Revisting Unpredictability-Based RFID Privacy Models Junzuo Lai, Robert Deng, Yingjiu Li Singapore Management University 2018/11/19
Radio Frequency IDentification (RFID) Radio signal (contactless) Range: from 3-5 inches to 3 yards Database Match tag IDs to physical objects Tags (transponders) Attached to objects, “call out” identifying data on a special radio frequency Reader (transceivers) Read data off tags without direct contact Range can be 100 meters Perfect working conditions for attackers! 2018/11/19
RFID Privacy Issues Allows creation & misuse of user profiles Unauthorized tracking at the physical level Disclosure of the tag identity Linkability of the transactions of a tag Unauthorized tracking at the system level Allows creation & misuse of user profiles Privacy has been one of the most important concerns in the deployment of RFID systems. Most of the privacy concerns are related to unauthorized tracking of RFID tags, which allows creation and misuse of user profiles. Such unauthorized tracking may take place at the physical level or the system level. We looked at both issues, but this talk will focus at the unauthorized tracking at the physical level. 2018/11/19
RFID Privacy Techniques Physical Privacy-Enhancing Methods Kill commoand, active jamming, passive jamming Cryptographic Protocols for RFID Privacy Numerous lightweight RFID protocols for low-cost tags have been proposed They use simple operations (XOR, bit inner product, CRC, etc) Many have been broken (T. van Deursen and S. Radomirovic: Attacks on RFID Protocols, ePrint Archive: Report 2008/310) Many protocols have been broken. The same as other cryptographic protocols, we need to have formal modes and formal proofs. 2018/11/19
Outline Existing unpredictability based RFID privacy models Unp-privacy model Unp’-privacy model A new unpredictability based model Relationship with Ind-privacy model Summary There are other RFID privacy models, such as Vaudenay, Vaudenay & Paise models. They are outside the scope of the paper. 2018/11/19
RFID System Model T = {T1,…,Tn} a set of tags R/D – reader/database The adversary A has complete control over communications between R and T, while the communications between R and D are over a secure channel. 2018/11/19
A Canonical RFID Protocol Tag T Reader R c C r R f F (optional) Shorthand notation: (c, r, f) ← (R, T) 2 round if only tag authentication. 2018/11/19
Query Types Available to Adversary Launch(R): return a session id sid and the 1st message c. SendTag(sid, c, T): return the 2nd message r, response of tag T. SendReader(sid, r): return the 3rd message f, response of Reader. Reveal(T): return the secret of tag T. O1, O2, O3, O4 denote, Launch, SendTag, SendReader, Reveal oracles, respectively. The interaction between adversary A and the protocol participants R and T occurs only via oracles, which model the adversary capabilities in real attacks. The four kinds of queries above can be used to model most, if not all, of the attacks to RFID communications or tags, including eavesdropping, alteration of communication messages, replay attacks, corruption of tags. 2018/11/19
Ind-privacy: indistinguishability of two tags (Jules & Weis, ePrint 2006, PerCom 2007) Ind-Game {Ti, Tj} ← A1O1,O2,O3,O4(R, T); ∈{0, 1}; If = 0 then Tc = Ti, else Tc= Tj; T’ = T - {Ti, Tj}; ’ ←A2O1,O2,O3,O4(R, T’, Tc). A1 not allowed to query O4 on Ti and Tj A2 not allowed to query O4 on Tc A1 learning stage; A2 guessing stage 1) The information learnt by A1 is internally carried over to A2. This definition is not easy to work with – if a protocol does not satisfy ind-privacy, then the definition can be used to verify that fact; however, it’s difficult to prove if a protocol indeed is ind-privacy. To our knowledge, no mutual authentication RFID protocol has been proven directly to be ind-privacy. Juels and Weis prove the ind-privacy of the randomized hash-lock RFID protocol by showing that no adversary can distinguish the real output of a tag from a random value. So they in fact prove the unp-privacy of the randomized hash-lock. Adversary A wins the game if ’ = The advantage of adversary A = |Pr['=]-1/2| Drawback: Not easy to work with 2018/11/19
Unp-privacy: unpredictability of protocol (Ha, Moon, Zhou & Ha, ESORICS 2008) Unp-Game Tc← A1O1,O2,O3,O4(R, T); ∈ {0, 1}; If = 1, r is taken from (c, r, f) ← (R, Tc); else r ← random; ’ ← A2 (r). A1 not allowed to query O4 on Tc The advantage of adversary A = |Pr['=]-1/2| Drawback – A2 does not get the full transcript of the protocol but only r. As a result, protocols meeting Unp-privacy but with known weakness in privacy (Deursen & Radomirovic, ePrint Archive: Report 2008/477) A1 learning stage A2 guessing stage 2018/11/19
Unp’-privacy: unpredictability of protocol (Ma, Li, Deng & Li, CCS 2009) Unp’-Game {Tc, c}← A1O1,O2,O3,O4(R, T); ∈ {0, 1}; If = 1 then (c, r, f) ← (R, Tc), else (r, f) ← random; T’ = T – {Tc} ’ ← A2O1,O2,O3,O4(R, T’, r, f). A1 not allowed to query O4 on Tc The advantage of adversary A = |Pr['=]-1/2| Drawback: A2 is not allowed to query O2 (SendTag) oracle on Tc 2018/11/19
A Counterexample The protocol is unp’-privacy but a tag can be traced by tracing its state s The adversary can modify r2 to find out the state of tag, i.e., s is 0 or 1. That is, First assume the tag is in state s=0 (i.e., reader and tag in synchronization). The attacker modifies r2 in message 2. then the modified r2 is not used by reader in tag verification. The reader will accept the tag and computes f using the modified r2 and f to tag. Tag can not verify f and will reject the reader. Now the tag is in state s=1. During next round of protocol, since the tag is state s=1, tag computes r1 as a function of r2 and sends them to reader. The attacker modifies r2 again. Now the tag and reader is not in synchronization, and the modified r2 is used in verifying r1 by the reader. Of course r1 can not be verified since r2 is modified. The reader will reject the tag.The attacker knows that the tag was in state s=1. 2018/11/19
Outline Existing unpredictability based RFID privacy models Unp-privacy model Unp’-privacy model A new unpredictability based model Relationship with Ind-privacy model Summary 2018/11/19
Unp*-privacy Unp*-Game Tc ← A1O1,O2,O3,O4(R, T); ∈ {0, 1}; ’ ← A2O1,O2,O3(R, Tc). When A2 makes queries to O1, O2, O3 on Tc If = 1, return oracles’ responses Else ( = 1) return c R C if query O1 return r R R if query O2 Return f R F if query O3 A1 not allowed to query O4 on Tc In this new model, if b = 0, return real oracle responses (the queries are made to Tc) If b = 1: return random values. The above queries are made many times, limited only in polynomial size. The model has a flavor of both ind-privacy and unp-privacy. The advantages of the new model: 1) It's easy to work with. We have a protocol which is shown meets Unp’'-privacy 2) It avoids the problem of unp-privacy definition since we allow A2 to query O2 on Tc 3) It avoids the problem of PV08, since there is no contraction between reader authentication and privacy notion 2018/11/19
A Protocol with Unp*-Privacy Note: when the reader fails to identify a tag, it does not simply abort, but responds with a random message. Unp*-privacy is given in the full paper. 2018/11/19
Outline Existing unpredictability based RFID privacy models Unp-privacy model Unp’-privacy model A new unpredictability based model Relationship with Ind-privacy model Summary 2018/11/19
Relation Between Unp*-Privacy and Ind-privacy models Ind-privacy Unp*-privacy Assume that (c, r, f) (R, T) is Ind-privacy. Let (c, r|r, f) ’(R,T). ’(R,T) is Ind-privacy, but it is not Unp*-privacy. Ind-privacy Unp*-privacy See paper 2018/11/19
A Minimal Condition (not in paper) Minimal requirement for RFID systems to achieve Unp*-privacy Unp”-privacy PRF 2018/11/19
Summary Existing privacy models Ind-privacy, unp-privacy, unp’-privacy A new model: Unp*-privacy Relations Unp*-privacy Ind-privacy PRF Forward security – knowing present state, can not distinguish past protocol messages Backward security – knowing present state, can not distinguish future protocol messages (this assumes that an adversary knows the present state of a tag, but cannot know the future states of the tag) Future work including privacy models and design of efficient protocols 2018/11/19
Thank You! 2018/11/19