Presentation is loading. Please wait.

Presentation is loading. Please wait.

All slides © 2006 RSA Laboratories. RFID (Radio-Frequency IDentication) takes many forms…

Published byJulian Randall Modified over 8 years ago

Similar presentations

Presentation on theme: "All slides © 2006 RSA Laboratories. RFID (Radio-Frequency IDentication) takes many forms…"— Presentation transcript:

1 All slides © 2006 RSA Laboratories

2 RFID (Radio-Frequency IDentication) takes many forms…

3 “RFID” really denotes a spectrum of devices Automobile ignition key Mobile phone Toll payment plaque Basic “smart label” passive semi-passive no crypto some crypto few cm to few meters range several meters range several cm range

4 “Smart labels”: EPC (Electronic Product Code) tags Barcode EPC tag Line-of-sight Radio contact Specifies object type Uniquely specifies object Fast, automated scanning Provides pointer to database entry for every object, i.e., unique, detailed history

5 30 April: RFID-tagged cow “Bessie” produces milk 30 April: Milk transferred to RFID-tagged tank –Cow identity and milking time recorded in tank-tag database 1 May: RFID portal on truck records loading of refrigeration tanks –Truck also has active RFID (+GPS) to track geographical location and RFID transponder to pay tolls 2 May: Chemical-treatment record written to database record for milk barrel –Bessie’s herd recorded to have consumed bitter grass; compensatory sugars added 3 May: Milk packaged in RFID-tagged carton; milk pedigree recorded in database associated with carton tag 4 May: RFID portal at supermarket loading dock records arrival of carton 5 May: “Smart” shelf records arrival of carton in customer area 5 May 0930h: “Smart” shelf records removal of milk 5 May 0953h: Point-of-sale terminal records sale of milk (to Alice) 2030: Week in the life of a milk carton

6 6 May 0953h: Supermarket transfers carton tag ownership to Alice’s smart home 6 May 1103h: Alice’s refrigerator records arrival of milk 6 May 1405h: Alice’s refrigerator records removal of milk; refrigerator looks up database-recorded pedigree and displays: “Woodstock, Vermont, Grade A, light pasturization, artisanal, USDA organic, breed: Jersey, genetic design #81726” 6 May 1807h: Alice’s “smart” home warns domestic robot that milk has been left out of refrigerator for more than four hours 6 May 1809h: Alice’s refrigerator records replacement of milk 7 May 0530h: Domestic robot uses RFID tag to locate milk in refrigerator; refills baby bottle 2030: Week in the life of a milk carton

7 6 May 0953h: Supermarket transfers carton tag ownership to Alice’s smart home 6 May 1103h: Alice’s refrigerator records arrival of milk 6 May 1405h: Alice’s refrigerator records removal of milk; refrigerator looks up database-recorded pedigree and displays: “Woodstock, Vermont, Grade A, light pasturization, artisanal, USDA organic, breed: Jersey, genetic design #81726” 6 May 1807h: Alice’s “smart” home warns domestic robot that milk has been left out of refrigerator for more than four hours 6 May 1809h: Alice’s refrigerator records replacement of milk 7 May 0530h: Domestic robot uses RFID tag to locate milk in refrigerator; refills baby bottle 7 May 2357h: Recycling center scans RFID tag on carton; directs carton to paper-brick recycling substation 7 May 0531h: Robot discards carton; “Smart” refrigerator notes absence of milk; transfers order to Alice’s PDA/phone/portable server grocery list 2030: Week in the life of a milk carton

8 Proximity cards RFID Today: IN Your POcket Note: Often just emit static identifiers, i.e., they are just smart labels!

9 Automobile ignition keys f RFID helps secure hundreds of millions of automobiles Cryptographic challenge-response Philips claims more than 90% reduction in car theft thanks to RFID! Note: some devices, e.g., Texas Instruments DST, are weak (Bono et al.)… in your pocket

10 Payment devices RFID now offered in all major credit cards in U.S.… in your pocket “Vulnerabilities in First-Generation RFID-Enabled Credit Cards” T. Heydt-Benjamin, D. Bailey, K. Fu, A. Juels, and T. O’Hare Many cards not doing challenge-response Some cards leaking cleartext bearer names and card numbers!

11 Talk in 2003-4 of planting RFID tags in 10,000 Yen banknotes and Euro banknotes Talk has dissipated Main interest: anti-counterfeiting In Currency?

12 “Not Really Mad” Cattle Housepets The cat came back, the very next day… 50 million+ in ANIMALs

13 Schools Amusement parks Hospitals In the same vein: mobile phones with GPS… on People

14 1500 Euros in wallet Serial numbers: 597387,389473 … Wig model #4456 (cheap polyester) 30 items of lingerie Das Kapital and Communist- party handbook Replacement hip medical part #459382 The consumer privacy problem Here’s Mr. Jones in 2030…

15 Wig serial #A817TS8 …and the tracking problem Mr. Jones pays with a credit card; his RFID tags now linked to his identity; determines level of customer service –Think of car dealerships using drivers’ licenses to run credit checks… Mr. Jones attends a political rally; law enforcement scans his RFID tags Mr. Jones wins Turing Award; physically tracked by paparazzi via RFID

16 1500 Euros in wallet Serial numbers: 597387,389473 … Replacement hip medical part #459382 The authentication problem Mad-cow hamburger lunch Counterfeit! Good readers, bad tags Mr. Jones’s car is stolen! Mr. Jones in 2030

17 Won’t crypto solve our problems? We can do: Challenge-response for authentication Mutual authentication and/or encryption for privacy AES Side-channel countermeasures But: 1.Moore’s Law vs. pricing pressure 2.Basic cryptography is not a cure-all… This is the theme of our talk!

18 Simple key management: Possession is 9/10 ths of law How does Alice’s refrigerator get read/write privileges for the history for the milk carton bearing tag T? The straightforward approach: –A central registry R shares symmetric key k with the tag T –Alice’s refrigerator acts as authentication proxy between R and T –Tag T authenticates via challenge-response c r = f k (c) k Registry R k c r = f k (c)

19 Simple key management: Possession is 9/10 ths of law But what if the tag is on Alice’s wristwatch? –Should any nearby reader be able to read tag history? –Should any nearby reader be able to modify tag history? What if registry R is unavailable? –Will the tag carry information on board? –If so, who can access it? –Does Alice’s baby get its milk?

20 ??? The VeriChip TM += Human-implantable RFID

21 The VeriChip TM += Human-implantable RFID Proposed for medical-patient identification Also proposed and used as an authenticator for physical access control, a “prosthetic biometric” –E.g., Mexican attorney general purportedly used for access to secure facility What kind of cryptography does it have? –None: It can be easily cloned So shouldn’t we add a challenge-response protocol? Cloning may actually be a good thing

22 The VeriChip TM Physical coercion and attack –In 2005, a man in Malaysia had his fingertip cut off by thieves stealing his biometric-enabled Mercedes –What would happen if the VeriChip were used to access ATM machines and secure facilities? Perhaps it is better then if tags can be cloned and are not used for authentication—only for identification But if a tag is cloneable, and used for identification, does that mean that privacy is impossible? –I.e., does cloneability imply an ability to track?

23 Private identification A very simple scheme allows for simultaneous cloneability and privacy El Gamal public-key cryptosystem: –Randomized scheme: C = E PK,r [m] –Semantic security: Cannot distinguish between ciphertexts C and C’ on known plaintexts without knowledge of SK Adversary cannot distinguish between C = E PK,r [Alice] and C’ = E PK,r’ [Bob]

24 Private identification Our simple scheme: “Who are you?” C = E PK, r [Alice] SK “Proceed to authenticate Officer Alice” Officer Alice

25 Private identification Take two: “Who are you?” C’ = E PK, r’ [Alice] SK Officer Alice “Proceed to authenticate Officer Alice”

26 Private identification Semantic security → An attacker who intercepts C and C’ cannot tell if they come from the same chip –Attacker cannot identify or track Alice But attacker can still clone Alice’s chip! El Gamal re-encryption (homomorphism): –Let U = E PK,r [1] have uniformly random r –Then given C = E PK,r’ [m], the distribution CxU is uniform over ciphertexts on m Clone chip selects U and outputs CxU Clone chip is indistinguishable from Alice’s!

27 Attacker’s perspective “Who are you?” C Alice’s chip

28 Attacker’s perspective “Who are you?” C x U “Proceed to authenticate Officer Alice” Attacker can simulate Alice’s chip, but… He cannot track Alice He may not even know whose chip he’s cloned!

29 The covert-channel problem Suppose there is a secret sensor… “Who are you?” C SK Officer Alice “Officer Alice has low blood pressure and high blood-alcohol”

30 The covert-channel problem Suppose there is a secret sensor… “Who are you?” C SK Officer Alice “Officer Alice recently passed near the RFID reader of a casino”

31 The covert-channel problem Suppose there is a secret sensor… “Who are you?” C SK Officer Alice “Mercury switch indicates that Officer Alice took a nap this afternoon.”

32 How can we ensure no covert channels? Must make outputs deterministic Can also, e.g., give PRNG keys to Alice But can we: –Allow Alice to verify covert-freeness without exposing secret keys to her? –Enable a third party to verify covert-freeness? It turns out that privacy and such verifiable covert-freeness are contradictory!

33 Covert-freeness detector A A’ “No covert channel” “Yes, covert channel suspected”

34 Here’s a covert channel! 1.Create identifier for Bob Bob need not actually own a chip 2.Alice’s chip does following: If no nap, output ciphertexts A, A’, A’’, etc. with Alice’s identity If Alice has taken a nap, then flip to Bob’s identity, i.e., output ciphertexts A, A’…B’,B’’

35 Suppose we detect the covert channel… “No covert channel” A A’

36 Suppose we detect the covert channel… “ Yes, covert channel suspected ” A B

37 Then we can distinguish between Alice and Bob: Privacy is broken! “ Yes, covert channel suspected ” A B

38 Then we can distinguish between Alice and Bob: Privacy is broken! “ A and B represent different people ” A B

39 Let’s change (relax) the definition of privacy! If non-sequential tag outputs are checked, detector learns nothing… READ EVENTS “?????” Covert-freeness and privacy?

40 Detector can do pairwise check only… READ EVENTS “Covert-free pair” Achievable “efficiently” with pairings-based cryptography (ECC)

41 Covert-freeness and privacy? Privacy is largely preserved because of locality –Can only correlate events in immediate succession Covert-freeness checkable probabilistically, i.e., with spot checks READ EVENTS “Covert-free pair”

42 A sobering thought: Suppose we can achieve privacy… Y. Oren and A. Shamir attacked EPC kill passwords via over-the- air power analysis Found that dead tags are detectable! –Backscatter from antennas Hypothesize manufacturer type may be learnable 3 type A tags (merchandise) 2 type B tags (medication) 10 type C tags (500-Euro banknotes) Probably of limited significance, but still bears on privacy Do tags possess uniquely detectable RF fingerprints? –Device signatures a staple of electronic warfare Cryptography would not help here!

43 Some caveats Some of talk really in outer limits, but basic caveats are important: –Pressure to build a smaller, cheaper tags without cryptography –RFID tags are close and personal, giving privacy a special dimension –RFID tags change ownership frequently –Key management will be a major problem Think for a moment after this talk about distribution of kill passwords… Are there good hardware approaches to key distribution, e.g., proximity as measure of trust Straightforward crypto is not always the answer! Cryptography is still important –Urgent need for cheaper hardware for primitives and better side- channel defenses

44 To Learn More: RFID CUSP RFID ConsortiUm for Security and Privacy –Collaboration among Johns Hopkins, RSA Laboratories, and UMass- Amherst –www.rfid-cusp.orgwww.rfid-cusp.org Papers: –“RFID security and privacy: a research survey” –“Vulnerabilities in First-Generation RFID-Enabled Credit Cards” Joint work with T. Heydt-Benjamin, D. Bailey, K. Fu, and T. O’Hare –“Security Analysis of a Cryptographically-Enabled RFID Device” Joint work with S. Bono, M. Green, A. Stubblefield, A. Rubin, and M. Szydlo –“The security implications of VeriChip TM cloning,” Joint work with J. Halamka, A. Stubblefield, and J. Westhues –“Covert channels in privacy-preserving identification systems” Forthcoming work –“Power analysis of RFID tags” (on Internet; not RFID-CUSP) Y. Oren and A. Shamir

Download ppt "All slides © 2006 RSA Laboratories. RFID (Radio-Frequency IDentication) takes many forms…"

Similar presentations

SMUCSE 7349 RFID Security. SMUCSE 7349 Current Applications Logistics –Military supply logistics Gulf War I: Double orders to ensure arrival Gulf War.

SMUCSE 7349 RFID Security. SMUCSE 7349 Current Applications Logistics –Military supply logistics Gulf War I: Double orders to ensure arrival Gulf War.
Securing Critical Unattended Systems with Identity Based Cryptography A Case Study Johannes Blömer, Peter Günther University of Paderborn Volker Krummel.

Securing Critical Unattended Systems with Identity Based Cryptography A Case Study Johannes Blömer, Peter Günther University of Paderborn Volker Krummel.
Ari Juels RSA Laboratories 19 October 2005 RFID : The Problems of Cloning and Counterfeiting.

Ari Juels RSA Laboratories 19 October 2005 RFID : The Problems of Cloning and Counterfeiting.
Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.

Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.
RFID and SECURITY All slides © 2008 RSA Laboratories.

RFID and SECURITY All slides © 2008 RSA Laboratories.
TPS – UNIQUE HARDWARE (WWW.HOWSTUFFWORKS.COM) Option 1: Transaction Processing Systems.

TPS – UNIQUE HARDWARE ( Option 1: Transaction Processing Systems.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
The Blocker Tag: Selective Blocking of RFID Tags for Consumer Privacy A. Juels, R. L. Rivest, and M. Szydlo 8th ACM Conference on Computer and Communications.

The Blocker Tag: Selective Blocking of RFID Tags for Consumer Privacy A. Juels, R. L. Rivest, and M. Szydlo 8th ACM Conference on Computer and Communications.
Embedded Wireless Sensors Tony Arous Vincent Yu. Recap  RFID– Radio Frequency Identification  Sensors help to easily keep track of various information.

Embedded Wireless Sensors Tony Arous Vincent Yu. Recap  RFID– Radio Frequency Identification  Sensors help to easily keep track of various information.
FIT3105 Smart card based authentication and identity management Lecture 4.

FIT3105 Smart card based authentication and identity management Lecture 4.
RFID Security and Privacy A Research Survey Shruti Pathak CS 585 Spring ‘09.

RFID Security and Privacy A Research Survey Shruti Pathak CS 585 Spring ‘09.
RFID Security CMPE 209, Spring 2009 Presented by:- Snehal Patel Hitesh Patel Submitted to:- Prof Richard Sinn.

RFID Security CMPE 209, Spring 2009 Presented by:- Snehal Patel Hitesh Patel Submitted to:- Prof Richard Sinn.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.
Class on Security Raghu. Current state of Security Cracks appear all the time Band Aid solutions Applications are not designed properly OS designs are.

Class on Security Raghu. Current state of Security Cracks appear all the time Band Aid solutions Applications are not designed properly OS designs are.
Security in RFID Presented By… NetSecurity-Spring07

Security in RFID Presented By… NetSecurity-Spring07
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
Risk of Using RFID chips in Passports Oscar Mendez.

Risk of Using RFID chips in Passports Oscar Mendez.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

Similar presentations

Ads by Google