Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories.

Published byJonathan Keeton Modified over 9 years ago

Similar presentations

Presentation on theme: "Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories."— Presentation transcript:

1 Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories

2 All slides © 2006 RSA Laboratories

3 Recall these RFID applications “ Not Really Mad ” Livestock Housepets The cat came back, the very next day… 50 million+

4 Human location tracking Schools Amusement parks Hospitals

5 ??? A riddle… +=

6 ??? Human-implantable RFID += VeriChip TM

7 NEW Subdermal Biochip Implant for Cashless Transactions - is it the Mark? The mark is a microchip assembly which will be implanted under the skin of the right hand. Later on, the mark will be implanted under the forehead, so people who have no right hand could also have the mark. The microchip assembly, called radio frequency identification (RFID) is already used in animals. In dogs, the RFID is placed between the shoulder blades, and in birds it is implanted under the wing. Now there is a one for humans called VeriChip™. www.rapturechrist.com/666.htm

8 Human-implantable RFID += VeriChip TM Excellent test bed for privacy and security concepts! Proposed for medical-patient identification Also proposed and used as an authenticator for physical access control, a “prosthetic biometric” –E.g., Mexican attorney general purportedly used for access to secure facility What kind of cryptography does it have? –None: It can be easily cloned –[Halamka et al. ‘06] So shouldn’t we add a challenge-response protocol? Cloning may actually be a good thing

9 Human-implantable RFID Physical coercion and attack –In 2005, a man in Malaysia had his fingertip cut off by thieves stealing his biometric- enabled Mercedes –What would happen if the VeriChip were used to access ATM machines and secure facilities? Perhaps better if tags can be cloned! Tags should not be used for authentication—only for identification

10 Cloneability + privacy Privacy means no linkability or information about identities If a tag can be cloned, does that mean it can’t provide privacy? –Surprisingly, no! A very simple scheme allows for simultaneous cloneability and privacy

11 Cloneability + privacy Homomorphic public-key cryptosystem (e.g., El Gamal) Private / public key pair (SK, PK) Randomized scheme: C = E PK,r [m] Semantic security: Adversary cannot distinguish C = E PK,r [“Alice”] from C’*= E PK,s [“Bob”] Re-encryption property: Given C only, can produce randomized C* = E PK,s [m], without knowing m

12 Cloneability + privacy The scheme: When read, tag chooses fresh r and outputs C = E PK,r [“name”] Then: Reader with SK can decrypt name Semantic Security: Adversary cannot distinguish among tags, i.e., infringe privacy Re-encryption property: Adversary can clone a tag: records C and outputs randomized C*

13 The covert-channel problem Suppose there is an identification / authentication system… Authorized Employees Only Who’s there? E[“Alice”] It ’ s Alice!

14 The covert-channel problem Suppose there is an identification / authentication system… Authorized Employees Only Who’s there? E[“Alice” + ?] Alice has low blood pressure and high blood-alcohol Alice recently passed a casino ’ s RFID reader. Mercury switch indicates that Alice napped on job

15 How can we assure Alice of no covert channels? Outputs must be deterministic –Randomness always leaves room for covert emissions Could give Alice a secret key to check that outputs are formatted correctly –E.g., pseudorandom-generator seed for device But we don’t want Alice (or a third party) to have to manage sensitive keying material. Again, key management is the problem! Can we enable Alice (or anyone else) to verify covert- freeness publicly, i.e., without exposing secret keys? Simultaneous publicly verifiable covert-freeness and privacy are impossible!

16 Here’s why… Suppose there were a public CC detector… X18 Ultra CC-Detector TM A1A1 A2A2 No CC Yes, CC!

17 Here’s a covert channel! 1.Create identity for user “Bob” Bob could be fictitious Just need output sequence B 1, B 2, … 2.Alice’s chip does following: If no nap, output A 1, A 2, A 3, etc. with Alice’s identity If Alice has taken a nap, then flip to Bob’s identity, i.e., output A 1, A 2 … B 1, B 2

18 Suppose we detect this covert channel X18 Ultra CC-Detector TM A1A1 A2A2 No CC B1B1 Yes, CC

19 Now if there really is a user Bob, we have a problem... X18 Ultra CC-Detector TM A1A1 A2A2 No CC

20 Alice followed by Bob yields “Yes” X18 Ultra CC-Detector TM A1A1 B1B1 Yes, CC

21 BobAlice Privacy is broken: We can distinguish between identities! X18 Ultra CC-Detector TM Yes X18 Ultra CC-Detector TM No

22 So public CC-verifiability + privacy is impossible But we can achieve it anyway… Idea: change the definition of privacy –Weaken localized privacy, e.g., eliminate privacy across pairwise values –Allow localized CC-checking, e.g., pairwise –Localized privacy is least important type of privacy Now we can do spot CC-checking… A1A1 A2A2 A3A3 A4A4 A5A5 A6A6 A7A7 A8A8 A9A9 X18 Ultra CC-Detector TM yes / no

23 So public CC-verifiability + privacy is impossible Now let’s show how to achieve it anyway… Idea: change the definition of privacy –Weaken localized privacy, e.g., eliminate privacy across pairwise values –Allow localized CC-checking, e.g., pairwise –Localized privacy is least important type of privacy Now we can do spot CC-checking… A1A1 A2A2 A3A3 A4A4 A5A5 A6A6 A7A7 B1B1 B2B2 X18 Ultra CC-Detector TM yes / no

24 So public CC-verifiability + privacy is impossible Now let’s show how to achieve it anyway… Idea: –Weaken privacy definition to exclude localized privacy, e.g., privacy across pairwise values –Allow localized CC-checking, e.g., pairwise –Localized privacy is least important type of privacy Now we can do spot CC-checking… A1A1 A2A2 A3A3 A4A4 A5A5 A6A6 A7A7 A8A8 A9A9 ???

25 Still a difficult problem Constructing a deterministic sequence whose values are: –Publicly, pairwise verifiable –Otherwise unlinkable Again, use bilinear maps (with non- standard hardness assumption…) We have only solved the problem of covert channels in explicit logical-layer problem –Timing or power side-channel?

26 Wrapping up

27 Key Idea 1 Tracking privacy is futile –(Unless you’re looking to publish papers) Content privacy is still important

28 Key Idea 2 EPC tags can’t do crypto Some tags can do crypto, but key management remains hard –Crypto is not a cure-all!

29 Key Idea 3 RFID is an amorphous label Also exciting research to be done on: –CRFID –NFC –Implantable medical devices –Etc., etc.

30 Some noteworthy results Extraction of kill PINs from first-generation EPC tags via remote power analysis –Oren & Shamir ’07 Breaks of Philips Mifare (of which billions of chips have been sold) –Garcia et al. ’08 –Courtois et al. ’08 Implemented relay attacks –Kfir & Wool ’05 On-tag crypto implementation –Chae et al. ‘07 See Gildas Avoine’s excellent RFID Security & Privacy bibliography at http://www.avoine.net/rfid/

31 List of referenced papers K. Koscher, A. Juels, V. Brajkovic, and T. Kohno: EPC RFID Tag Security Weaknesses and Defenses: Passport Cards, Enhanced Drivers Licenses, and Beyond. ACM CCS '09.EPC RFID Tag Security Weaknesses and Defenses: Passport Cards, Enhanced Drivers Licenses, and Beyond A. Juels, B. Parno, and R. Pappu. Unidirectional Key Distribution Across Time and Space with Applications to RFID Security. USENIX Security. 2008.Unidirectional Key Distribution Across Time and Space with Applications to RFID Security D. Bailey, D. Boneh, E.-J. Goh, and A. Juels. Covert Channels in Privacy- Preserving Identification Systems. ACM CCS ’07.Covert Channels in Privacy- Preserving Identification Systems A. Juels, P. Syverson, and D. Bailey. High-Power Proxies for Enhancing RFID Privacy and Utility. PET ’05.High-Power Proxies for Enhancing RFID Privacy and Utility. S. Bono et al. Security Analysis of a Cryptographically-Enabled RFID Device. USENIX Security ’05.Security Analysis of a Cryptographically-Enabled RFID Device A. Juels and J. Brainard. Soft Blocking: Flexible Blocker Tags on the Cheap. WPES ’04.Soft Blocking: Flexible Blocker Tags on the Cheap A. Juels, R. L. Rivest, and M. Szydlo. The Blocker Tag: Selective Blocking of RFID Tags for Consumer Privacy. ACM CCS '03.The Blocker Tag: Selective Blocking of RFID Tags for Consumer Privacy

Download ppt "Introduction to RFID Security and Privacy Ari Juels Chief Scientist RSA, The Security Division of EMC RFIDSec 2011 Tutorial All slides © 2011, RSA Laboratories."

Similar presentations

An Introduction to Pairing Based Cryptography Dustin Moody October 31, 2008.

An Introduction to Pairing Based Cryptography Dustin Moody October 31, 2008.
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.

RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.
Physical Unclonable Functions and Applications

Physical Unclonable Functions and Applications
RFID and SECURITY All slides © 2008 RSA Laboratories.

RFID and SECURITY All slides © 2008 RSA Laboratories.
Receipt-free Voting Joint work with Markus Jakobsson, C. Andy Neff Ari Juels RSA Laboratories.

Receipt-free Voting Joint work with Markus Jakobsson, C. Andy Neff Ari Juels RSA Laboratories.
Reusable Anonymous Return Channels

Reusable Anonymous Return Channels
Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.

Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.
 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.

 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
UMBC Protocol Meeting 10/01/03 Universal Re-encryption: For Mix-Nets and Other Applications (to appear CT-RSA ’04) Paul Syverson NRL Markus Jakobsson Ari.

UMBC Protocol Meeting 10/01/03 Universal Re-encryption: For Mix-Nets and Other Applications (to appear CT-RSA ’04) Paul Syverson NRL Markus Jakobsson Ari.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Similar presentations

Ads by Google