RFID SECURITY

How Does RFID Work? Tags (transponders) Reader (transceiver) Database 02.3DFEX4.78AF51 EasyToll card #816 Radio signal (contactless) Range: from 3-5 inches to 3 yards Tags (transponders) Attached to objects, call out their (unique) name and/or static data on a special radio frequency Reader (transceiver) Reads data off the tags without direct contact Database Matches tag IDs to physical objects

Asymmetric channels Range of Reader (Forward Channel) ~100 m TAG EAVESDROPPER ~5 m Tag’s Range (Backward Channel)

Applications Tracking/Identification Library Books Children Pets Auto Parts Inventory management in a Supply Chain Contactless Smart Cards

A Generic Supply Chain Retailers Wholesalers Manufacturers Suppliers Manufacturers Wholesalers Retailers goods, invoices Purchase orders, payments Supply web (retail customers not shown)

Key Decisions When to order How much to order From whom to order As order quantity increases, holding cost increases As order quantity decreases, stockout cost increases From whom to order

The Problem - Motivation Basic problem with RFID tags Can be remotely scanned Respond to query by any reader This leads to security and privacy risk Resource constraints Limited power and computing resources Hence classical cryptographic mechanisms not feasible The RFID security challenge How to obtain maximum security with almost no resources?

The Problems of Privacy and Security RFID privacy concerns the problem of misbehaving readers harvesting information from well-behaving tags. Risks : Leakage of personal information (prescriptions, brand/size of clothes etc.). Location privacy: Tracking the physical location of individuals by their RFID tags. RFID authentication concerns the problem of well behaving readers receiving information from misbehaving tags, particularly counterfeit ones. Risks: Forgery Sabotage

Cost and capability The strength and flavor of proposed security solutions will depend on the allowed tag cost for different applications 50+ cent tags. Low-end tags will be 10 cent, 5 cent and 2 cent in about 5 years

Challenge Tens of research ideas have been proposed in the past two years Propose improvements over the existing privacy enhancing protocols for the extremely resource constrained RFID systems

Security Attacks Spoofing Denial of Service Man in the middle attack Imitating the behavior of a genuine tag Denial of Service Man in the middle attack Modify the response of the tag to the reader or vice versa Replay Attack Eavesdrop message from the tag (reader) & re-transmit the message to the legitimate reader (tag). Traffic Analysis Monitoring of comm. between reader & tag allows adversary to perform traffic analysis & generate statistical data.

Security and Privacy Requirements Anonymity Tag output should not give idea about ID Untraceability Tag output should be varying Indistinguishibility Tag output should be truly random, i.e. variation should not be predictable Forward Security Adversary should not be able to associate the current output with past output Mutual Authentication Tag-to-reader and reader-to-tag authentication

Backend Requirements Efficiency and scalability Flexibility Order of computation/precomputation required as a function of number of tags Flexibility Changes required with addition/removal of tags

Hash Lock Reader RFID tag Goal: Authenticate reader to the RFID tag [Rivest, Weis, Sharma, Engels] Goal: Authenticate reader to the RFID tag Reader “Who are you?” RFID tag metaID key Compute hash(key) and compare with stored metaID “My real ID is…” Stores metaID=hash(key) Stores key; hash(key) for any tag Unique key for each tag

Hash Lock Analysis PROS CONS Relatively cheap to implement : Tag has to store hash function implementation and metaID Security based on weak collision-resistance of hash function Scalable due to low key look-up overhead CONS Constant tag output – enables traceability Motivates Randomization Too many messages/rounds Requires reader to know all keys

Randomized Hash Lock Reader RFID tag [Weis et al.] Goal: Authenticate reader to the RFID tag Reader RFID tag “Who are you?” Generate random R R, hash(R,IDk) Compute hash(R,IDi) for every known IDi and compare “You must be IDk” Stores its own IDk Stores all IDs: ID1, … ,IDn

Randomized Hash Lock Analysis PROS Randomized response prevents tracking Tag needs to store hash implementation and pseudo-random number generator CONS Inefficient brute force key look-up No Forward security Motivates updating tag ID on each read Security Flaw - Adversary can impersonate tag by learning a valid tag response.

OSK Scheme [Ohkubo, Suzuki and Kinoshita] Goal: Enable reader to identify the RFID tag, change tag identifier on each read Database Reader Tag Query Ai=G(Si) Ai=G(Si) Compute Hash Chain Si+1=H(Si) Tag ID

OSK Analysis Motivates reducing computation time at reader/backend PROS Different random like values on every read operation prevents tracking Forward Security ensured due to one way hash property Tag needs to store only 2 hash implementations, hence low cost Minimal number of transmissions CONS Not scalable for large scale applications due to brute force search Motivates reducing computation time at reader/backend Susceptible to DoS attacks May lead to problem due to hash collisions.

Summary RFIDs have many useful applications related to tracking and identification But there are some important issues of security and privacy Small number of gates for S/P makes the design of such protocols challenging Tens of schemes proposed for security/privacy but subtle drawbacks with many of them. Much more work needed in this area