Presentation is loading. Please wait.

Presentation is loading. Please wait.

Feasible Privacy for Lightweight RFID Systems David Evans work with Karsten Nohl University of Virginia SPAR Seminar Johns Hopkins University 17 October.

Published byGeorgina Beasley Modified over 8 years ago

Similar presentations

Presentation on theme: "Feasible Privacy for Lightweight RFID Systems David Evans work with Karsten Nohl University of Virginia SPAR Seminar Johns Hopkins University 17 October."— Presentation transcript:

1 Feasible Privacy for Lightweight RFID Systems David Evans work with Karsten Nohl University of Virginia SPAR Seminar Johns Hopkins University 17 October 2007

2 2 www.cs.virginia.edu/evans/talks/spar07 UPC Bar CodeEPC Gen 2 RFID Identities8-12 digits (product identity) 64-128 bits (item identity) ReadingOptical ScannerWireless Reader Tag CostInk, Paper ($0.00001?) Circuit, Antenna ($0.05)

3 3 www.cs.virginia.edu/evans/talks/spar07 Photo by Bill Bryant Protest at Texas Wal-Mart

4 4 www.cs.virginia.edu/evans/talks/spar07 “More-Efficient Mugging” From Ari Juels USENIX Security 2004 talk http://www.usenix.org/events/sec04/tech/slides/juels.htm “Just in case you want to know, she’s got 700 Euro and 8 World Cup tickets…”

5 5 www.cs.virginia.edu/evans/talks/spar07 Realistic Threats Corporate Espionage Profiling/Tracking

6 6 www.cs.virginia.edu/evans/talks/spar07 RFID Shield ($9.99) Tin Foil Solutions for Paranoids

7 7 www.cs.virginia.edu/evans/talks/spar07 Basic Hash Protocol key: K nonce: R R, HK(R)R, HK(R) N tags N hashes Stephen Weis, Sanjay Sarma, Ronald Rivest, and Daniel Engels. Security in Pervasive Computing, March 2003

8 8 www.cs.virginia.edu/evans/talks/spar07 Scalability Privacy Robustness Basic Hash Protocol YA-TRAP [Tsudik 06] Tree-Hash Protocol Insubvertible Encryption [Ateniese, Camenisch, de Medeiros CCS 2005]

9 9 www.cs.virginia.edu/evans/talks/spar07 Tree-Hash Protocol k 1,1 k 2,0 k 2,1 k 2,2 k 2,3 T1T1 T2T2 T3T3 T4T4 k 1,0 Basic Hash Protocol at each level Reader computes up to b log b N hashes David Molnar and David Wagner. CCS 2004.

10 10 www.cs.virginia.edu/evans/talks/spar07 Analysis of Tree Protocol Attacker wants traces of individuals Attacker can easily acquire tags and break their secrets Assume no side channels: only protocol layer leaks Assume a good cryptographic hash function –Second part of the talk is about whether this is reasonable

11 11 www.cs.virginia.edu/evans/talks/spar07 Shared Secrets 3 n Group of n tags Stolen secret Broken tag 12 48 192 Each broken tag enables attacker to group intercepted tags using shared secrets Information theoretic measure of privacy based on the group size

12 12 www.cs.virginia.edu/evans/talks/spar07 Groups and Leakage

13 13 www.cs.virginia.edu/evans/talks/spar07 Cost Trade-Off

14 14 www.cs.virginia.edu/evans/talks/spar07 Low-Leakage Tree Protocol Avoid small groups Leads to two-level tree for systems with billions of tags Opposite of originally proposed binary tree … ……… Reader computes up to  N hashes 1B tags ~ 31K hashes

15 15 www.cs.virginia.edu/evans/talks/spar07 Tree-Hash Protocol Feasible? Random Number Hash function (rest of this talk...) An RN16 drawn from a Tag’s RNG... shall not be predictable with a probability greater than 0.025% if the outcomes of prior draws from the RNG, performed under identical conditions, are known. EPC Class 1 Gen 2 Standard ~12 good bits out of 16

16 16 www.cs.virginia.edu/evans/talks/spar07 Implementing Hash Functions 10k gates SHA-256 4k gates AES 2k gates RFID tag Power consumption scales with gates, not “Moore’s Law”. Reading distance is inverse square-cube of power needed.

17 17 www.cs.virginia.edu/evans/talks/spar07 Cryptographic Hash Functions Pre-image resistance –Given H(x) it is hard to find x Second pre-image resistance –Given y hard to find x such that H(x) = y Collision resistance –Hard to find x and y such that H(x) = H(y) Not necessary for privacy! Hardest Not sufficient for privacy!

18 18 www.cs.virginia.edu/evans/talks/spar07 Non-Private Strong Hash H(x) = G(x) || x where G is a strong, cryptographic hash function

19 19 www.cs.virginia.edu/evans/talks/spar07 Private Hash Function H(R,K) R : (non-secret) nonce K : key shared with reader Correctness: given H(R,K), R, and key set easy to find K Privacy: given a set of tuples it is hard to identify two tuples generated by the same key (without knowing key set)

20 20 www.cs.virginia.edu/evans/talks/spar07 Abstract Design D(r, k) is a “Distortion Function” with: Even output distribution Black-box function with poly-time reversing oracle that outputs set of k ’s producing a given output H(R, K) = D(R 1, K 1 )  …  D(R n, K n ) where R = R 1 || … || R n K = K 1 || … || K n independent nonce/key shares

21 21 www.cs.virginia.edu/evans/talks/spar07 Security Argument: 2-split X = D(R 1, K 1 )  D(R 2, K 2 ) …… K 1 =0 K 1 =1 K 1 = 2 n/2 -1 Precompute one sideTry values to find match  Brute force attack:  (2 n ) Meet-in-middle attack:  (2 n/2 ) space, time n = total key bits, divided between K 1 and K 2

22 22 www.cs.virginia.edu/evans/talks/spar07 Concrete Abstract Design 3-split: D(R 1, K 1 )  D(R 2, K 2 )  D(R 3, K 3 ) Implementable Distortion Function –Even output distribution oBlack-box function with reverse oracle  Implementable function such that attacker cannot find correlations: no easier way to break than by finding the intermediate values

23 23 www.cs.virginia.edu/evans/talks/spar07 CRC Cyclic Redundancy Check Already required on EPC tags Designed [Peterson, 1961] to be easy to implement in hardware, error- checking code (no crypto goals) CRC g (X) = remainder of polynomial division X by g in GF(2)

24 24 www.cs.virginia.edu/evans/talks/spar07 Implementing CRC … data input generator input  

25 25 www.cs.virginia.edu/evans/talks/spar07 Attempted CRC Privacy Protocol Fixed (standard) generator polynomial K changes when updated by legitimate reader Nguyen Duc, Park, Lee, and Kim. Enhancing Security of EPCglobal Gen-2 RFID Tag against Traceability and Cloning. Symposium on Cryptography and Information Security, 2006.

26 26 www.cs.virginia.edu/evans/talks/spar07 CRC Properties

27 27 www.cs.virginia.edu/evans/talks/spar07 CRC Does Not Provide Privacy If two readings were from same tag: 0 Otherwise, non-zero (with high probability)

28 28 www.cs.virginia.edu/evans/talks/spar07 Private Hash Function Distortion Function Required Properties Confusion: changing one input bit flips each output bit with probability ½ Diffusion: changing one generator bit flips each output bit with probability ½ Even distribution: all outputs are equally likely Complexity: hard to correlate better than black box D(R 1, K 1 )  D(R 2, K 2 )  D(R 3, K 3 )

29 29 www.cs.virginia.edu/evans/talks/spar07 Proof Sketches Confusion and Diffusion –Requires: Hamming weight of generator is ½ length –Proof: Follow bit probabilities through CRC Even Distribution –CRC provides even outputs over [0,g-1] But not over all output bits –To get approximately even distribution: use only i low-order output bits, and combine outputs (second is reversed)

30 30 www.cs.virginia.edu/evans/talks/spar07 Attacks on Complexity Most known crypto attacks don’t apply No chosen plaintext makes differential/linear cryptanalysis infeasible –Recall assumption: if attacker has physical access they can just extract key Statistical Attacks (e.g., distinguishing attacks) fail because output is evenly distributed and no state is kept

31 31 www.cs.virginia.edu/evans/talks/spar07 Algebraic Attacks Create and solve system of equations for bits Successfully break many stream ciphers (and some block ciphers) Even partial knowledge of single key bit can weaken privacy No general defense exists

32 32 www.cs.virginia.edu/evans/talks/spar07 3-bit CRC Complexity + k1k1 ++ k2k2 k3k3 k4k4 k5k5 k6k6 g3g3 g2g2 g1g1 k1k1 k1k1 g1g1 g2g2 g3g3 k2(g1k1)k2(g1k1) k3(g2k1)k3(g2k1) k4(g3k1)k4(g3k1) k1g1g2  k1g3  k2g2  k4k1g1g2  k1g3  k2g2  k4 k1g1g2  k1g1g3  k2g1g2  k1g2  k2g3  k3g2  k5k1g1g2  k1g1g3  k2g1g2  k1g2  k2g3  k3g2  k5 After 5 shifts:

33 33 www.cs.virginia.edu/evans/talks/spar07 Algebraic Attacks Difficulty depends on complexity: –Degree determines feasibility of linear system solving –Density determines possibility for simplifications Degree > 6 considered practically unsolvable [Courtois and Meier, EuroCrypt 2003]

34 34 www.cs.virginia.edu/evans/talks/spar07 Shifting 250 times provides sufficient degree (key + 0s) Distortion Complexity

35 35 www.cs.virginia.edu/evans/talks/spar07 Implementation CRC with fixed generator already included on tags (required by EPC Class 1 standard) Extend to support variable generator: 130 gates (355 total GE) –Smallest known AES: 3400 gates Reader: simple implementation can do 10x (AES) - 40x (SHA-256) as many hashes as alternatives

36 36 www.cs.virginia.edu/evans/talks/spar07 Summary Cheap RFIDs are expensive bar codes, not little computers –Can’t do division, encryption, cryptographic hashing, etc. Privacy does not require strong crypto hashing –Very simple, inexpensive functions may be sufficient for privacy

37 37 www.cs.virginia.edu/evans/talks/spar07 “We cannot even answer the most basic questions because we don’t know enough about you. That is the most important aspect of Google’s expansion.” Eric Schmidt (Google’s CEO) May 2007

38 38 www.cs.virginia.edu/evans/talks/spar07 For more information: evans@cs.virginia.edu http://www.cs.virginia.edu/evans Karsten Nohl and David Evans. Private Hash Functions: Lightweight Protection for RFID Systems. (In submission, request by email) Karsten Nohl and David Evans. Optimizing Secret Trees for Privacy. (In submission, request by email) Karsten Nohl and David Evans. Quantifying Information Leakage in Tree-Based Hash Protocols. ICICS 2006.

Download ppt "Feasible Privacy for Lightweight RFID Systems David Evans work with Karsten Nohl University of Virginia SPAR Seminar Johns Hopkins University 17 October."

Similar presentations

Noise, Information Theory, and Entropy (cont.) CS414 – Spring 2007 By Karrie Karahalios, Roger Cheng, Brian Bailey.

Noise, Information Theory, and Entropy (cont.) CS414 – Spring 2007 By Karrie Karahalios, Roger Cheng, Brian Bailey.
Computer Interfacing and Protocols

Computer Interfacing and Protocols
CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
LINEAR FEEDBACK SHIFT REGISTERS, GALOIS FIELDS, AND STREAM CIPHERS Mike Thomsen Cryptography II May 14 th, 2012.

LINEAR FEEDBACK SHIFT REGISTERS, GALOIS FIELDS, AND STREAM CIPHERS Mike Thomsen Cryptography II May 14 th, 2012.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Class 25: Security through Complexity? Karsten Nohl cs302: Theory of Computation University of Virginia, Computer Science PS6 is due today. Lorenz cipher.

Class 25: Security through Complexity? Karsten Nohl cs302: Theory of Computation University of Virginia, Computer Science PS6 is due today. Lorenz cipher.
Sri Lanka Institute of Information Technology

Sri Lanka Institute of Information Technology
Stream ciphers 2 Session 2. Contents PN generators with LFSRs Statistical testing of PN generator sequences Cryptanalysis of stream ciphers 2/75.

Stream ciphers 2 Session 2. Contents PN generators with LFSRs Statistical testing of PN generator sequences Cryptanalysis of stream ciphers 2/75.
Cryptography and Network Security Chapter 3

Cryptography and Network Security Chapter 3
CS457 – Introduction to Information Systems Security Cryptography 1b Elias Athanasopoulos

CS457 – Introduction to Information Systems Security Cryptography 1b Elias Athanasopoulos
David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 11: Birthday Paradoxes.

David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 11: Birthday Paradoxes.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea 34901784 443099

Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea
First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown and edited by Archana Chidanandan Cryptographic Tools.

First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown and edited by Archana Chidanandan Cryptographic Tools.
CSE331: Introduction to Networks and Security Lecture 21 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 21 Fall 2002.
Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.

Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.

ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

Similar presentations

Ads by Google