©2006 Sanjay Sarma RFID and Security Sanjay Sarma MIT and CTO of OATSystems.


1 ©2006 Sanjay Sarma RFID and Security Sanjay Sarma MIT and CTO of OATSystems

2 Everything is different with RFID
Power is limited
Cost is an issue
Bandwidth is limited
Memory is a premium
Data is fast but… fallible
Tag connectivity is sporadic
The range of applications is large
The range of related technologies is huge

3 History
(See “Shrouds of Time: The history of RFID,” Landt 2001)
1948: Backscatter
  – Stockman, H. "Communication by Means of Reflected Power", Proceedings of the IRE, pp , October
: Automotive license plates
  – Sterzer, F., "An electronic license plate for motor vehicles", RCA Review, 1974, 35, (2) pp
: DISC, Auto-ID Center founded at MIT
2001: First standards presented
2002: Gillette orders 500,000,000 tags from Alien
2003: Wal-Mart, DoD Mandates
  – EPCglobal launched, Center retired
  – HP sits on the board
2004: More mandates
2005: First bulk tagging
  – Emergence of Gen 2
  – Multi-site deployments
  – Beginnings of value
2006: Next Generation research

4 History of the EPC
: DISC, Auto-ID Center founded at MIT
2001: First standards presented
2002: Gillette orders 500,000,000 tags from Alien
2003: Wal-Mart, DoD Mandates
  – EPCglobal launched, Center retired
2004: More mandates
2005: First bulk tagging
  – Emergence of Gen 2
  – Multi-site deployments
  – Beginnings of value

5 Low cost RFID
[Figure: axes "time" and "die size/cost, cents"; labels "handling cost" and "Silicon: 4c/mm²"]

6 The stack
[Diagram labels: Readers, tags, Company Software, Gen 1 air-interface, Savant, ONS; Readers, tags, ERP+RFID Software, Company #1, Company #2, Reader interface, Gen 2 air-interface, Reader Protocol, EPC-IS, ONS + Blob]

7 RFID Systems
ID
  – Electronic product code: header:manufacturer:product:serial
  – Read-write extra memory/sensory data
Anti-collision
  – One reader can read many tags
Reader coordination
  – Make sure readers don’t interfere with each other
Middleware
  – Collect all the data and make sense of it

8 How EPC Gen2 works
RF level
  – Multiple speeds
  – Dense-mode
  – Many dials for EU, Asia, US operation
Logic level
  – Generalized selection
  – Advanced sessions
  – Advanced payload etc. access
[Diagram: Entire population → Generalized Selection → Thinned population → Anti-collision (Query) → Single tag identified → Access of payload → Payload from tag]

9 My focus today
Classes of tags
Passive
  – No battery; chip runs on scavenged power
  – Communication by backscatter only
  – 10m range
Semi-passive
  – Battery to run the chip
  – Communication by backscatter only
  – 50m range
Active
  – Battery runs the chip
  – Communication by transmission
  – 100+m range
Forward bandwidth is low
Low compute cycles for power
Power limited range
Weak backscatter
Forward bandwidth is higher
Faster cycles for power
Strong backscatter
Wake-up circuit
Endless possibilities
Do not confuse with near-field tags and smart-cards

10 How RFID is used in the supply chain

11 Inventory
[Table headings: TAG EPC TIME LOCATION]

12 The Trace
[Table headings: TAG EPC TIME LOCATION]
Theft!!
Counterfeit!
Diversion!

13 The Flow
[Table headings: TAG EPC TIME LOCATION]
RECALL!!!

14 Supply Chain Problems
[Table headings: TAG EPC TIME LOCATION]
RFID enables
Real-time detection of errors
Real-time correction
Run-to-run improvement
i.e., tactical, operational, strategic enhancement.
Errors making plans less effective

15 On security of passive and semi passive tags

16 Privacy: The very act of detection poses a challenge
Readers and tags cannot hide their very presence
  – Sniffing
The structured ID could be a problem
  – header:manufacturer:product:serial
  – Do I want people to know I am taking a Pfizer product?
Repeated unique numbers are a problem
  – Track based on repeated ID
Constellations of non-unique numbers are a problem
  – I may be the only person in Graz with a Titan watch and Docker pants

17 Some problems can be solved
Readers and tags cannot hide their very presence
  – Sniffing
The structured ID could be a problem
  – header:manufacturer:product:serial
  – Do I want people to know I am taking a Pfizer product?
Repeated unique numbers are a problem
  – Track based on repeated ID
Constellations of non-unique numbers are a problem
  – I may be the only person in Graz with a Titan watch and Docker pants
Spread spectrum, etc. expensive.
Non-structured numbers, special ONS for sorting them out
Temporary ID by encrypting EPC|nonce
Shared key, so key-management problem

18 The fact of the matter is
Can’t do anything beyond hashes in passive RFID tags
Physics is our best friend
  – Can’t activate from afar
  – Can’t hear backscatter from afar
  – Consider backscatter channel a private channel
There is a physical zone of trust for privacy
  – Tag response audible a few meters
  – If you have worries, you can create further physical barriers
Shielding
Killing the tag
  – Famous EPC kill code
Reduced range mode of tags
Personalization of tags

19 Some of the other issues
Privacy violation is a consequence of unauthorized reading
  – Other privacy protections
  – Detection of unauthorized readers
Eavesdropping
Using tags to prevent counterfeits
  – Skimming the tag and replaying
  – Tampering with the physical artifact
Prevent tag hijack

20 Other issues in unauthorized reading
Perhaps require readers to announce themselves
  – What if reader announced its name, ID, and function
  – Tag detects this and chooses not to respond
  – Too expensive
  – Too voluntary
The Sentinel Concept
  – Blocker Tag from Juels et al.
      Logical jamming when reading some tags
  – The Watchdog Tag from Floerkemeier (upcoming PhD thesis)
Sarma’s vindictive Sentinel
  – All readers need to register with guardian
  – If a reader is not registered, Sentinel will jam the channel
  – No politeness

21 Eavesdropping
A reader in Wal-Mart is reading its tags
  – Readers put out ~watts
A competitor is sitting outside listening to the reader
  – Can it infer the contents?
Tag response unlikely to be decipherable
Put secret information in tag response channel
The forward response is now XOR’ed with previous reverse channel secret
  – Blind-tree walking by [Weis 03]

22 Eavesdropping is easier when
Gen 2 Masking is used
You are listening from a distance
You hear the selection command
You see the number of responses that were received
You can detect the numbers of tags in a population
Solution is:
  – Use masking judiciously
  – Use chaff when necessary
  – Sentinel Tag generates chaff, notifies middleware
  – The Sentinel Tag again!
[Diagram: Entire population → Generalized Selection → Thinned population → Anti-collision (Query) → Single tag identified → Access of payload → Payload from tag]

23 Counterfeit detection
Some secret on the tag which you can verify
Can do it by hash, symmetric or asymmetric crypto
Easier to do in near-field or semi-passive/active tags
Harder to do in RFID
  – Limited gates
  – Limited compute cycles
  – Ephemeral contact
Killer app for RFID
  – Counterfeit market worldwide is very large ($500B? See Staake’s work)
  – The very presence of an RFID tag is also a defense
  – The history of a serialized number is further defense

24 Low-Cost Hash Design [Weis 2003]
Traditional: Many Gates, Few Cycles
  – Expensive
  – High-power
Low-Cost: Few Gates, Many Cycles
  – Slow
Cellular Automata
  – Cellhash, No major breaks (yet).
  – Very cheap, fast and scalable.
Non-Linear Feedback Shift Registers:
  – Relatively cheap and flexible.
  – Lots of classified work.

25 The Digital Millennium Act
Can be used to stymie commodity replacements!
Tags on cartridges
Readers in printers
Some important content in tag: say colors
Non-copy-able

26 The Pink Panther replay scenario
Imagine diamonds in a display (each diamond has passive tag)
Tags are being read continuously by reader
Pink Panther has a tag mimicking machine
  – Listens for the tags being read
  – Starts playing them back
  – While Pink Panther steals the diamonds
One solution is a Sentinel Tag generating chaff
Mimicking machine cannot tell chaff from real content
Will replay chaff
The Sentinel Tag again

27 Writing to tags
Enter Code and Lock Kill Write
Issues:
Administering kill codes
Preventing mass killing of tags
Administering the other codes
Personalizing tags

28 Preventing mass kill
If the codes are not all set to 1111, then you can’t kill the tags easily
Killing is not an RF function in EPC tags; it is an addressed, logical request
  – You can only kill at the rate of anti-collision
  – You can only kill from the passive distance
  – From that range, you have other options open to you
Sarma’s Sentinel Tag: when you see an unauthorized kill going on, jam the airwaves!
The real challenge is kill code management: how does it pass from owner to owner?

29 A keyless approach to administration [Weis 03]
Locking a tag
  – Reader: metaID := hash(key); Store: (key, metaID)
  – Reader to Tag: metaID
  – Tag: Store: metaID
Querying a locked tag
  – Reader to Tag: Who are you?
  – Tag to Reader: metaID
Unlocking a tag
  – Reader to Tag: key
  – Tag: metaID == hash(key)?
  – Tag to Reader: “Hi, my name is..”
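
The lock, query and unlock exchange from this slide, as an added Python sketch that is not part of the presentation. SHA-256 stands in for the tag's low-cost hash, and the class names, the reader's back-end table and the sample EPC string are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def h(key: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the tag's low-cost hash function.
    return hashlib.sha256(key).digest()


class Tag:
    """Passive tag: it can store, hash and compare, nothing more."""

    def __init__(self, epc: str):
        self._epc = epc          # the real ID ("Hi, my name is..")
        self._meta_id = None     # set while the tag is locked

    def lock(self, meta_id: bytes) -> None:
        self._meta_id = meta_id  # Store: metaID

    def query(self):
        # "Who are you?" A locked tag answers with metaID only.
        return self._meta_id if self._meta_id is not None else self._epc

    def unlock(self, key: bytes):
        # metaID == hash(key)? Constant-time compare; a wrong key gets no answer.
        if self._meta_id is not None and hmac.compare_digest(h(key), self._meta_id):
            self._meta_id = None
            return self._epc
        return None


class Reader:
    """Reader plus a hypothetical back-end table of (key, metaID) pairs."""

    def __init__(self):
        self._keys = {}  # metaID -> key

    def lock_tag(self, tag: Tag) -> None:
        key = secrets.token_bytes(16)
        meta_id = h(key)
        self._keys[meta_id] = key   # Store: (key, metaID)
        tag.lock(meta_id)

    def unlock_tag(self, tag: Tag):
        key = self._keys.get(tag.query())  # find the key by the metaID heard
        return tag.unlock(key) if key is not None else None
```

A locked tag answers every query with the same metaID, so the lock hides the EPC but leaves the "repeated unique numbers" tracking problem from the privacy slide in place.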

30 Personalizing tags: an opportunity
Say you go to a store and buy a product
The product has a tag
You now want to personalize that tag
You have a little PDA which talks to the store reader and personalizes your tag
Your PDA is a personalizing device which now talks to your back-end system at home
  – Tanenbaum et al. 05
  – Foley 05

31 The repeating themes
The backscatter distance is a zone of trust
  – No perfect, inexpensive solution beyond within that zone of trust for passive tags
Passive tags cry for a Sentinel Tag
  – Sentinel can aggregate security/defense/privacy functions which individual tags cannot afford
  – Turns out that there are several other

32 The System

33 The system
[Diagram labels: Readers, tags, Company Software, Gen 1 air-interface, Savant, ONS; Readers, tags, ERP+RFID Software, Company #1, Company #2, Reader interface, Gen 2 air-interface, Reader Protocol, EPC-IS, ONS + Blob; Transfer of codes, Data, etc.]

34 Recent attacks

35 Viruses and Worms
Tanenbaum’s group
  – Researchers demonstrated a RFID virus:
  – Based on an “SQL injection” attack
  – Website:
Shamir’s group
  – Side channel attack
  – Power analysis

36 Conclusions

37 The opportunities
Technology
Tags
Semiconductors
Packaging
Protocols
Antennae
Readers
Middleware/Reader
Middleware
Databases
Enterprise architecture
Distributed systems
Identity management
Business process
Applications
Supply chain
  – Retail
  – Healthcare
  – B2B
  – Critical goods
Logistics
  – Travel/airports
  – Defense
  – Heavy industries
  – Asset management
Operations
  – Factory
  – DC/warehouse
  – Institutions
  – Maintenance
Personal systems….
Analysis
RF Systems
Communications
Security
System dynamics
  – Supply chain
      Planning
      Execution
      Policy
  – Demand planning
Social/ethical
Business planning
Macroeconomics
Policy/frequency

