Presentation is loading. Please wait.

Presentation is loading. Please wait.

Physically Unclonable Function– Based Security and Privacy in RFID Systems Leonid Bolotnyy and Gabriel Robins Dept. of Computer Science University of Virginia.

Published byPamela Walker Modified over 8 years ago

Similar presentations

Presentation on theme: "Physically Unclonable Function– Based Security and Privacy in RFID Systems Leonid Bolotnyy and Gabriel Robins Dept. of Computer Science University of Virginia."— Presentation transcript:

1 Physically Unclonable Function– Based Security and Privacy in RFID Systems Leonid Bolotnyy and Gabriel Robins Dept. of Computer Science University of Virginia www.cs.virginia.edu/robins

2 Contribution and Motivation Contribution Privacy-preserving tag identification algorithm Secure MAC algorithms Comparison of PUF with digital hash functions Motivation Digital crypto implementations require 1000’s of gates Low-cost alternatives –Pseudonyms / one-time pads –Low complexity / power hash function designs –Hardware-based solutions

3 PUF-Based Security Physical Unclonable Function (PUF) [Gassend et al 2002] PUF Security is based on –wire delays –gate delays –quantum mechanical fluctuations PUF characteristics –uniqueness –reliability –unpredictability PUF Assumptions –Infeasible to accurately model PUF –Pair-wise PUF output-collision probability is constant –Physical tampering will modify PUF

4 Privacy in RFID Privacy ABC Alice was here: A, B, C privacy

5 Private Identification Algorithm Assumptions –no denial of service attacks (e.g., passive adversaries, DoS detection/prevention mechanisms) –physical compromise of tags not possible It is important to have –a reliable PUF –no loops in PUF chains –no identical PUF outputs ID Request p(ID) ID Database ID 1, p(ID 1 ), p 2 (ID 1 ), …, p k (ID 1 )... ID n, p n (ID n ), p n 2 (ID n ), …, p n k (ID n )

6 Improving Reliability of Responses Run PUF multiple times for same ID & pick majority μ m (1-μ) N-m ) k R( μ, N, k ) ≥ (1 - ∑ N NmNm N+1 2 m= number of runs chain length unreliability probability overall reliability R(0.02, 5, 100) ≥ 0.992 Create tuples of multi-PUF computed IDs & identify a tag based on at least one valid position value ∞ expected number of identifications S( μ, q ) = ∑ i [(1 – (1- μ ) i+1 ) q - (1 – (1-μ) i ) q ] i=1 tuple size S(0.02, 1) = 49, S(0.02, 2) = 73, S(0.02, 3) = 90 (ID 1, ID 2, ID 3 )

7 Privacy Model 1.A passive adversary observes polynomially-many rounds of reader-tag communications with multiple tags 2.An adversary selects 2 tags 3.The reader randomly and privately selects one of the 2 tags and runs one identification round with the selected tag 4.An adversary determines the tag that the reader selected Experiment: Definition: The algorithm is privacy-preserving if an adversary can not determine reader selected tag with probability substantially greater than ½ Theorem: Given random oracle assumption for PUFs, an adversary has no advantage in the above experiment.

8 PUF-Based MAC Algorithms MAC based on PUF –Motivation: “yoking-proofs”, signing sensor data –large keys (PUF is the key) –cannot support arbitrary messages MAC = (K, τ, υ) K K valid signature σ : υ (M, σ) = 1 forged signature σ’ : υ (M’, σ’) = 1, M = M’ Assumptions –adversary can adaptively learn poly-many (m, σ) pairs –signature verifiers are off-line –tag can store a counter (to protect against replay attacks)

9 Large Message Space σ (m) = c, r 1,..., r n, p c (r 1, m),..., p c (r n, m) Assumption: tag can generate good random numbers (can be PUF-based) Signature verification requires tag’s presence password-based or in radio-protected environment (Faraday Cage) learn p c (r i, m), 1 ≤ i ≤ n verify that the desired fraction of PUF computations is correct To protect against hardware tampering authenticate tag before MAC verification store verification password underneath PUF Key: PUF

10 Choosing # of PUF Computations α < prob v ≤ 1 and prob f ≤ β ≤ 1 0 ≤ t ≤ n-1 i=t+1 μ i (1-μ) n-i prob v (n, t, μ) = 1 - ∑ n nini j=t+1 τ j (1-τ) n-j prob f (n, t, τ) = 1 - ∑ n njnj prob v (n, 0.1n, 0.02) prob f (n, 0.1n, 0.4)

11 Theorem Given random oracle assumption for a PUF, the probability that an adversary could forge a signature for a message is bounded from above by the tag impersonation probability.

12 Small Message Space Assumption: small and known a priori message space Key[p, m i, c] = c, p c (1) (m i ),..., p c (n) (m i ) PUF message counter σ(m) = c, p c (1) (m),..., p c (n) (m),..., c+q-1, p c+q-1 (1) (m), p c+q-1 (n) (m) sub-signature Verify that the desired number of sub-signatures are valid PUF reliability is again crucial

13 Theorem Given random oracle assumption for a PUF, the probability that an adversary could forge a signature for a message is bounded by the tag impersonation probability times the number of sub-signatures.

14 Attacks on MAC Protocols originalclone Impersonation attacks –manufacture an identical tag –obtain (steal) existing PUFs Hardware-tampering attacks –physically probe wires to learn the PUF –physically read-off/alter keys/passwords Side-channel attacks –algorithm timing –power consumption Modeling attacks –build a PUF model to predict PUF’s outputs

15 Comparison of PUF With Digital Hash Functions Reference PUF: 545 gates for 64-bit input –6 to 8 gates for each input bit –33 gates to measure the delay Low gate count of PUF has a cost –probabilistic outputs –difficult to characterize analytically –non-unique computation –extra back-end storage Different attack target for adversaries –model building rather than key discovery Physical security –hard to break tag and remain undetected MD4 7350 MD5 8400 SHA-256 10868 Yuksel 1701 PUF 545 AES 3400 algorithm # of gates

16 PUF Design Attacks on PUF –impersonation –modeling –hardware tampering –side-channel Weaknesses of existing PUF New PUF design –no oscillating circuit –sub-threshold voltage Compare different non-linear delay approaches reliability

17 Conclusions and Future Work Develop theoretical framework for PUF Design new sub-threshold voltage based PUF Manufacture and test PUFs –varying environmental conditions –motion, acceleration, vibration, temperature, noise Design new PUF-based security protocols –ownership transfer –recovery from privacy compromise –PUFs on RFID readers } in progress PUF: hardware primitive for RFID security Identification and MAC algorithms based on PUF PUFs protect tags from physical attacks PUFs is the key

18 Thank You Questions ? Leonid Bolotnyy lbol@cs.virginia.edu Dept. of Computer Science University of Virginia

19 PUF-Based Ownership Transfer Ownership Transfer To maintain privacy we need –ownership privacy –forward privacy Physical security is especially important Solutions –public key cryptography (expensive) –knowledge of owners sequence –trusted authority –short period of privacy

20 s 2,4 s 1,2 s 3,9 s 2,5 s 3,10 s 3,8 Using PUF to Detect and Restore Privacy of Compromised System 1.Detect potential tag compromise 2.Update secrets of affected tags s 1,0 s 2,0 s 1,1 s 2,1 s 3,1 s 2,2 s 2,3 s 3,0 s 3, 4 s 3,5 s 3,2 s 3,3 s 3,7 s 3,6

21 Related Work on PUF Optical PUF [Ravikanth 2001] Silicon PUF [Gassend et al 2002] –Design, implementation, simulation, manufacturing –Authentication algorithm –Controlled PUF PUF in RFID –Identification/authentication [Ranasinghe et al 2004] –Off-line reader authentication using public key cryptography [Tuyls et al 2006]

Download ppt "Physically Unclonable Function– Based Security and Privacy in RFID Systems Leonid Bolotnyy and Gabriel Robins Dept. of Computer Science University of Virginia."

Similar presentations

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.

Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.
Lecture10 – More on Physically Unclonable Functions (PUFs)

Lecture10 – More on Physically Unclonable Functions (PUFs)
Physical Unclonable Functions and Applications

Physical Unclonable Functions and Applications
Physical Unclonable Functions

Physical Unclonable Functions
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
LOGO Multi-user Broadcast Authentication in Wireless Sensor Networks ICU 20082065 Myunghan Yoo.

LOGO Multi-user Broadcast Authentication in Wireless Sensor Networks ICU Myunghan Yoo.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Outline  Introduction  Related Work  PUF-Based Tag Identification Algorithm  PUF-Based MAC Protocols  PUF Vs. Digital Hash Functions  Building PUFs.

Outline  Introduction  Related Work  PUF-Based Tag Identification Algorithm  PUF-Based MAC Protocols  PUF Vs. Digital Hash Functions  Building PUFs.
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
Lecture III : Communication Security, Services & Mechanisms Internet Security: Principles & Practices John K. Zao, PhD SMIEEE National Chiao-Tung University.

Lecture III : Communication Security, Services & Mechanisms Internet Security: Principles & Practices John K. Zao, PhD SMIEEE National Chiao-Tung University.
1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.

1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Cryptography in The Presence of Continuous Side-Channel Attacks Ali Juma University of Toronto Yevgeniy Vahlis Columbia University.

Cryptography in The Presence of Continuous Side-Channel Attacks Ali Juma University of Toronto Yevgeniy Vahlis Columbia University.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

Similar presentations

Ads by Google