questions about my chip... Does it have my name on it? Who has access to the database? How far can my card be read? What s the security? What about cash purchases? Where are the readers? What s done with all of this data? 21

The RFID Bill of Rights addresses the most obvious RFID abuses Users of RFID systems and purchasers of products containing RFID tags have: 1. The right to know if a product contains an RFID tag. 2. The right to have embedded RFID tags removed, deactivated, or destroyed when a product is purchased. 3. The right to first class RFID alternatives: consumers should not lose other rights (e.g. the right to return a product or to travel on a particular road) if they decide to opt-out of RIFD or exercise an RFID tag s kill feature. 4. The right to know what information is stored inside their RFID tags. If this information is incorrect, there must be a means to correct or amend it. 5. The right to know when, where and why an RFID tag is being read. 22

EPCglobal s Guidelines fall short. 1. Consumer Notice of tags, not readers. 2. Consumer Choice consumers are allowed to discard or remove or in the future disable the tags. 3. Consumer Education consumers will have the opportunity easily to obtain accurate information about EPC and its applications. 4. Record Use, Retention and Security Companies will follow existing privacy legislation for their databases. These guidelines: Assume that no information is stored in the tags. No opt-out. Little transparency, no accountability http://www.epcglobalinc.org/public policy/public policy guidelines.html http://tinyurl.com/b9r2t 23

Abstinence If we don t solve these security and privacy issues, RFID may be rejected by business and consumers. That would be a pity. Questions? 24

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information