Mitigate Unauthorized Tracking in RFID Discovery Service Qiang Yan 1, Robert H. Deng 1, Zheng Yan 2, Yingjiu Li 1, Tieyan Li 3 1 Singapore Management University,

Presentation transcript:

Mitigate Unauthorized Tracking in RFID Discovery Service Qiang Yan 1, Robert H. Deng 1, Zheng Yan 2, Yingjiu Li 1, Tieyan Li 3 1 Singapore Management University, Singapore 2 Nokia Research Center, Finland 3 Institute for Infocomm Research, Singapore September 2010

Outline
Background & Motivation
Discovery Service based Tracking Attack
Pseudonym-based Design
– Basic ideas
– Scheme I: supporting flexible tag level tracking
– Scheme II: supporting user revocation
Conclusion

Anti-tracking problem in EPCglobal RFID architecture
1. Tag information (e.g. EPC code, …)
2. Location query by unique identifier, e.g. EPC code
3. Location information of associated IS servers
4. Request for processing current tags
5. Response of processing request
6. Update tag if necessary
Most research work assumes the discovery service (DS) is trusted and focuses on secure protocol design to defend against unauthorized tracking at the physical level. It could be easier for an attacker to track information flow at the system level, e.g. from a compromised DS server. DS is designed to be a restricted-access search engine, but it is still possible to compromise a DS server deployed on the Internet.

RFID discovery service enables tag-level tracking in EPCglobal Network
Tags are transported from Partner A to Partner B.
Roles: Supply Chain Partner A, Supply Chain Partner B, Authorized User, Discovery Service
1. Publish: (EPC1, L1, T1) …
2. Publish: (EPC1, L2, T2) …
3. Query: EPC1
4. Reply: (,, …)
Database records on Discovery Service: (EPC1, L1, T1) (EPC1, L2, T2) …

Unauthorized tracking by RFID discovery service through tag identifier grouping
Database Table:
Tag ID    Location    Time
EPC1      L1          …
EPC1      L2          …
EPC2      L1          …
The adversary knows: A tag with tag ID EPC1 was transported from L1 to L2.

Unauthorized tracking by RFID discovery service through timestamp correlating
Database Table:
Tag ID    Location    Time
P1        L1          T1
P2        L1          T1
P3        L2          T2
P4        L2          T2
The adversary knows: A batch of two tags with pseudonyms P1, P2, P3, and P4 may have been transported from L1 to L2.

Threat Model – a semi-trusted RFID discovery service
The RFID discovery service will obey the regulations but try to learn the tracking information. It is always able to
– understand the system design
– read the static contents of the database

Threat Model – other roles
Other outliers (weaker than the RFID discovery service)
– Only able to eavesdrop on network messages
Supply chain partners and authorized users (trusted)
– Do not disclose the secret keys.
– Do not collude with the adversaries.

Basic ideas to mitigate this threat
For tag identifier grouping:
– Minimize the correlation between records
– by using different pseudonyms to index multiple records of the same tag
For timestamp correlating:
– Hide plaintext timestamps
– by storing the timestamps as ciphertext

Pseudonym Indexing
Location records of each individual tag are indexed by multiple pseudonyms.
Pseudonym = Func (original tag ID, secret key)
Func is a pseudonym generation function
– Deterministic
– Unlinkable
– e.g. HMAC

Timestamp Encryption
Supply chain partners should publish encrypted timestamps to the RFID discovery service.
– The RFID discovery service should not log the record creation time.
The timestamp is not an index field.
– Apply non-deterministic encryption algorithms, e.g. CPA-secure encryption algorithms, AES-CBC
– Easy for key management.

Revised Operation Model (Publish and Query)
Tags are transported from Partner A to Partner B.
Roles: Supply Chain Partner A, Supply Chain Partner B, Authorized Discovery Service User, Discovery Service
1. Publish: (P1<-EPC1, L1, ET1) (P2<-EPC2, L1, ET1)
2. Publish: (P3<-EPC1, L2, ET2) (P4<-EPC2, L2, ET2)
3. Query: {P1, P3}
4. Reply: (,, …)
Database records on Discovery Service: (P1, L1, ET1) (P2, L1, ET1) (P3, L2, ET2) (P4, L2, ET2) …
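The pseudonym indexing, timestamp encryption and publish/query flow from the slides above, as an added Python example that is not code from the presentation. It assumes each supply chain partner holds its own secret key (KEY_A, KEY_B), uses HMAC-SHA256 as Func, and substitutes a nonce-plus-HMAC-pad randomized cipher for AES-CBC so it runs with the standard library only; the function names and the sample timestamps are constructed for illustration.

```python
import hashlib
import hmac
import os

def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def pseudonym(key: bytes, epc: str) -> str:
    """Deterministic keyed index value: Func(tag ID, secret key), Func = HMAC."""
    return _prf(key, b"idx|" + epc.encode()).hex()[:16]

def encrypt_ts(key: bytes, ts: str) -> bytes:
    """Randomized encryption with a fresh nonce per record (AES-CBC stand-in)."""
    msg = ts.encode()
    assert len(msg) <= 32, "one PRF block is enough for a timestamp"
    nonce = os.urandom(16)
    pad = _prf(key, b"ts|" + nonce)
    return nonce + bytes(m ^ p for m, p in zip(msg, pad))

def decrypt_ts(key: bytes, ct: bytes) -> str:
    nonce, body = ct[:16], ct[16:]
    pad = _prf(key, b"ts|" + nonce)
    return bytes(c ^ p for c, p in zip(body, pad)).decode()

def publish(db, key, location, ts, epcs):
    """A partner publishes one batch of tags read at `location` at time `ts`."""
    for epc in epcs:
        db.append((pseudonym(key, epc), location, encrypt_ts(key, ts)))

def query(db, keys, epc):
    """Authorized user: recompute the pseudonyms, fetch the records, decrypt."""
    hits = []
    for key in keys:
        p = pseudonym(key, epc)
        hits += [(loc, decrypt_ts(key, et)) for idx, loc, et in db if idx == p]
    return hits

def ds_view(db):
    """Semi-trusted DS: are any index values or stored time values repeated?"""
    idx = [r[0] for r in db]
    ets = [r[2] for r in db]
    return len(set(idx)) < len(idx), len(set(ets)) < len(ets)

# Constructed sample data: two partners, two tags moved from L1 to L2.
KEY_A, KEY_B = os.urandom(32), os.urandom(32)
DB = []
publish(DB, KEY_A, "L1", "2010-09-01T08:00", ["EPC1", "EPC2"])
publish(DB, KEY_B, "L2", "2010-09-03T17:30", ["EPC1", "EPC2"])
```

`ds_view(DB)` returns `(False, False)`: no index value repeats and no two stored time values match, so neither grouping nor correlating works on the static table, while `query(DB, [KEY_A, KEY_B], "EPC1")` still recovers both location records. The location column stays in plaintext, as in the slide's database records.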

Scheme I: Supporting flexible tag level tracking
[Figure labels: KeyA, KeyB, KeyC, KeyD, KeyE; KeyA, KeyD, KeyE]

Drawbacks of Scheme I
Security manager has to be online
– Who will be the security manager, after all?
– Applies to a static user group
– User revocation is not supported
To support user revocation
– Assign new keys to supply chain partners
– However, key updates cannot be handled well if the user group is large with frequent revocations.
– How about periodic updating? Not so good, either.

Key Primitive Used in Scheme II
Security manager could be offline, we use Proxy Re-encryption
– Proxy re-encryption allows a proxy to transform a ciphertext computed under Alice's public key into one that can be decrypted using Bob's private key. During ciphertext transformation, referred to as re-encryption, the proxy learns nothing about the underlying plaintext.
– A proxy re-encryption scheme is represented as a tuple of (possibly probabilistic) polynomial time algorithms (KG, RG, E, R, D):

Scheme II: Supporting user revocation without online TTP
1. Supply chain structure or access control policies change.
2. Send new access control policies and update re-encryption keys.
3. Retrieve the encrypted session keys after proxy re-encryption.
4. Get the session keys by decrypting the ciphertext using his own private key.
Security Manager stays offline if no structure or policies change.
The only online service is the discovery service, which tells authorized users the session keys by re-encrypting the ciphertext of the session keys.
Use random session keys (generated by supply chain partners) for pseudonym indexing and timestamp encryption.

Scheme II: When a user is granted a certain privilege,
1. Generate a key pair.
2. Send pk_u.
3. Generate re-encryption key rk_SM->u from pk_u, pk_SM, and sk_SM.
4. Send rk_SM->u and the access control policy updates involved in the grant.
(If rk_SM->u has already been generated, Steps 1~3 can be skipped.)

Scheme II: When a user's privilege is revoked,
1. Update the access control policies involved in the revocation.

Other Privacy Issues
Tracking information disclosure from access patterns
– Split related pseudonyms into separate queries
– Introduce delays or dummy data in publishing location records to Discovery Service
Tracking information disclosure from collusion attack
– Trusted Computing Technique (use TPMs)
The accomplices can use the secrets without knowing them.

Conclusion
This work
– Identified the threat of unauthorized tracking by RFID discovery service.
– Proposed pseudonym-based solutions to mitigate this threat.