Covert Channels in Privacy-Preserving Identification Systems Daniel V. Bailey (RSA Labs) Dan Boneh (Stanford) Eu-Jin Goh (Stanford) Ari Juels (RSA Labs)


1 Covert Channels in Privacy-Preserving Identification Systems Daniel V. Bailey (RSA Labs) Dan Boneh (Stanford) Eu-Jin Goh (Stanford) Ari Juels (RSA Labs) © 2007 RSA Laboratories ACM CCS 31 October 2007

2 You are probably carrying a constellation of wireless identification devices right now

3 Proximity cards

4 Automobile ignition keys
RFID helps secure hundreds of millions of automobiles
– Cryptographic challenge-response
– Philips claims more than 90% reduction in car theft thanks to RFID!
– (Some, e.g., Texas Instruments DST, are weak [Bono et al. ‘05])…

5 Credit cards RFID now offered in all major credit cards in U.S.… Some even broadcast your name in the clear! –See “Vulnerabilities in First-Generation RFID-Enabled Credit Cards” [Heydt-Benjamin et al. ’07]

6 Transit cards

7 Passports Dozens of countries issuing RFID-enabled passports Other identity documents, e.g., drivers’ licenses, to follow

8 Animals too… “Not Really Mad” Livestock Housepets The cat came back, the very next day… 50 million+

9 Human location tracking Schools Amusement parks Hospitals In the same vein: mobile phones with GPS…

10 ??? Human-implantable RFID [Figure: image equation ending in “= VeriChip™”]

11 Human-implantable RFID [Figure: image equation ending in “= VeriChip™”]
Excellent test bed for privacy and security concepts!
Proposed for medical-patient identification
Also proposed and used as an authenticator for physical access control, a “prosthetic biometric”
– E.g., Mexican attorney general purportedly used for access to secure facility
What kind of cryptography does it have?
– None: It can be easily cloned [Halamka et al. ’06]
So shouldn’t we add a challenge-response protocol?
Cloning may actually be a good thing

12 Human-implantable RFID
Physical coercion and attack
– In 2005, a man in Malaysia had his fingertip cut off by thieves stealing his biometric-enabled Mercedes
– What would happen if the VeriChip were used to access ATM machines and secure facilities?
Perhaps better if tags can be cloned!
Tags should not be used for authentication—only for identification

13 Cloneability + privacy Privacy means no linkability or information about identities If a tag can be cloned, does that mean it can’t provide privacy? –Surprisingly, no! A very simple scheme allows for simultaneous cloneability and privacy

14 Cloneability + privacy
Homomorphic public-key cryptosystem (e.g., El Gamal)
Private / public key pair (SK, PK)
Randomized scheme: $C = E_{PK,r}[m]$
Semantic security: Adversary cannot distinguish $C = E_{PK,r}[\text{“Alice”}]$ from $C' = E_{PK,s}[\text{“Bob”}]$
Re-encryption property: Given $C$ only, can produce randomized $C^* = E_{PK,s}[m]$, without knowing $m$

15 Cloneability + privacy
The scheme: When read, tag chooses fresh $r$ and outputs $C = E_{PK,r}[\text{“name”}]$
Then:
Reader with SK can decrypt name
Semantic security: Adversary cannot distinguish among tags, i.e., infringe privacy
Re-encryption property: Adversary can clone a tag: records $C$ and outputs randomized $C^*$
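
The scheme on slides 14 and 15, as an added example that is not from the presentation: El Gamal over a toy group, with a tag that emits a fresh ciphertext on every read and an eavesdropper who clones it by re-encryption. The parameters, the tag numbers 17 and 42, and the reader's `directory` table are constructed for illustration.

```python
import secrets

# Toy parameters (constructed, far too small for real use):
# p = 2q + 1 with q prime; g = 4 generates the subgroup of order q.
P, Q, G = 1019, 509, 4

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def encrypt(pk, m, r=None):
    """C = E_{PK,r}[m] = (g^r, m * PK^r); m must be a subgroup element."""
    r = secrets.randbelow(Q - 1) + 1 if r is None else r
    return pow(G, r, P), m * pow(pk, r, P) % P

def reencrypt(pk, c, s=None):
    """Clone step: from C and PK only (no m, no SK), produce a ciphertext of
    the same m under randomness r + s."""
    s = secrets.randbelow(Q - 1) + 1 if s is None else s
    a, b = c
    return a * pow(G, s, P) % P, b * pow(pk, s, P) % P

def decrypt(sk, c):
    a, b = c
    return b * pow(a, Q - sk, P) % P  # a^(q - sk) = a^(-sk) in the order-q subgroup

def identify(sk, directory, c):
    """Reader side: decrypt, then look the plaintext up in its tag database."""
    return directory.get(decrypt(sk, c))

def demo():
    sk, pk = keygen()
    alice, bob = pow(G, 17, P), pow(G, 42, P)   # identities encoded as group elements
    directory = {alice: "Alice", bob: "Bob"}
    read1 = encrypt(pk, alice)                  # tag output on one read
    read2 = encrypt(pk, alice)                  # fresh r on the next read
    clone = reencrypt(pk, read1)                # eavesdropper replays a re-randomized copy
    return [identify(sk, directory, c) for c in (read1, read2, clone)], clone != read1

if __name__ == "__main__":
    print(demo())
```

The clone decrypts to the same identity as the genuine tag while never repeating the recorded ciphertext, which is why the slides treat this tag as an identifier and not an authenticator.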

16 The covert-channel problem Suppose there is an identification / authentication system… Authorized Employees Only Who’s there? E[“Alice”] It’s Alice!

17 The covert-channel problem Suppose there is an identification / authentication system… Authorized Employees Only Who’s there? E[“Alice” + ?] Alice has low blood pressure and high blood-alcohol Alice recently passed a casino’s RFID reader. Mercury switch indicates that Alice napped on job

18 How can we assure Alice of no covert channels?
Outputs must be deterministic
– Randomness always leaves room for covert emissions
Could give Alice a secret key to check that outputs are formatted correctly
– E.g., PRNG seed for device
But we don’t want Alice (or a third party) to have to manage sensitive keying material!
Can we enable Alice to verify covert-freeness publicly, i.e., without exposing secret keys?
Simultaneous publicly verifiable covert-freeness and privacy are impossible!

19 Here’s why… Suppose there were a public CC detector… [Figure: the “X18 Ultra CC-Detector™” takes outputs $A_1$, $A_2$ and answers “No CC” or “Yes, CC!”]

20 Here’s a covert channel!
1. Create identity for user “Bob”
– Bob could be fictitious
– Just need output sequence $B_1, B_2, \ldots$
2. Alice’s chip does following:
– If no nap, output $A_1, A_2, A_3$, etc. with Alice’s identity
– If Alice has taken a nap, then flip to Bob’s identity, i.e., output $A_1, A_2, \ldots, B_1, B_2$

21 Suppose we detect this covert channel [Figure: X18 Ultra CC-Detector™ with outputs $A_1$, $A_2$ labelled “No CC” and $B_1$ labelled “Yes, CC”]

22 Now if there really is a user Bob, we have a problem... [Figure: X18 Ultra CC-Detector™ with outputs $A_1$, $A_2$ labelled “No CC”]

23 Alice followed by Bob yields “Yes” [Figure: X18 Ultra CC-Detector™ with outputs $A_1$, $B_1$ labelled “Yes, CC”]

24 Privacy is broken: We can distinguish between identities! [Figure: Bob and Alice; one X18 Ultra CC-Detector™ answers “Yes”, the other “No”]

25 So public CC-verifiability + privacy is impossible
Now let’s show how to achieve it anyway…
Idea:
– Weaken privacy definition to eliminate localized privacy, e.g., privacy across pairwise values
– Allow localized CC-checking, e.g., pairwise
– Localized privacy is least important type of privacy
Now we can do spot CC-checking…
[Figure: output sequence $A_1, A_2, \ldots, A_9$; X18 Ultra CC-Detector™ answers yes / no]

26 So public CC-verifiability + privacy is impossible
Now let’s show how to achieve it anyway…
Idea:
– Weaken privacy definition to exclude localized privacy, e.g., privacy across pairwise values
– Allow localized CC-checking, e.g., pairwise
– Localized privacy is least important type of privacy
Now we can do spot CC-checking…
[Figure: output sequence $A_1, \ldots, A_7, B_1, B_2$; X18 Ultra CC-Detector™ answers yes / no]

27 So public CC-verifiability + privacy is impossible
Now let’s show how to achieve it anyway…
Idea:
– Weaken privacy definition to exclude localized privacy, e.g., privacy across pairwise values
– Allow localized CC-checking, e.g., pairwise
– Localized privacy is least important type of privacy
Now we can do spot CC-checking…
[Figure: output sequence $A_1, A_2, \ldots, A_9$; “???”]

28 Still a challenge
Construct a deterministic sequence whose values are:
– Unlinkable (except pairwise)
– Publicly, pairwise verifiable
Basic ideas of our solution
1. General unlinkability via exponent squaring:
– $A_1 = h^{r^2}$, $A_2 = h^{r^4}$, $A_3 = h^{r^8}$, $A_4 = h^{r^{16}}$, etc.
2. Verifiability via use of group with bilinear map $e$:
– Pairwise check: $e(A_2, A_2) = e(h, A_3) = e(h,h)^{r^8}$
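
The pairwise check of slide 28 applied to the identity-flip channel of slide 20, as an added example that is not from the presentation. It uses a constructed toy bilinear map in which a group element $h^x$ is stored as the integer x mod q, so discrete logs are trivial and nothing here is secure; only the algebra of the check is shown. The values r = 3 (Alice) and r = 5 (Bob) are assumptions.

```python
# Toy symmetric bilinear map (constructed, insecure):
#   G   = (Z_q, +) with generator h = 1, so "h^x" is just x mod q
#   G_T = order-q subgroup of Z_p^*, generated by GT
#   e(x, y) = GT^(x*y), which is bilinear and non-degenerate
P, Q, GT = 1019, 509, 4
H = 1

def e(x, y):
    return pow(GT, (x * y) % Q, P)

def tag_sequence(r, n):
    """A_i = h^(r^(2^i)) for i = 1..n: each exponent is the previous one squared."""
    out, x = [], r % Q
    for _ in range(n):
        x = (x * x) % Q
        out.append(x)          # stands for the group element h^x
    return out

def pair_ok(a, a_next):
    """Public check on two consecutive outputs: e(A_i, A_i) == e(h, A_{i+1})."""
    return e(a, a) == e(H, a_next)

def spot_check(outputs):
    """Indices i at which the consecutive pair (i, i+1) fails the check."""
    return [i for i in range(len(outputs) - 1)
            if not pair_ok(outputs[i], outputs[i + 1])]

def covert_flip(r_alice, r_bob, n_before, n_after):
    """Slide 20's channel: Alice's outputs, then a switch to Bob's sequence."""
    return tag_sequence(r_alice, n_before) + tag_sequence(r_bob, n_after)

if __name__ == "__main__":
    honest = tag_sequence(3, 9)            # A_1 .. A_9
    flipped = covert_flip(3, 5, 7, 2)      # A_1 .. A_7, B_1, B_2
    print("honest tag, failing pairs: ", spot_check(honest))
    print("flipped tag, failing pairs:", spot_check(flipped))
```

Only the pair straddling the switch fails; the pair $B_1, B_2$ passes on its own, so a checker must see two consecutive outputs to catch the flip.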

29 Improving efficiency
$A_1 = h^{r^2}$, $A_2 = h^{r^4}$, $A_3 = h^{r^8}$, $A_4 = h^{r^{16}}$, etc.
Determining identity is not efficient
– Every tag must use separate value $r$ known to reader
– Reader must compute sequence for every tag
Use composite-order bilinear maps [BGN ’05]
– Reader secret $g$; public $h$ (different subgroups)
– Each tag has identifier $e(g,g)^d$ for unique $d$
– At time $i$, tag with identifier $d$ outputs $g^d A_i$
– Reader computes $e(g, g^d A_i) = e(g, g^d) = e(g,g)^d$ = tag ID
– (With $g$ and $h$ in different subgroups, we can make h-base disappear)

30 More to do…
In paper, we also demonstrate k-wise-checkable constructions and other access structures
But there are still some problems:
1. Non-standard hardness assumption
– $\ell$-BDHS (Bilinear Diffie-Hellman Squaring)
2. We only address covert channels in known communication layer
– What if tag takes secret input? (Record transactions?)
– Timing or power side-channels?
3. Tag is no longer cloneable!

31 Much more to do… The number of implantable cardiac defibrillators (ICDs) alone is set to exceed 250,000 per year in the U.S. ICDs emit measurements and permit reprogramming Those constellations of wireless devices are moving into the body…

