Revisiting Unpredictability-Based RFID Privacy Models


1 Revisiting Unpredictability-Based RFID Privacy Models
Junzuo Lai, Robert Deng, Yingjiu Li
Singapore Management University
2018/11/19

2 Radio Frequency IDentification (RFID)
Radio signal (contactless)
Range: from 3-5 inches to 3 yards
Database: match tag IDs to physical objects
Tags (transponders): attached to objects, “call out” identifying data on a special radio frequency
Reader (transceivers): read data off tags without direct contact
Range can be 100 meters
Perfect working conditions for attackers!

3 RFID Privacy Issues
Unauthorized tracking at the physical level
  Disclosure of the tag identity
  Linkability of the transactions of a tag
Unauthorized tracking at the system level
Allows creation & misuse of user profiles

Privacy has been one of the most important concerns in the deployment of RFID systems. Most of the privacy concerns are related to unauthorized tracking of RFID tags, which allows creation and misuse of user profiles. Such unauthorized tracking may take place at the physical level or the system level. We looked at both issues, but this talk will focus on unauthorized tracking at the physical level.

4 RFID Privacy Techniques
Physical Privacy-Enhancing Methods
  Kill command, active jamming, passive jamming
Cryptographic Protocols for RFID Privacy
  Numerous lightweight RFID protocols for low-cost tags have been proposed
  They use simple operations (XOR, bit inner product, CRC, etc.)
  Many have been broken (T. van Deursen and S. Radomirovic: Attacks on RFID Protocols, ePrint Archive: Report 2008/310)

Many protocols have been broken. As with other cryptographic protocols, we need formal models and formal proofs.

5 Outline
Existing unpredictability based RFID privacy models
  Unp-privacy model
  Unp’-privacy model
A new unpredictability based model
Relationship with Ind-privacy model
Summary

There are other RFID privacy models, such as the Vaudenay and Vaudenay & Paise models. They are outside the scope of the paper.

6 RFID System Model
T = {T1,…,Tn}: a set of tags
R/D – reader/database
The adversary A has complete control over communications between R and T, while the communications between R and D are over a secure channel.

7 A Canonical RFID Protocol
Reader R → Tag T: c ∈ C
Tag T → Reader R: r ∈ R
Reader R → Tag T: f ∈ F (optional)
Shorthand notation: (c, r, f) ← (R, T)
2 rounds if only tag authentication.

8 Query Types Available to Adversary
Launch(R): return a session id sid and the 1st message c.
SendTag(sid, c, T): return the 2nd message r, the response of tag T.
SendReader(sid, r): return the 3rd message f, the response of the reader.
Reveal(T): return the secret of tag T.
O1, O2, O3, O4 denote the Launch, SendTag, SendReader and Reveal oracles, respectively.

The interaction between adversary A and the protocol participants R and T occurs only via oracles, which model the adversary's capabilities in real attacks. The four kinds of queries above can be used to model most, if not all, of the attacks on RFID communications or tags, including eavesdropping, alteration of communication messages, replay attacks and corruption of tags.

9 Ind-privacy: indistinguishability of two tags (Juels & Weis, ePrint 2006, PerCom 2007)
Ind-Game
  {Ti, Tj} ← A1^{O1,O2,O3,O4}(R, T);
  b ∈ {0, 1};
  If b = 0 then Tc = Ti, else Tc = Tj;
  T’ = T - {Ti, Tj};
  b’ ← A2^{O1,O2,O3,O4}(R, T’, Tc).
A1 not allowed to query O4 on Ti and Tj
A2 not allowed to query O4 on Tc
A1: learning stage; A2: guessing stage
Adversary A wins the game if b’ = b
The advantage of adversary A = |Pr[b’ = b] - 1/2|
Drawback: not easy to work with

The information learnt by A1 is internally carried over to A2. This definition is not easy to work with: if a protocol does not satisfy ind-privacy, the definition can be used to verify that fact; however, it is difficult to prove that a protocol indeed satisfies ind-privacy. To our knowledge, no mutual authentication RFID protocol has been proven directly to be ind-privacy. Juels and Weis prove the ind-privacy of the randomized hash-lock RFID protocol by showing that no adversary can distinguish the real output of a tag from a random value. So they in fact prove the unp-privacy of the randomized hash-lock.

10 Unp-privacy: unpredictability of protocol (Ha, Moon, Zhou & Ha, ESORICS 2008)
Unp-Game
  Tc ← A1^{O1,O2,O3,O4}(R, T);
  b ∈ {0, 1};
  If b = 1, r is taken from (c, r, f) ← (R, Tc); else r ← random;
  b’ ← A2(r).
A1 not allowed to query O4 on Tc
A1: learning stage; A2: guessing stage
The advantage of adversary A = |Pr[b’ = b] - 1/2|
Drawback: A2 does not get the full transcript of the protocol but only r. As a result, there are protocols meeting Unp-privacy but with known weaknesses in privacy (Deursen & Radomirovic, ePrint Archive: Report 2008/477)

11 Unp’-privacy: unpredictability of protocol (Ma, Li, Deng & Li, CCS 2009)
Unp’-Game
  {Tc, c} ← A1^{O1,O2,O3,O4}(R, T);
  b ∈ {0, 1};
  If b = 1 then (c, r, f) ← (R, Tc), else (r, f) ← random;
  T’ = T – {Tc};
  b’ ← A2^{O1,O2,O3,O4}(R, T’, r, f).
A1 not allowed to query O4 on Tc
The advantage of adversary A = |Pr[b’ = b] - 1/2|
Drawback: A2 is not allowed to query the O2 (SendTag) oracle on Tc

12 A Counterexample
The protocol is unp’-privacy but a tag can be traced by tracing its state s
The adversary can modify r2 to find out the state of the tag, i.e., whether s is 0 or 1.

That is: first assume the tag is in state s=0 (i.e., reader and tag are in synchronization). The attacker modifies r2 in message 2. The modified r2 is then not used by the reader in tag verification. The reader will accept the tag, compute f using the modified r2 and send f to the tag. The tag cannot verify f and will reject the reader. Now the tag is in state s=1. During the next round of the protocol, since the tag is in state s=1, the tag computes r1 as a function of r2 and sends them to the reader. The attacker modifies r2 again. Now the tag and reader are not in synchronization, and the modified r2 is used by the reader in verifying r1. Of course r1 cannot be verified since r2 is modified. The reader will reject the tag. The attacker knows that the tag was in state s=1.

13 Outline
Existing unpredictability based RFID privacy models
  Unp-privacy model
  Unp’-privacy model
A new unpredictability based model
Relationship with Ind-privacy model
Summary

14 Unp*-privacy
Unp*-Game
  Tc ← A1^{O1,O2,O3,O4}(R, T);
  b ∈ {0, 1};
  b’ ← A2^{O1,O2,O3}(R, Tc).
When A2 makes queries to O1, O2, O3 on Tc:
  If b = 1, return the oracles’ responses
  Else (b = 0)
    return c ∈_R C if query O1
    return r ∈_R R if query O2
    return f ∈_R F if query O3
A1 not allowed to query O4 on Tc

In this new model, if b = 0, return real oracle responses (the queries are made to Tc). If b = 1: return random values. The above queries may be made many times, limited only to a polynomial number. The model has a flavor of both ind-privacy and unp-privacy. The advantages of the new model:
1) It's easy to work with. We have a protocol which is shown to meet Unp’'-privacy
2) It avoids the problem of the unp-privacy definition, since we allow A2 to query O2 on Tc
3) It avoids the problem of PV08, since there is no contradiction between reader authentication and the privacy notion

15 A Protocol with Unp*-Privacy
Note: when the reader fails to identify a tag, it does not simply abort, but responds with a random message.
Unp*-privacy is given in the full paper.

16 Outline
Existing unpredictability based RFID privacy models
  Unp-privacy model
  Unp’-privacy model
A new unpredictability based model
Relationship with Ind-privacy model
Summary

17 Relation Between Unp*-Privacy and Ind-privacy models
Ind-privacy ⇏ Unp*-privacy
  Assume that (c, r, f) ← (R, T) is Ind-privacy.
  Let (c, r|r, f) ← ’(R,T).
  ’(R,T) is Ind-privacy, but it is not Unp*-privacy.
Ind-privacy  Unp*-privacy
  See paper
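
The separation on this slide can be played out as a small Unp*-game. This is an added example, not code from the slides or the paper: the HMAC-based base protocol, the 16-byte sizes and all function names are assumptions, r|r is read as concatenation, the range R is taken to be all strings of the doubled length, and b = 1 selects the real tag as in the Unp*-game slide.

```python
import hmac, hashlib, secrets

HALF = 16  # length in bytes of the base response r (constructed parameter)

def tag_response(key: bytes, c: bytes) -> bytes:
    """Hypothetical base protocol: r = nonce || PRF_k(c || nonce)."""
    nonce = secrets.token_bytes(HALF // 2)
    mac = hmac.new(key, c + nonce, hashlib.sha256).digest()[:HALF // 2]
    return nonce + mac

def tag_response_prime(key: bytes, c: bytes) -> bytes:
    """Modified protocol of the slide: the second message is r|r."""
    r = tag_response(key, c)
    return r + r

def send_tag_oracle(b: int, key: bytes, c: bytes) -> bytes:
    """O2 on Tc in the Unp*-game: real response if b == 1, else a
    uniformly random element of the response range (assumed here to be
    every string of length 2*HALF)."""
    if b == 1:
        return tag_response_prime(key, c)
    return secrets.token_bytes(2 * HALF)

def adversary_guess(response: bytes) -> int:
    """A2: answer 'real' (1) exactly when both halves are identical."""
    return 1 if response[:HALF] == response[HALF:] else 0

def play_unp_star(trials: int = 2000) -> float:
    """Estimate |Pr[b' = b] - 1/2| for the adversary above."""
    key = secrets.token_bytes(32)      # secret of Tc; O4 is never asked on Tc
    wins = 0
    for _ in range(trials):
        b = secrets.randbelow(2)       # challenger's hidden bit
        c = secrets.token_bytes(HALF)  # first message, chosen by A2
        wins += adversary_guess(send_tag_oracle(b, key, c)) == b
    return abs(wins / trials - 0.5)

if __name__ == "__main__":
    print("estimated advantage:", play_unp_star())
```

The adversary never touches the key: the redundancy in r|r alone separates real from random, while each half on its own still looks like PRF output, which is why the same change does not help an Ind-game adversary tell two tags apart.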

18 A Minimal Condition (not in paper)
Minimal requirement for RFID systems to achieve Unp*-privacy
Unp”-privacy PRF

19 Summary
Existing privacy models
  Ind-privacy, unp-privacy, unp’-privacy
A new model: Unp*-privacy
Relations
  Unp*-privacy Ind-privacy PRF
Forward security – knowing present state, cannot distinguish past protocol messages
Backward security – knowing present state, cannot distinguish future protocol messages (this assumes that an adversary knows the present state of a tag, but cannot know the future states of the tag)
Future work including privacy models and design of efficient protocols

20 Thank You!

