Building RFID Applications with Security and Privacy

Transcription:

Building RFID Applications with Security and Privacy
Kevin Fu, kevinfu@cs.umass.edu, http://prisms.cs.umass.edu/
Assistant Professor, Department of Computer Science, University of Massachusetts at Amherst, USA

What's special about security?

Correctness is easy. Security is hard. Computer Science Building Secure RFID Systems 3

Building RFID with Security & Privacy
Privacy in public transportation
An RFID toolkit for academics
Principles of secure computer systems

RFID Security and Public Transportation

What data are vulnerable?

Who knows your travel information?
Transit Authority
Law Enforcement
That weird guy sitting across from you!?

[Figure: Sony VAIO w/ RFID reader, FeliCa Port]

What data are vulnerable?
Unique card ID (not shown)
Current Balance
Beginning Balance
Entrance and exit date and station
Merchandise purchase

An architecture for public transit

How often does this happen?
I propose a new RFID security protocol!
Here is a Big-O analysis of the running time. Look, it's wonderful. It makes everything taste better.
Build! Then we can measure.

An RFID Software Toolkit
14443B toolkit (13.56 MHz)
Trace analysis enables rapid prototyping
Interface with oscilloscope allows emulation and debugging

The Gumstix

Breakout Board for GPIOs
Etherstix Board

Principles for Secure Computer Systems
Based on: Frederick Brooks, Jerome Saltzer, Mike Schroeder, Butler Lampson, Frans Kaashoek, and the cumulative wisdom of many others

Incommensurate Scaling
Credit: Dawnrazor
Credit: Colin/Hotbox Designs

Second System Effect
Credit: NYTimes

First system:
1. Put an ID number on a product

Second system:
1. Kill function
2. Crypto
3. RW Storage
4. Computation
5. Operating System
6. Mobile Phone
7. Shared Tags
8. Key Management
9. Untrusted Infrastructure
10. Online Databases
...

Danger! Second System Effect!
Credit: RFID Journal

Open Design Principle
Credit: softwar.net

Design for the User: Usable Security
Credit: MGH

Hospital Bracelet?

Be Explicit

How Big is Your Trusted Computing Base?
Big Things I Trust: Readers, Tag Bearers, Things within 10 cm, the network, operating systems, data on tags, user input, a cryptographic key, an online database, public key infrastructure, revocation lists, data brokers, ...
Manageable Things I Trust: A key

End-to-End Argument
Saltzer, Reed, Clark (1981)
Whenever possible, communications protocol operations should be defined at the end-points of a communication system, or as close as possible to the resource being controlled.
Secure tag to reader? Secure tag to database? Secure reader to reader?
Find your end points. Or you might implement an expensive approach.

Principles for Secure Systems
Principle of Least Privilege
Immediate Feedback
End-to-End
Incommensurate Scaling
Minimize Secrets
Simplify
Second System Effect
Be Explicit
Open Design Principle
Design for the User

Humility
If you think you have a completely secure system, you are doomed.

Expect the Unexpected

The perfect system is not.

Computer Science at UMass/Amherst
http://www.cs.umass.edu
43 faculty, ~230 graduate students, ~300 undergraduate students

RFID Security at UMass Amherst
http://prisms.cs.umass.edu/
Graduate Students
Faculty and affiliates