1 department of computer science university of virginia new directions in reliability, security and...

Department of Computer Science, University of Virginia: New Directions in Reliability, Security and Privacy in Radio Frequency Identification Systems. Leonid Bolotnyy [email protected] www.cs.virginia.edu/~lb9xk; Gabriel Robins [email protected] www.cs.virginia.edu/robins

Upload: andra-mitchell

Post on 24-Dec-2015


Page 1

Department of Computer Science

University of Virginia

New Directions in Reliability, Security and Privacy

in Radio Frequency Identification Systems

Leonid Bolotnyy

[email protected] www.cs.virginia.edu/~lb9xk

Gabriel Robins

[email protected] www.cs.virginia.edu/robins

Page 2

Talk Outline

• Introduction to RFID
• Reliable Object Identification
  – Multi-Tag RFID Systems
• Physical Security and Privacy
  – PUF-Based Algorithms
• Inter-Tag Communication
  – Generalized Yoking-Proofs
• Common Themes and Conclusion


Page 4

General RFID System

[Diagram labels: Tags, Reader, Local Server, Tag ID]

Page 5

Introduction to RFID

• Tag types: passive, semi-passive, active
• Frequencies: Low (125KHz), High (13.56MHz), UHF (915MHz)
• Coupling methods: inductive coupling, backscatter coupling

[Figure labels: reader, antenna, signal]

Page 6

RFID History

[Timeline figure; years shown: 1935, 1960, 1973, 1999, 1999, 2004, 2006]

What’s next?


Page 8

Obstacles of Reliable Identification

• Bar-codes vs. RFID
  – line-of-sight
  – scanning rate
• Object detection obstacles
  – radio noise is ubiquitous
  – liquids and metals are opaque to RF
    • milk, water, juice
    • metal-foil wrappers
  – temperature and humidity
  – objects/readers moving speed
  – object occlusion
  – number of objects grouped together
  – tag variability and receptivity
  – tag aging

Page 9

Case Studies

• Defense Logistics Agency trials (2001)
  – 3% of moving objects did not reach destination
  – 20% of tags recorded at every checkpoint
  – 2% of a tag type detected at 1 checkpoint
  – some tags registered on arrival but not departure
• Wal-Mart experiments (2005)
  – 90% tag detection at case level
  – 95% detection on conveyor belts
  – 66% detection inside fully loaded pallets

Page 10

Multi-Tag RFID

Use Multiple tags per object to increase reliability of object detection/identification

Page 11

The Power of an Angle

• Inductive coupling: $\text{distance} \sim (\text{power})^{1/6}$
• Far-field propagation: $\text{distance} \sim (\text{power})^{1/2}$

[Figure: bar chart of expected angle (degrees) against # of tags (1, 2, 3, 4); bar values shown: 61.86, 47.98, 58.11, 32.7]

22

1 20 0

180 1[ , ]sin( )

2

Max d d

22

0 0

180 1( )sin( )

2 2

d d

• Optimal Tag Placement: [figure: tags numbered 1 to 4, B-field, angle β]

$\text{power} \sim \sin^2(\beta)$

Page 12

Equipment and Setup

• Setup
  – empty room
  – 20 solid non-metallic & 20 metallic and liquid objects
  – tags positioned perpendicular to each other
  – tags spaced apart
  – software drivers
• Equipment

[Equipment photos with quantity labels: x1, x1, x8, x4, x100’s, x100’s]

Page 13

Experiments

• Read all tags in reader’s field
• Randomly shuffle objects
• Compute average detection rates
• Variables
  – reader type
  – antenna type
  – tag type
  – antenna power
  – object type
  – number of objects
  – number of tags per object
  – tags’ orientation
  – tags’ receptivity

Page 14

Linear Antennas

[Chart: Antenna Pair #1, Power = 31.6dBm; detection probability (0 to 1) vs. object number (1 to 20)]

1 Tag: 58%
2 Tags: 79%
3 Tags: 89%
4 Tags: 93%

Page 15

Circular Antennas

[Chart: Antenna Pair #1, Power = 31.6dBm; detection probability (0.3 to 1) vs. object number (1 to 20)]

1 Tag: 75%
2 Tags: 94%
3 Tags: 98%
4 Tags: 100%

Page 16

Linear Antennas vs. Multi-tags

[Chart: Power = 31.6dBm; detection probability (0 to 1) vs. object number (1 to 20)]

1 Reader, 1 Tag: 58.0%
2 Readers, 1 Tag: 64.9%
1 Reader, 2 Tags: 79.3%
2 Readers, 2 Tags: 84.5%

Δ labels on the chart: 21.3%, 19.8%, 5.2%, 14.4%, 6.9%

Page 17

Importance of Tag Orientation

Column headers as extracted: 1 Tag, 2 Tags, 1 Tag, 2 Tags; Circular, Linear

180-same: 0.55 0.37
180-diff: 0.74 0.52
90-same: 0.67 0.52
90-diff: 0.80 0.63

Other values on the slide: 0.47, 0.33; 21%, -7%, 12%, 25%

Page 18

Detection in Presence of Metals & Liquids

[Chart: Circular Antenna; detection probability (0 to 1) vs. number of tags (1 to 4); series: Power=31.6dBm, No Liquids/Metals; Power=31.6dBm, With Liquids/Metals; Power=27.6dBm, No Liquids/Metals; Power=27.6dBm, With Liquids/Metals]

• Decrease in solid/non-liquid object detection
• Significant at low power
• Similar results for linear antennas

Page 19

Varying Number of Objects

Experiment 1: 15 solid non-metallic & 15 liquids and metals

Experiment 2: 20 solid non-metallic & 20 liquids and metals

[Chart: Effect of the Number of Objects on Detection Probability; detection probability (0 to 0.9) for 1 Tag, 2 Tags, 3 Tags with 1 Antenna, 2 Antennas, 3 Antennas, 4 Antennas; series: 15/15 experiment, 20/20 experiment]

Metals & Liquids; ∆: 3%-13%

Page 20

Applications of Multi-Tags

• Reliability
• Availability
• Safety
• Localization

Page 21

More Applications

• Tagging Bulk Materials
• Packaging
• Theft Prevention
• Security

Page 22

Economics of Multi-Tags

[Chart: Passive Tag Cost Trend; tag cost ($0.00 to $1.00) by year; series: Historical Cost, Prediction Cost]

Year  Cost
2001  $1.04
2002  $0.81
2003  $0.45
2004  $0.19
2005  $0.13
2006  $0.08
2007  $0.06
2008  $0.05
2011  $0.01

• Rapid decrease in passive tag cost
• 5 cent tag expected in 2008
• 1 penny tag in a few years

Page 23

Cost Trends

[Figure: cost trends; axis: Time]

Page 24

Multi-Tag Conclusion

• Unreliability of object detection
  – radio noise is ubiquitous
  – liquids and metals are opaque to RF
    • milk, water, juice
    • metal-foil wrappers
  – temperature and humidity
  – objects/readers moving speed
  – object occlusion
  – number of objects grouped together
  – tag variability and receptivity
  – tag aging
• Many useful applications
• Favorable economics

[Chart: tag cost ($0.00 to $1.00) by year, 2001 to 2011; series: Historical Cost, Prediction Cost]


Page 26

Motivation

• Digital crypto implementations require 1000’s of gates
• Low-cost alternatives
  – Pseudonyms / one-time pads
  – Low complexity / power hash function designs
  – Hardware-based solutions

algorithm  # of gates
MD4        7350
MD5        8400
SHA-256    10868
Yuksel     1701
AES        3400

Page 27

PUF-Based Security

• Physical Unclonable Function [Gassend et al 2002]
• PUF security is based on
  – wire delays
  – gate delays
  – quantum mechanical fluctuations
• PUF characteristics
  – uniqueness
  – reliability
  – unpredictability
• PUF assumptions
  – Infeasible to accurately model PUF
  – Pair-wise PUF output-collision probability is constant
  – Physical tampering will modify PUF

Page 28

Individual Privacy in RFID

• Privacy

[Figure: locations A, B, C; caption “Alice was here: A, B, C”; label: privacy]

Page 29

Hardware Tampering Privacy Models

Allow adversary to tamper with tag’s memory

1. Restrict memory tampering functions - allow bit flips
2. Purely physical privacy - no digital secrets
3. Detect privacy compromise - detect PUF modification

Cannot provide privacy without restricting adversary - simple secret overwrite allows tag tracking

[Figure labels: read-proof, tamper-proof]

Page 30

Private Identification Algorithm

• Assumptions
  – no denial of service attacks (e.g., passive adversaries, DoS detection/prevention mechanisms)
  – physical compromise of tags not possible
• It is important to have
  – a reliable PUF
  – no loops in PUF chains
  – no identical PUF outputs

[Protocol figure labels: Request, ID, p(ID), ID]

Database:

$ID_1, p(ID_1), p^2(ID_1), \ldots, p^k(ID_1)$
...
$ID_n, p_n(ID_n), p_n^2(ID_n), \ldots, p_n^k(ID_n)$
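The PUF-chain lookup on this slide, written out as an added example (not code from the talk). It assumes the tag answers each request with its current ID and then replaces it with p(ID), simulates the PUF with HMAC under a per-device random value, and rejects chain positions already used; all class names are hypothetical.

```python
import hashlib
import hmac
import secrets


class SimulatedPUF:
    """Stand-in for a physical PUF (assumption): HMAC under a per-device random value."""

    def __init__(self, out_bytes=8):
        self._variation = secrets.token_bytes(16)  # models manufacturing variation
        self._out_bytes = out_bytes

    def __call__(self, challenge: bytes) -> bytes:
        digest = hmac.new(self._variation, challenge, hashlib.sha256).digest()
        return digest[:self._out_bytes]


class Tag:
    """Tag that reveals its current ID, then steps to p(ID) (assumed reading of the figure)."""

    def __init__(self, initial_id: bytes, puf: SimulatedPUF):
        self._id = initial_id
        self._puf = puf

    def respond(self) -> bytes:
        current = self._id
        self._id = self._puf(current)
        return current


class Database:
    """Back end holding ID, p(ID), p^2(ID), ..., p^k(ID) for every enrolled tag."""

    def __init__(self):
        self._index = {}     # chain value -> (tag name, position in chain)
        self._next_pos = {}  # tag name -> lowest position still accepted

    def enroll(self, name, initial_id, puf, k):
        # Enrollment queries the tag's PUF in a trusted setting before deployment.
        chain = [initial_id]
        for _ in range(k):
            chain.append(puf(chain[-1]))
        if len(set(chain)) != len(chain):
            raise ValueError("loop in PUF chain")
        if any(value in self._index for value in chain):
            raise ValueError("identical PUF output already stored for another tag")
        for pos, value in enumerate(chain):
            self._index[value] = (name, pos)
        self._next_pos[name] = 0

    def identify(self, value):
        hit = self._index.get(value)
        if hit is None:
            return None          # unknown value, or chain of k steps exhausted
        name, pos = hit
        if pos < self._next_pos[name]:
            return None          # position already consumed (added replay check)
        self._next_pos[name] = pos + 1
        return name


if __name__ == "__main__":
    db = Database()
    puf = SimulatedPUF()
    db.enroll("pallet-17", b"constructed-id", puf, k=3)   # constructed sample data
    tag = Tag(b"constructed-id", puf)
    for _ in range(5):
        print(db.identify(tag.respond()))
```

Storing the whole chain is what lets the back end still recognise a tag whose ID advanced because someone else queried it in between.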

Page 31

PUF-Based Ownership Transfer

• Ownership Transfer
• To maintain privacy we need
  – ownership privacy
  – forward privacy
• Physical security is especially important
• Solutions
  – public key cryptography (expensive)
  – knowledge of owners sequence
  – short period of privacy
  – trusted authority

Page 32

PUF-Based MAC Algorithms

• MAC based on PUF
  – Motivation: “yoking-proofs”, signing sensor data
  – large keys (PUF is the key)
  – cannot support arbitrary messages
• MAC = (K, τ, υ)
• valid signature σ : υ(M, σ) = 1
• forged signature σ’ : υ(M’, σ’) = 1, M ≠ M’
• Assumptions
  – adversary can adaptively learn poly-many (m, σ) pairs
  – signature verifiers are off-line
  – tag can store a counter (to timestamp signatures)

[Figure labels: K, K]

Page 33

Large Message Space

Key: PUF

$\sigma(m) = c, r_1, \ldots, r_n, p_c(r_1, m), \ldots, p_c(r_n, m)$

Assumption: tag can generate good random numbers (can be PUF-based)

Signature verification
• requires tag’s presence
• password-based or in radio-protected environment (Faraday Cage)
• learn $p_c(r_i, m)$, $1 \le i \le n$
• verify that the desired fraction of PUF computations is correct

To protect against hardware tampering
• authenticate tag before MAC verification
• store verification password underneath PUF
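The large-message-space signature and its threshold verification, as an added example (not code from the talk). The PUF is simulated with HMAC under a per-device random value, the names are hypothetical, the "desired fraction" is passed as a percentage, and `corrupt` models unreliable PUF evaluations by altering stored outputs.

```python
import hashlib
import hmac
import secrets


class SimulatedTag:
    """Tag whose PUF is simulated by HMAC under a per-device random value (assumption)."""

    def __init__(self):
        self._variation = secrets.token_bytes(16)  # models manufacturing variation
        self.counter = 0                           # tag-stored counter c

    def puf(self, c: int, r: bytes, m: bytes) -> bytes:
        """p_c(r, m): PUF output for counter c, random value r and message m."""
        data = c.to_bytes(8, "big") + len(r).to_bytes(2, "big") + r + m
        return hmac.new(self._variation, data, hashlib.sha256).digest()[:8]

    def sign(self, m: bytes, n: int):
        """sigma(m) = c, r_1..r_n, p_c(r_1, m)..p_c(r_n, m); the counter then advances."""
        c = self.counter
        self.counter += 1
        rs = [secrets.token_bytes(8) for _ in range(n)]
        return c, rs, [self.puf(c, r, m) for r in rs]


def verify(tag: SimulatedTag, m: bytes, signature, min_percent: int) -> bool:
    """Re-query the physically present tag and accept if enough outputs agree."""
    c, rs, outputs = signature
    if not rs or len(rs) != len(outputs):
        return False
    correct = sum(
        hmac.compare_digest(tag.puf(c, r, m), out) for r, out in zip(rs, outputs)
    )
    return correct * 100 >= min_percent * len(rs)


def corrupt(outputs, count):
    """Alter the first `count` outputs, standing in for unreliable PUF evaluations."""
    return [
        bytes([o[0] ^ 0xFF]) + o[1:] if i < count else o
        for i, o in enumerate(outputs)
    ]


if __name__ == "__main__":
    tag = SimulatedTag()
    message = b"temp=21C"                      # constructed sample sensor reading
    c, rs, outs = tag.sign(message, n=10)
    print("genuine:", verify(tag, message, (c, rs, outs), 90))
    print("1 of 10 wrong:", verify(tag, message, (c, rs, corrupt(outs, 1)), 90))
    print("2 of 10 wrong:", verify(tag, message, (c, rs, corrupt(outs, 2)), 90))
    print("other message:", verify(tag, b"temp=99C", (c, rs, outs), 90))
    print("other tag:", verify(SimulatedTag(), message, (c, rs, outs), 90))
```

The verifier holds no key of its own: it can only check a signature by re-evaluating the PUF on the tag itself, which is why the slide lists the tag's presence as a requirement.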

Page 34

Small Message Space

Assumption: small and known a priori message space

$Key[p, m_i, c] = c, p_c^{(1)}(m_i), \ldots, p_c^{(n)}(m_i)$

[Labels on Key[p, m_i, c]: PUF, message, counter]

$\sigma(m) = c, p_c^{(1)}(m), \ldots, p_c^{(n)}(m), \ldots, c+q-1, p_{c+q-1}^{(1)}(m), p_{c+q-1}^{(n)}(m)$

[Figure label: sub-signature]

Verify that the desired number of sub-signatures are valid

PUF reliability is again crucial

Page 35

Attacks on MAC Protocols

[Figure labels: original, clone]

• Impersonation attacks
  – manufacture an identical tag
  – obtain (steal) existing PUFs
• Hardware-tampering attacks
  – physically probe wires to learn the PUF
  – physically read-off/alter keys/passwords
• Side-channel attacks
  – algorithm timing
  – power consumption
• Modeling attacks
  – build a PUF model to predict PUF’s outputs

Page 36

Conclusions and Future Work

Hardware primitive for RFID security

Identification, MAC, Ownership Transfer, and Tag Authentication Algorithms

• Properties:
  – Physical keys
  – Protect tags from physical attacks
  – New attack models
• Future Work:
  – Design new PUF
  – Manufacture and test PUF
  – Develop PUF theory
  – New attack models


Page 38

Inter-Tag Communication in RFID

• Idea: Heterogeneity in ubiquitous computing

• Applications:

Page 39

“Yoking-Proofs”

• Applications – verify that:
  – medicine bottle sold together with instructions
  – tools sold together with safety devices
  – matching parts were delivered together
  – several forms of ID were presented
• Problem Statement: Generate proof that a group of passive tags were identified nearly-simultaneously
• Key Observation: Passive tags can communicate with each other through reader
• Yoking: joining together / simultaneous presence of multiple tags

Page 40

Assumptions and Goals

• Assumptions
  – Tags are passive
  – Tags have limited computational abilities
  – Tags can compute a keyed hash function
  – Tags can maintain some state
  – Verifier is trusted and powerful
• Solution Goals
  – Allow readers to be adversarial
  – Make valid proofs improbable to forge
  – Allow verifier to verify proofs off-line
  – Detect replays of valid proofs
• Timer on-board a tag
  – Capacitor discharge can implement timeout

Page 41

Generalized “Yoking-Proof” Protocol

[Figure: tags numbered 1 to 5]

Anonymous Yoking: tags keep their identities private

Idea: construct a chain of mutually dependent MACs

Page 42

Related Work on “Yoking-Proofs”

• Saito and Sakurai [2005]
  – solution relies on timestamps generated by trusted database
  – violates original problem statement
  – one tag is assumed to be more powerful than the others
  – vulnerable to “future timestamp” attack
• Piramuthu [2006]
  – discusses inapplicable replay-attack problem of Juels’ protocol
  – independently observes the problem with Saito/Sakurai protocol
  – proposed fix only works for a pair of tags
  – violates original problem statement
• Juels [2004]
  – protocol is limited to two tags
  – no timely timer update (minor/crucial omission)


Page 44

Common Themes

[Figure labels: RFID; Multi-Tags; PUF-Based Security and Privacy; Generalized “Yoking-Proofs”]

Page 45

Conclusion and Future Research

• Contributions
• Future Research
  – More multi-tag tests
  – Object localization using multi-tags
  – Split tag functionality between tags
  – Prevent adversarial merchandise inventorization
  – PUF design
  – More examples of inter-tag communication
  – Applications of RFID

Page 46

Publications

• L. Bolotnyy and G. Robins, Multi-tag Radio Frequency Identification Systems, IEEE Workshop on Automatic Identification Advanced Technologies (Auto-ID), Oct. 2005.
• L. Bolotnyy and G. Robins, Randomized Pseudo-Random Function Tree Walking Algorithm for Secure Radio-Frequency Identification, IEEE Workshop on Automatic Identification Advanced Technologies (Auto-ID), Oct. 2005.
• L. Bolotnyy and G. Robins, Generalized “Yoking Proofs” for a Group of Radio Frequency Identification Tags, International Conference on Mobile and Ubiquitous Systems (Mobiquitous), San Jose, CA, July 2006.
• L. Bolotnyy and G. Robins, Physically Unclonable Function-Based Security and Privacy in RFID Systems, IEEE International Conference on Pervasive Computing and Communications (PerCom), New York, March 2007.
• L. Bolotnyy, S. Krize, and G. Robins, The Practicality of Multi-Tag RFID Systems, International Workshop on RFID Technology - Concepts, Applications, Challenges (IWRT), Madeira, Portugal, June 2007.
• L. Bolotnyy and G. Robins, The Case for Multi-Tag RFID Systems, International Conference on Wireless Algorithms, Systems and Applications (WASA), Chicago, Aug. 2007.
• L. Bolotnyy and G. Robins, Multi-Tag RFID Systems, International Journal of Internet and Protocol Technology, Special issue on RFID: Technologies, Applications, and Trends, 2(3/4), 2007.
• 1 conference and 1 journal paper in submission
• 2 invited book chapters in preparation
  Security in RFID and Sensor Networks, to be published by Auerbach Publications, CRC Press, Taylor & Francis Group

Page 47

More Successes

• Deutsche Telekom (largest in EU) offered to patent our multi-tags idea.
• Received $450,000 NSF Cyber Trust grant, 2007 (PI: Gabriel Robins).
• Technical Program Committee member: International Workshop on RFID Technology - Concepts, Applications, Challenges (IWRT), Barcelona, Spain, June 2008.
• Our papers and presentation slides used in lecture-based undergraduate/graduate courses (e.g., Rice University, George Washington University).


Page 49

Thank You!

Questions?

Dissertation Committee: Gabriel Robins (advisor), Dave Evans, Paul Reynolds, Nina Mishra, and Ben Calhoun

Stephen Wilson, Blaise Gassend, Daihyun Lim, Karsten Nohl, Patrick Graydon, and Scott Krize

[email protected] www.cs.virginia.edu/~lb9xk

Page 50

BACK UP SLIDES NOT USED DURING PRESENTATION

Page 51

Types of Multi-Tags

• Triple-Tags
• n-Tags
• Dual-Tags
  – Own Memory Only
  – Shared Memory Only
  – Own and Shared Memory
• Redundant Tags
• Complementary Tags

Page 52

Controlling Variables

1. Radio noise
2. Tag variability
3. Reader variability
4. Reader power level
5. Distance to objects & type, # of antennas

Page 53

Circular Antennas vs. Multi-Tags

[Chart: Power = 31.6dBm; detection probability (0.3 to 1) vs. object number (1 to 20)]

1 Reader, 1 Tag: 75.9%
2 Readers, 1 Tag: 91.0%
1 Reader, 2 Tags: 94.2%
2 Readers, 2 Tags: 99.4%

Δ labels on the chart: 18.3%, 8.4%, 5.2%, 3.2%, 15.1%

Page 54

Power

[Charts: Linear Antennas and Circular Antennas; detection probability (0 to 1) vs. power (dBm): 31.6, 30.6, 29.6, 28.6, 27.6, 26.6, 25.6; series: 1 Tag, 2 Tags, 3 Tags, 4 Tags]

• Decrease in detection with decrease in power
• More rapid decrease in detection for circular antennas

Page 55

Multi-Tags on Metals and Liquids

• Low detection probabilities
• Drop in detection at low power
• Linear antennas outperform circular
• Multi-tags better than multiple readers

[Chart: detection probability (0 to 0.9) vs. number of tags (1 Tag, 2 Tags, 3 Tags) for Antenna #1, Antenna #2, Antenna #1 and #2; series: Power=31.6dBm, Circular Antennas; Power=31.6dBm, Linear Antennas; Power=27.6dBm, Circular Antennas; Power=27.6dBm, Linear Antennas]

Page 56

Detection Delta

[Chart: Change in Detection Based on # of Antennas and Tags; change in detection probability (0 to 0.16) for 1 tag, 2 tags, 3 tags with 1 Antenna, 2 Antennas, 3 Antennas, 4 Antennas; value labels shown: 0.036, 0.030, 0.029, 0.014]

Page 57

Anti-Collision Algorithms

Algorithm | Redundant Tags | Connected-Tags
Binary | No Effect | No Effect
Binary Variant | No Effect | No Effect
Randomized | Linear Increase** | No Effect*
STAC | Causes DoS | No Effect*
Slotted Aloha | Linear Increase** | No Effect*

* Assuming tags communicate to form a single response
** If all tags are detected

Page 58

Business Case for RFID

• Costs & benefits (business case)
  – Moore’s law
  – higher employee productivity
  – automated business processes
  – workforce reduction
• Tag manufacturing yield and testing
  – 30% of chips damaged during manufacturing
  – 15% damaged during printing [U.S. GAO]
  – 20% tag failure rate in field [RFID Journal]
  – 5% of tags purchased marked defective

Page 59

RFID Tag Demand

• Demand drivers
  – tag cost
  – desire to stay competitive
• Cost effective tag design techniques
  – memory design (self-adaptive silicon)
  – assembly technology (fluidic self assembly)
  – antenna design (antenna material)

Increase in RFID tag demand

Decrease in RFID tag cost

Page 60

Thesis

Multi-tags can considerably improve reliability in RFID systems at a reasonable cost;

effective PUF implementations can enable hardware-tampering resistant algorithms for RFID security and privacy;

generalized yoking-proofs can provide auditing mechanisms for the near-simultaneous reading of multiple RFID tags.

Page 61

Related Work on PUF

• Optical PUF [Ravikanth 2001]
• Silicon PUF [Gassend et al 2002]
  – Design, implementation, simulation, manufacturing
  – Authentication algorithm
  – Controlled PUF
• PUF in RFID
  – Identification/authentication [Ranasinghe et al 2004]
  – Off-line reader authentication using public key cryptography [Tuyls et al 2006]

Page 62

Privacy Model

Experiment:

1. A passive adversary observes polynomially-many rounds of reader-tag communications with multiple tags
2. An adversary selects 2 tags
3. The reader randomly and privately selects one of the 2 tags and runs one identification round with the selected tag
4. An adversary determines the tag that the reader selected

Definition: The algorithm is privacy-preserving if an adversary cannot determine the reader-selected tag with probability substantially greater than ½

Theorem: Given random oracle assumption for PUFs, an adversary has no advantage in the above experiment.

Page 63

Improving Reliability of Responses

• Run PUF multiple times for same ID & pick majority

$$R(\mu, N, k) \ge \left(1 - \sum_{m=\frac{N+1}{2}}^{N} \binom{N}{m} \mu^m (1-\mu)^{N-m}\right)^k$$

where R is the overall reliability, μ the unreliability probability, N the number of runs and k the chain length

R(0.02, 5, 100) ≥ 0.992

• Create tuples of multi-PUF computed IDs & identify a tag based on at least one valid position value

(ID1, ID2, ID3)

$$S(\mu, q) = \sum_{i=1}^{\infty} i \left[\left(1 - (1-\mu)^{i+1}\right)^q - \left(1 - (1-\mu)^{i}\right)^q\right]$$

where S is the expected number of identifications and q the tuple size

S(0.02, 1) = 49, S(0.02, 2) = 73, S(0.02, 3) = 90

Page 64

Choosing # of PUF Computations

$\alpha < prob_v \le 1$ and $prob_f \le \beta \le 1$

$0 \le t \le n-1$

$$prob_v(n, t, \mu) = 1 - \sum_{i=t+1}^{n} \binom{n}{i} \mu^i (1-\mu)^{n-i}$$

$$prob_f(n, t, \tau) = 1 - \sum_{j=t+1}^{n} \binom{n}{j} \tau^j (1-\tau)^{n-j}$$

[Plot: $prob_v(n, 0.1n, 0.02)$ and $prob_f(n, 0.1n, 0.4)$]
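The bounds on the two slides above, evaluated numerically as an added example (not code from the talk): it reproduces the R and S figures quoted on the reliability slide and searches for the smallest n, with t = 0.1n rounded down, that meets the α and β constraints. Reading prob_v as acceptance of a genuine tag and prob_f as acceptance of a forgery, and the targets α = 0.99 and β = 0.01, are assumptions; the function names are hypothetical.

```python
from math import comb


def binomial_tail(n: int, start: int, p: float) -> float:
    """P(at least `start` of n independent trials occur), each with probability p."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(start, n + 1))


def chain_reliability(mu: float, N: int, k: int) -> float:
    """Lower bound R(mu, N, k): majority of N runs (N odd) is right at all k chain links."""
    majority_wrong = binomial_tail(N, (N + 1) // 2, mu)
    return (1 - majority_wrong) ** k


def expected_identifications(mu: float, q: int, terms: int = 5000) -> float:
    """S(mu, q), with the infinite sum truncated once its terms are negligible."""
    keep = 1 - mu
    return sum(
        i * ((1 - keep ** (i + 1)) ** q - (1 - keep**i) ** q)
        for i in range(1, terms + 1)
    )


def prob_accept(n: int, t: int, p: float) -> float:
    """1 - sum_{i=t+1}^{n} C(n,i) p^i (1-p)^(n-i): at most t of n computations wrong."""
    return 1 - binomial_tail(n, t + 1, p)


def smallest_n(alpha: float, beta: float, mu: float, tau: float, max_n: int = 2000):
    """Smallest n, with t = n // 10 as in the slide's plot, meeting both constraints."""
    for n in range(1, max_n + 1):
        t = n // 10
        prob_v = prob_accept(n, t, mu)    # assumed: genuine tag, error rate mu
        prob_f = prob_accept(n, t, tau)   # assumed: forgery, error rate tau
        if prob_v > alpha and prob_f <= beta:
            return n, t
    return None


if __name__ == "__main__":
    print("R(0.02, 5, 100) =", round(chain_reliability(0.02, 5, 100), 4))
    for q in (1, 2, 3):
        print(f"S(0.02, {q}) =", round(expected_identifications(0.02, q), 2))
    # alpha and beta below are constructed targets, not values from the slides
    print("smallest (n, t):", smallest_n(alpha=0.99, beta=0.01, mu=0.02, tau=0.4))
```

With t fixed, adding computations lowers prob_v, so the search only succeeds where t steps up; this is why n jumps in multiples of ten for small targets.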

Page 65

MAC Large Message Space Theorem

Given random oracle assumption for a PUF, the probability that an adversary could forge a signature for a message is bounded from above by the tag impersonation probability.

Page 66

MAC Small Message Space Theorem

Given random oracle assumption for a PUF, the probability that an adversary could forge a signature for a message is bounded by the tag impersonation probability times the number of sub-signatures.

Page 67

Purely Physical Ownership Transfer

oid = h(counter)

r1, a = hs(r0, r1)

r0, c1, ..., cn

(r1, a)

Challenges sent to tag in increasing order

counter = counter - 1

hs(r1, new)

• Properties:
  – All PUF computations must be correct
  – PUF-based random number generator
  – Physical write-once counter
  – oid is calculated for each identification
  – Inherently limited # of owners

s = poid(v1) ... poid(vn)

v1 = h(c1), ..., vn = h(cn)

++

Page 68

Using PUF to Detect and Restore Privacy of Compromised System

1. Detect potential tag compromise
2. Update secrets of affected tags

[Figure: tree of secrets with node labels s1,0 to s1,2, s2,0 to s2,5 and s3,0 to s3,10]

Page 69

PUF vs. Digital Hash Function

• Reference PUF: 545 gates for 64-bit input
  – 6 to 8 gates for each input bit
  – 33 gates to measure the delay
• Low gate count of PUF has a cost
  – probabilistic outputs
  – difficult to characterize analytically
  – non-unique computation
  – extra back-end storage
• Different attack target for adversaries
  – model building rather than key discovery
• Physical security
  – hard to break tag and remain undetected

algorithm  # of gates
MD4        7350
MD5        8400
SHA-256    10868
Yuksel     1701
PUF        545
AES        3400

Page 70

PUF Design

• Attacks on PUF
  – impersonation
  – modeling
  – hardware tampering
  – side-channel
• Weaknesses of existing PUF
• New PUF design
  – no oscillating circuit
  – sub-threshold voltage
• Compare different non-linear delay approaches

[Figure label: reliability]

Page 71

PUF Contribution and Motivation

Contribution
• Physical privacy models
• Privacy-preserving tag identification algorithm
• Ownership transfer algorithm
• Secure MAC algorithms
• Comparison of PUF with digital hash functions

Motivation
• Digital crypto implementations require 1000’s of gates
• Low-cost alternatives
  – Pseudonyms / one-time pads
  – Low complexity / power hash function designs
  – Hardware-based solutions

Page 72

Speeding Up The Yoking Protocol

[Figure label: starting / closing tags]

Idea: split cycle into several sequences of dependent MACs

Requires
– multiple readers or multiple antennas
– anti-collision protocol