Presentation is loading. Please wait.

Presentation is loading. Please wait.

RFID Security: In the Shoulder and on the Loading Dock Ari Juels RSA Laboratories Joint work with D. Boneh, E.-J. Goh, J. Halamka, A. Stubblefield, B.

Published byWilfrid Fisher Modified over 8 years ago

Similar presentations

Presentation on theme: "RFID Security: In the Shoulder and on the Loading Dock Ari Juels RSA Laboratories Joint work with D. Boneh, E.-J. Goh, J. Halamka, A. Stubblefield, B."— Presentation transcript:

1 RFID Security: In the Shoulder and on the Loading Dock Ari Juels RSA Laboratories Joint work with D. Boneh, E.-J. Goh, J. Halamka, A. Stubblefield, B. Parno, R. Pappu, and J. Westhues

2 RFID on the Loading Dock Recapping Ravi Pappu’s presentation…

3 Keeping the customer satisfied… “I want a rock-solid encryption algorithm… with 20-bit keys.” “I want my database encrypted… but all my employees and customers need to have access.” “I want my retail stores to be able to read RFID-tagged items… but I want tags to be unreadable after sale… and I don’t want to have to kill or rewrite them…

4 EPC tags and privacy EPC tags have no true cryptographic functionality One true, explicit EPC privacy feature: Kill –On receiving tag-specific PIN, tag self-destructs But commercial RFID users say: –They do not want to manage kill PINs –They have no channel to communicate secret keys downstream in supply chain

5 “Privacy without killing” approach: Put the secret keys on the tags Encrypt tag data under secret key  Apply secret sharing to spread key  across tags in crate –E.g.,   ( s 1, s 2,, s 3 ) E  (m 1 ) s 1 E (m2)s2E (m2)s2 E (m3)s3E (m3)s3 

6 Encrypt tag data under secret key  Apply secret sharing to spread key  across tags in crate –E.g.,   ( s 1, s 2,, s 3 ) E  (m 1 ) s 1 E (m2)s2E (m2)s2 E (m3)s3E (m3)s3  “Privacy without killing” approach: Put the secret keys on the tags Supersteroids 500mg; 100 count Serial #87263YHG Mfg: ABC Inc. Exp: 6 Mar 2010

7 Privacy through dispersion

8 E  (m 1 )  1 E (m2)2E (m2)2 E (m3)3E (m3)3 Individual shares / small sets reveal no information about medication! ( Super- Steroids) (Super- Steroids) (Super- Steroids)

9 Challenges that Ravi discussed 1.Storage is at a premium in EPC, but no secret-sharing literature on “tiny” shares “Short” shares are 128 bits, but we may want 16 bits or less! 2.Scanning errors We need robustness in our secret-sharing scheme

10 Another place for RFID secret-sharing: Authentication A key  is useful not just for consumer privacy –Read / write “unlock” codes for EPC tags –Anti-cloning for EPC tags [Juels ’05] –Symmetric key for challenge-response tag authentication (again, anti-cloning) But putting  on crate is bad if crate is diverted –Attacker can read / rewrite tags and re-inject goods –Attacker can clone tags

11 Secret-sharing across crates  s1s1 s2s2 s3s3 ’’ s’ 1 s’ 2 s’ 3 Dimension 1: Dimension 2:

12 Secret-sharing across crates  s1s1 s2s2 s3s3 ’’ s1s1 s2s2 s3s3 Dimension 1: Dimension 2: s1s1 (Or crate-specific tag)

13 But “windows” are not always neat… s1s1 s2s2 s3s3 s1s1 s2s2 s3s3 Warehouse AWarehouse B receivers cannot reconstruct  and  ’ !

14 SWISS (Sliding Window Information Secret-Sharing) Given  2 out of 4 s i, get corresponding  i s1s1 s2s2 s3s3 s4s4 s5s5 s6s6 11 22 33 44 55 66

15 SWISS (Sliding Window Information Secret-Sharing) 11 33 Warehouse B 55 s1s1 s2s2 s3s3 s4s4 s5s5 s6s6 11 22 33 44 55 66

16 SWISS (Sliding Window Information Secret-Sharing) ???? Adversary with more sporadic crate access s1s1 s2s2 s3s3 s4s4 s5s5 s6s6 11 22 33 44 55 66

17 SWISS (Sliding Window Information Secret-Sharing) A k-out-of-n-SWISS scheme is straightforward with share size s i linear in n It’s not obvious how to get more compact s i That’s what our paper addresses… –More pairings tricks –Basic RSA variant –Size of s i is constant(!) in n s1s1 s2s2 s3s3 s4s4 s5s5 s6s6

18 RFID in the Shoulder

19 We’ve talked about many different RFID devices at this workshop… and many different threats

20 Proximity cards

21 Credit cards RFID now offered in all major credit cards in U.S.… (See “Vulnerabilities in First-Generation RFID-Enabled Credit Cards” [Heydt- Benjamin et al. ’07])

22 Transit cards

23 Passports Dozens of countries issuing RFID-enabled passports Other identity documents following, e.g., drivers’ licenses, WHTI

24 Animals too… “Not Really Mad” Livestock Housepets The cat came back, the very next day… 50 million+

25 Human location tracking Schools Amusement parks Hospitals In the same vein: mobile phones with GPS…

26 ??? Human-implantable RFID += VeriChip TM

27 Human-implantable RFID += VeriChip TM Excellent test bed for privacy and security concepts! Proposed for medical-patient identification Also proposed and used as an authenticator for physical access control, a “prosthetic biometric” –E.g., Mexican attorney general purportedly used for access to secure facility What kind of cryptography does it have? –None: It can be easily cloned [Halamka et al. ’06] So shouldn’t we add a challenge-response protocol? Cloning may actually be a good thing

28 Human-implantable RFID Physical coercion and attack –In 2005, a man in Malaysia had his fingertip cut off by thieves stealing his biometric- enabled Mercedes –What would happen if the VeriChip were used to access ATM machines and secure facilities? Perhaps better if tags can be cloned! Tags should not be used for authentication—only for identification

29 Cloneability + privacy Privacy means no linkability or information about identities If a tag can be cloned, does that mean it can’t provide privacy? –Surprisingly, no! A very simple scheme allows for simultaneous cloneability and privacy

30 Cloneability + privacy Homomorphic public-key cryptosystem (e.g., El Gamal) Private / public key pair (SK, PK) Randomized scheme: C = E PK,r [m] Semantic security: Adversary cannot distinguish C = E PK,r [“Alice”] from C’*= E PK,s [“Bob”] Re-encryption property: Given C only, can produce randomized C* = E PK,s [m], without knowing m

31 Cloneability + privacy The scheme: When read, tag chooses fresh r and outputs C = E PK,r [“name”] Then: Reader with SK can decrypt name Semantic Security: Adversary cannot distinguish among tags, i.e., infringe privacy Re-encryption property: Adversary can clone a tag: records C and outputs randomized C*

32 The covert-channel problem Suppose there is an identification / authentication system… Authorized Employees Only Who’s there? E[“Alice”] It’s Alice!

33 The covert-channel problem Suppose there is an identification / authentication system… Authorized Employees Only Who’s there? E[“Alice” + ?] Alice has low blood pressure and high blood-alcohol Alice recently passed a casino’s RFID reader. Mercury switch indicates that Alice napped on job

34 How can we assure Alice of no covert channels? Outputs must be deterministic –Randomness always leaves room for covert emissions Could give Alice a secret key to check that outputs are formatted correctly –E.g., PRNG seed for device But we don’t want Alice (or a third party) to have to manage sensitive keying material! Can we enable Alice to verify covert-freeness publicly, i.e., without exposing secret keys? Simultaneous publicly verifiable covert-freeness and privacy are impossible!

35 Here’s why… Suppose there were a public CC detector… X18 Ultra CC-Detector TM A1A1 A2A2 No CC Yes, CC!

36 Here’s a covert channel! 1.Create identity for user “Bob” Bob could be fictitious Just need output sequence B 1, B 2, … 2.Alice’s chip does following: If no nap, output A 1, A 2, A 3, etc. with Alice’s identity If Alice has taken a nap, then flip to Bob’s identity, i.e., output A 1, A 2 … B 1, B 2

37 Suppose we detect this covert channel X18 Ultra CC-Detector TM A1A1 A2A2 No CC B1B1 Yes, CC

38 Now if there really is a user Bob, we have a problem... X18 Ultra CC-Detector TM A1A1 A2A2 No CC

39 Alice followed by Bob yields “Yes” X18 Ultra CC-Detector TM A1A1 B1B1 Yes, CC

40 BobAlice Privacy is broken: We can distinguish between identities! X18 Ultra CC-Detector TM Yes X18 Ultra CC-Detector TM No

41 So public CC-verifiability + privacy is impossible But we can achieve it anyway [Boneh et al. ’07]… Idea: –Change privacy definition to eliminate localized privacy, e.g., privacy across pairwise values –Allow localized CC-checking, e.g., pairwise –Localized privacy is least important type of privacy Now we can do spot CC-checking… A1A1 A2A2 A3A3 A4A4 A5A5 A6A6 A7A7 A8A8 A9A9 X18 Ultra CC-Detector TM yes / no

42 The message of this talk: Crypto is not the hard part! We can do: Challenge-response for authentication Mutual authentication and/or encryption for privacy AES Side-channel countermeasures But: 1.Moore’s Law vs. pricing pressure 2.The theme of today’s talk: The really hard part is key management…

43 The key-management problem Okinawa, Japan Kansas, USA “Top secret: X-32 cone” crypto key “Top secret: X-32 cone” The key poses its own “transport” problems: It must be tag-specific (usually) It must be highly available It must be secured at all times Like managing 10,000,000,000 passwords!

44 The RFID key-management problem Keys / PINs for consumer privacy Body passwords?

45 To learn more Papers available at RFID CUSP: www.rfid-cusp.orgwww.rfid-cusp.org J. Halamka, A. Juels, A. Stubblefield, and J. Westhues. “The Security Implications of VeriChip Cloning.” Journal of the American Medical Informatics Association (JAMIA), 2006. D. Bailey, D. Boneh, E.-J. Goh, and A. Juels. “Covert Channels in Privacy-Preserving Identification Systems.” In ACM CCS, 2007. A. Juels, R. Pappu, and B. Parno. “Key Transport in Unidirectional Channels with Applications to RFID Security.” In submission. J. Westhues’s RFID cloning page: http://cq.cx.

Download ppt "RFID Security: In the Shoulder and on the Loading Dock Ari Juels RSA Laboratories Joint work with D. Boneh, E.-J. Goh, J. Halamka, A. Stubblefield, B."

Similar presentations

Ari Juels RSA Laboratories Marty Wattenberg 328 W. 19th Street, NYC A Fuzzy Commitment Scheme.

Ari Juels RSA Laboratories Marty Wattenberg 328 W. 19th Street, NYC A Fuzzy Commitment Scheme.
1 Computer Networks: A Systems Approach, 5e Larry L. Peterson and Bruce S. Davie Chapter 8 Network Security Copyright © 2010, Elsevier Inc. All rights.

1 Computer Networks: A Systems Approach, 5e Larry L. Peterson and Bruce S. Davie Chapter 8 Network Security Copyright © 2010, Elsevier Inc. All rights.
Fuzzy Vaults: Toward Secure Client-Side Matching Ari Juels RSA Laboratories 10th CACR Information Security Workshop 8 May 2002 LABORATORIES.

Fuzzy Vaults: Toward Secure Client-Side Matching Ari Juels RSA Laboratories 10th CACR Information Security Workshop 8 May 2002 LABORATORIES.
Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.

Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.
RFID and SECURITY All slides © 2008 RSA Laboratories.

RFID and SECURITY All slides © 2008 RSA Laboratories.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.

NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.
Class on Security Raghu. Current state of Security Cracks appear all the time Band Aid solutions Applications are not designed properly OS designs are.

Class on Security Raghu. Current state of Security Cracks appear all the time Band Aid solutions Applications are not designed properly OS designs are.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.

Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.
RFID Security and Privacy Part 2: security example.

RFID Security and Privacy Part 2: security example.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 2 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 2 Jonathan Katz.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
CMSC 414 Computer (and Network) Security Lecture 24 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 24 Jonathan Katz.

Similar presentations

Ads by Google