New Directions in Detection, Security and Privacy for RFID
Leonid Bolotnyy and Gabriel Robins Department of Computer Science,
UVa Hello. Thank you for coming to my proposal presentation,
entitled New Directions in Detection, Security and Privacy for
RFID. Thesis Multi-tags, yoking-proofs, and physical unclonable
functions can improve reliability, security, and privacy in radio
frequency identification (RFID) systems. My one-sentence thesis
statement is Multi-Tags, Yoking-Proofs, and PUFs can improve
reliability, security, and privacy in RFID Systems. In the next 20
minutes I hope to convince you of this. Progress L. Bolotnyy and G.
Robins, Multi-Tag Radio Frequency Identification Systems, IEEE
Workshop on Automatic Identification Advanced Technologies
(AutoID), pp , 2005 L. Bolotnyy and G. Robins, Randomized
Pseudo-Random Function Tree Walking Algorithm for Secure Radio
Frequency Identification, IEEE Workshop on Automatic Identification
Advanced Technologies (AutoID), pp , 2005 L. Bolotnyy and G.
Robins, Generalized Yoking-Proofs for a Group of RFID Tags, IEEE
International Conference on Mobile and Ubiquitous Systems
(Mobiquitous), 2006 L. Bolotnyy and G. Robins, PUF-Based Security
and Privacy in RFID Systems, IEEE International Conference on
Pervasive Computing (PerCom), 2007 Several additional papers in
progress NSF Cyber Trust proposal (submitted January 2007) Deutsche
Telekom (largest in EU) offered to patent our multi-tags idea Our
progress to date is as follows. We published four refereed papers
in premier IEEE conferences with several more papers in
preparation. Our work has also formed the basis of an NSF Cyber
Trust proposal submitted last week. In addition, Deutsche Telekom,
the largest telecommunications company in the European Union, has
offered to patent our multi-tags idea for commercialization.
Introduction RFID Tags types:
passive semi-passive active Frequencies: Low (125KHz), High
(13.56MHz), UHF (915MHz) Coupling methods: Reader antenna signal
Inductive coupling Backscatter coupling I will start with a brief
introduction to RFID and its history. RFID stands for radio
frequency identification, which uses radio signals to uniquely
identify objects. An RFID System consists of readers, tags, and
back-end servers for information processing. There are three
general types of RFID tags: passive, semi-passive, and active.
Passive tags have no batteries on-board. They use power from the
reader for computation and for communication. Semi-passive tags
have batteries on-board, however the batteries are used for data
processing only. The power harvested from the reader is still used
for communication. Active tags have batteries on-board and they can
use them for both computations and communications. The three major
RFID frequencies are: low frequency of 125 kHz, high frequency of 13.56 MHz, and
ultra-high frequency of 915 MHz in the US. Two main coupling mechanisms are used
for reader-tag communication. In inductive coupling, the reader
creates a magnetic field between itself and the tag, and the tag
harvests the power from its field for its operation. In backscatter
coupling, or far-field propagation as it is sometimes called, the
reader sends a signal to the tag, which the tag backscatters back to
the reader. I placed several tags, readers and antennas on this
table; please feel free to play with them. History Radar invented -
1935 EAS invented - early 1960s
First RFID patent filed First RFID book published Auto-ID Center
formed RFID technology originated with Radar, which was invented in
1935. Electronic Article Surveillance was invented in the early
60s. In the 70s, the first patent on access control technology using
RFID was filed. In 1999 the first book on RFID was published. In
the same year, the Auto-ID Center was formed at MIT, for developing
protocols and standards for Electronic Product Code (EPC), to be
used as a substitute for bar-code. Over 100 large companies and
organizations, including Wal-Mart and the US Department of Defense,
financed these efforts. In 2004 the Auto-ID center was transformed
into a newly formed non-profit EPCglobal organization. At the end
of 2006, the first RFID-enabled game console was marketed.
EPCglobal formed First RFID game marketed Thesis Proposal Improve
tag detection Improve security and privacy
Auditing algorithms for RFID Yoking-Proofs Our proposal spans three
intertwined areas: tag detection, security and privacy in RFID.
Traditional RFID systems have one tag per object. We propose
tagging objects with multiple tags, to improve tag detection. This
will benefit applications that require high tag detection rate, tag
reliability and durability. We will compare our multi-tag approach
with systems using single-tagged objects, as well as with
multiple-readers systems. We will also analyze various combinations
of these two approaches. On the security front, we will devise RFID
auditing algorithms, such as Yoking-Proofs. Yoking-Proof protocols
generate proofs which guarantee that groups of tags were read
nearly-simultaneously. We will create a framework for inter-tag
communication in which passive/battery-less tags communicate with
each other through the reader. We will define privacy in RFID in a
way that takes physical attacks into consideration. We will also
design algorithms for security and privacy in RFID, based on
physically unclonable functions, and design and evaluate PUF
prototypes that avoid the drawbacks of previous approaches.
Inter-tag communication Definition of privacy PUF-based security
Algorithms PUF design Why Multi-Tag RFID? Bar-codes vs. RFID
Unreliability of tag detection
line-of-sight scanning rate Unreliability of tag detection radio
noise is ubiquitous liquids and metals are opaque to RF milk,
water, juice metal-foil wrappers Wal-Mart experiments (2005) 90%
tag detection at case level 95% detection on conveyor belts 66%
detection of individual items inside fully loaded pallets Our
preliminary experiments support data above Bar-code scanning
requires a line-of-sight visibility, and the scan rate is at most a
few bar-codes per second. On the other hand, RFID does not require
line-of-sight, and hundreds of RFID tags can be read per second.
However, these benefits have a price. RFID tag detection is
unreliable due to the ubiquitous radio noise permeating the
environment, which can interfere with the reader's ability to
successfully identify tags. In addition, liquids such as milk,
water, juice etc., or metals, can absorb or reflect radio waves, in
ways that impede tag detection. In 2005, Wal-Mart conducted tag
detection experiments that showed only 90% tag detection rate at
case level, 95% tag detection rate on conveyor belts, and only 66%
tag detection rate of individual items inside fully loaded pallets.
Our preliminary experimental data with commercial RFID equipment
supports these results. If objects are tagged with multiple tags,
the detection rate will be higher. Applications of Multi-Tags
Some applications of multi-tags include supply chain management,
access control (especially for disabled people), luggage tracking,
embedding tags into trees to help detect and discourage illegal
deforestation. The Power of an Angle Inductive coupling: voltage ~
sin(beta), distance ~ (power)^(1/6) Far-field propagation: voltage ~
sin^2(beta), distance ~ (power)^(1/2)
[Figure: B-field and optimal tag placement for 1 to 4 tags]
One of the reasons multi-tags are effective in improving tag
detection is improved expected tag orientation to the reader. Let
beta be the angle between the reader's signal and the tag. The
voltage generated on-board a tag is proportional to sin(beta) for
inductive coupling and to sin^2(beta) for far-field propagation.
The distance at which the reader can detect the tag is proportional
to the sixth root of the voltage for inductive coupling, and to the
square root of the voltage for far-field propagation. Therefore, it
is important to make the angle beta as close to 90 degrees as
possible. To maximize the grazing angle beta, it is best to
position the tags perpendicular to each other for two and three tag
ensembles and to position four-tag ensembles parallel to the faces
of a tetrahedron, a platonic solid. For this tag positioning, the
expected grazing angle beta is as shown on the graphs, assuming
uniform signal distribution. You can see the sharp double digit
increase in the expected angle value when the number of tags is
increased from one to two and from two to three, but only a single
digit angle increase from three tags to four tags. This suggests
that the law of diminishing returns comes into effect pretty
quickly. We computed the expected angle using simulation for 1 to 4
tags and analytically for one and for two tags. Benefits and Costs of
Multi-Tags
PROS increases expected induced voltage on tag increases
operational range of system increases memory per object improves
availability improves reliability improves durability provides
potential security enhancement new applications CONS increases
system cost modestly complicates manufacturing potentially
increases tag interrogation time Here is a summary of some of the
benefits and costs of multi-tags. Multi-tags increase the expected
induced voltage aboard a tag which increases the expected
communication distance. Multi-tags increase the amount of memory
per object, increase probability of object detection, improve
reliability, and durability of the system. Multi-tags can also
enhance security and enable new applications. The cost of these
improvements is the increased system cost, modest complication of
manufacturing process for some types of multi-tags, and potential
increase of tag interrogation time, depending on the
anti-collision algorithm. Experimental Apparatus and Experiments
with Multi-Tags
Equipment Experiments Measure detection of ~20 multi-tagged objects
With/without metals and liquids Rotate multi-tagged object mixes 1,
2, 3, & 4 tags per object Vary tag, reader, and antenna types
Vary distances, geometry, power Multi-tags vs. multiple readers We
will experimentally evaluate multi-tags using equipment from
different manufacturers to ensure impartiality of results. We will
use readers by Alien Technology and ThingMagic, and tags by Alien
Technology and UPM Raflatac, the leading tag manufacturer in the
world. We will determine tag detection for a cart full of
non-metallic and non-liquid objects, about 20 of them. We will repeat
the experiments for metal and liquid objects. To determine the
detection probability, we will rotate a cube with tags attached to
its faces in different planes, and perform similar experiments for
tetrahedra. In our experiments, we will vary distances between
objects and the reader antennas, vary reader antenna geometry, and
vary the readers' emitted power. We will compare multi-tags with
single-tags and multiple readers. Preliminary Experimental
Results
[Figure: average detection probability (Y axis, 0 to 1) per object
number (X axis, 1 to 20), one curve per reader/tag combination]
Preliminary representative experimental results
with commercial RFID equipment support our theoretical
expectations. The four curves here show the detection probabilities
for all combinations of 1 and 2 tags and 1 and 2 readers, averaged
over multiple experiments. The X axis represents the objects, and
the Y axis represents the average object detection probabilities.
The lowest, dark blue curve shows the detection probabilities of
traditional RFID systems with one reader and one tag per object,
yielding an average detection probability of 57.8%. The yellow
curve shows the detection probabilities for two readers and one tag
per object, with an average detection probability of 63.9%. The
orange curve shows the detection probabilities for one reader and
two tags per object, with an average detection probability of
82.6%, and the blue curve shows the detection probabilities for two
readers and two tags per object, with an average detection
probability of 86.6%. As you can see, the difference of adding an
extra reader is relatively small: about 6 percent in the 1-tag
case, and 4% in the 2-tag case. However, the difference of adding
an extra tag is quite dramatic: about 24.8 percent in the 1-reader
case, and 22.7% in the 2-reader case. This data clearly indicates
that adding a tag is substantially more beneficial than adding a
reader, by a factor of 4 to 5 in terms of detection improvements.
This experiment also demonstrates that two tags and one reader
outperform one tag and two readers by 18.7% in terms of detection
probability. Security and Privacy in
RFID
[Figure: locations A, B, C; "Alice was here: A, B, C"] We now turn to the issues of security
and privacy in RFID systems. As Alice carries insecure RFID tags
from A to B to C, her movements may be tracked surreptitiously,
violating her privacy. Privacy-preserving RFID algorithms try to
prevent illicit tag tracking. Security and Privacy in
RFID
Privacy: difficult to track tags Security Secure Identification
f(c) f(r, ID) Tag Authentication c Message Authentication m (m) The
term security in RFID is often overloaded to include privacy.
Before describing our proposed contributions to RFID security and
privacy, I will first explain these concepts. Tag identification is
secure if an adversary cannot determine a tag's ID. The
identification is also private if in addition to the tag hiding its
ID from an adversary, an adversary cannot associate multiple tag
readings with the same tag. Tag authentication algorithms ensure
that the tag is authentic, in other words, that it is not a clone.
In message authentication algorithms, the tag signs a message that
it receives from the reader, or that it receives via sensors.
Recent work shows that passive/powerless RFID tags can perform
sensing by harvesting the energy from the readers. Ownership
transfer algorithms securely and privately transfer tags from one
owner to another. The goal of secure ownership transfer algorithms
is to ensure that tag owners cannot be tracked. Auditing algorithms
verify that readers comply with the data collection policy.
Ownership Transfer Auditing Yoking-Proofs Yoking: joining together
/ simultaneous presence of multiple tags Key Observation: Passive
tags can communicate with each other through reader Problem
Statement: Generate proof that a group of passive tags were
identified nearly-simultaneously Yoking-Proofs protocols belong to
the category of auditing algorithms, however they also have roots
in message authentication algorithms. The term yoking refers to
joining together, or simultaneous presence of multiple tags. Yoking
proofs try to yoke/join reading of multiple tags. The key
observation in yoking-proofs is that passive tags can communicate
with each other through the reader. I will say more about this
interesting new communication paradigm later. The problem statement
in yoking-proofs is the following. The reader should identify a
group of tags nearly-simultaneously (i.e., within some
predetermined time period t), and generate an unforgeable proof
that this was the case. Applications of yoking proofs include:
Verifying that a medicine bottle was sold together with the
instruction leaflet; or that tools were sold together with the
safety devices; or verifying that matching parts were delivered
together, etc. Applications verify that: medicine bottle sold
together with instructions tools sold together with safety devices
matching parts were delivered together several forms of ID were
presented a group of people was present at a meeting Assumptions
and Goals Assumptions Solution Goals Timer on-board a tag
Tags are passive Tags have limited computational abilities Tags can
compute a keyed hash function Tags can maintain some state Verifier
is trusted and powerful Solution Goals Allow readers to be
adversarial Make valid proofs improbable to forge Allow verifier to
verify proofs off-line Detect replays of valid proofs We postulate
the following assumptions and solution goals. We assume that tags
are passive (i.e., they have no batteries on-board), and have
limited computational abilities, but they can compute a keyed hash
function. We also assume that tags can maintain some state between
protocol runs, and that the verifier is trusted and reasonably
powerful (i.e., a PC or server). The protocols should allow readers
to be adversarial and make it infeasible for readers to forge valid
proofs. We want our protocols to allow the verifier to be off-line,
and detect replays of valid proofs by adversarial readers. To
ensure near-simultaneous reading of tags, the protocol can rely on
FCC RFID regulations which require protocol termination within
400ms. If an adversarial reader violates these regulations, a
tag can use an on-board capacitor discharge to implement timeout.
Yoking proofs formulations were invented by Ari Juels who gave a
protocol for a pair of tags, and left the problem of generalizing
the protocol to more than two tags open for future research. Aside
from generalizing this yoking protocol to arbitrary numbers of
tags, we also found and fixed flaws in previous papers on this
topic. Timer on-board a tag FCC regulations: protocol termination
< 400ms Capacitor discharge can implement timeout Generalized
Yoking-Proof Protocol
Idea: construct a chain of mutually dependent MACs [Figure: tags numbered 1 to 5] The
idea of our generalized yoking proof protocol is to construct a
chain of mutually dependent message authentication code
computations. The reader accesses the first tag that computes a MAC
of its state and starts the timer, then the reader passes the value
computed by the tag to the next tag, which computes its own MAC,
and so on. After reading the last tag, the reader passes the
computed value back to the first tag, which closes the chain. We
can prove that it is infeasible for the reader to forge a proof. We
also define anonymous yoking - a new class of privacy-preserving
yoking-proofs, and we propose new private yoking protocols. We can
show how yoking proofs can be sped up by splitting this chain into
multiple arcs, where each arc is constructed independently, and
then arcs are joined together. Anonymous Yoking: tags keep their
identities private Speedup yoking protocols by splitting chain into
arcs Inter-Tag Communication in RFID
Idea: heterogeneity in ubiquitous computing Yoking proofs
Battery-less sensing Tags as mailboxes Tags as proxies Location
access control Tags partitioned into groups Group leader in charge
of authentication and access control Subordinate reader-tag
authentication As mentioned before, passive tags can communicate
with each other through the reader. We believe that this
communication paradigm will add heterogeneity in ubiquitous
computing frameworks, with both active and passive devices
communicating with each other. We showed that yoking-proofs rely on
this paradigm, and propose to develop new applications of inter-tag
communication. Battery-less sensing can be performed with powerless
RFID tags, and inter-tag communication can allow tags to share
sensor information. Tags can be used as mailboxes or proxies for
reader-to-reader communication. Tags can also communicate location
information or ensure simultaneous reader authentication, etc.
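
The chain of mutually dependent MACs from the generalized yoking-proof protocol above, as an added Python sketch that is not code from the talk or from the authors' papers. HMAC-SHA256 as the keyed hash, the per-tag counter as the maintained state, the message layout, and the names Tag, Verifier, reader_collect and SimClock are all assumptions made for illustration; keys and tag names are constructed.

```python
import hashlib
import hmac

TIMEOUT = 0.400  # seconds: the 400 ms termination bound cited above


class SimClock:
    """Constructed stand-in for the tag's on-board timer (capacitor discharge)."""
    def __init__(self):
        self.now = 0.0


def mac(key, *parts):
    """HMAC-SHA256 over length-prefixed parts (the keyed hash is an assumption)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def ctr_bytes(counter):
    return counter.to_bytes(8, "big")


class Tag:
    def __init__(self, tag_id, key, clock):
        self.tag_id, self.key, self.clock = tag_id, key, clock
        self.counter = 0       # state kept between protocol runs
        self.started = None    # set only on the tag that opens a chain

    def start(self):
        self.counter += 1
        self.started = self.clock.now
        return self.counter, mac(self.key, b"start", ctr_bytes(self.counter))

    def link(self, prev_mac):
        self.counter += 1
        return self.counter, mac(self.key, b"link", ctr_bytes(self.counter), prev_mac)

    def close(self, last_mac):
        started, self.started = self.started, None
        if started is None or self.clock.now - started > TIMEOUT:
            return None        # timer expired: refuse to close the chain
        return mac(self.key, b"close", ctr_bytes(self.counter), last_mac)


def reader_collect(tags, clock, delay_per_tag):
    """Untrusted reader: relays each tag's MAC to the next tag, then back to the first."""
    counter, m = tags[0].start()
    links = [(tags[0].tag_id, counter, m)]
    for tag in tags[1:]:
        clock.now += delay_per_tag
        counter, m = tag.link(m)
        links.append((tag.tag_id, counter, m))
    clock.now += delay_per_tag
    closing = tags[0].close(m)
    return None if closing is None else {"links": links, "closing": closing}


class Verifier:
    """Trusted and off-line: holds every tag key and the last counter it accepted."""
    def __init__(self, keys):
        self.keys = dict(keys)
        self.last = {tag_id: 0 for tag_id in keys}

    def verify(self, proof):
        links = proof["links"]
        ids = [tag_id for tag_id, _, _ in links]
        if not ids or len(set(ids)) != len(ids) or any(i not in self.keys for i in ids):
            return False
        prev = b""
        for idx, (tag_id, counter, m) in enumerate(links):
            if not self.last[tag_id] < counter < 2 ** 64:
                return False   # stale counter: replay of an earlier proof
            if idx == 0:
                expected = mac(self.keys[tag_id], b"start", ctr_bytes(counter))
            else:
                expected = mac(self.keys[tag_id], b"link", ctr_bytes(counter), prev)
            if not hmac.compare_digest(expected, m):
                return False
            prev = m
        first_id, first_counter, _ = links[0]
        expected = mac(self.keys[first_id], b"close", ctr_bytes(first_counter), prev)
        if not hmac.compare_digest(expected, proof["closing"]):
            return False
        for tag_id, counter, _ in links:
            self.last[tag_id] = counter   # commit only after the whole chain checks out
        return True


def demo():
    clock = SimClock()
    keys = {name: hashlib.sha256(b"constructed key " + name.encode()).digest()
            for name in ("bottle", "leaflet", "seal")}
    tags = [Tag(name, key, clock) for name, key in keys.items()]
    verifier = Verifier(keys)
    first = reader_collect(tags, clock, 0.05)
    second = reader_collect(tags, clock, 0.05)
    dropped = {"links": [second["links"][0], second["links"][2]],
               "closing": second["closing"]}
    return {
        "honest": verifier.verify(first),
        "replay": verifier.verify(first),          # same proof submitted again
        "tag_dropped": verifier.verify(dropped),   # reader omits the middle tag
        "second_run": verifier.verify(second),
        "slow_reader": reader_collect(tags, clock, 0.2),  # exceeds the timeout
    }
```

The verifier needs no clock of its own: a closing MAC exists only if the first tag's timer had not expired, so a verifiable chain implies the group was read within the timeout.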
PUF-Based Security and Privacy
Digital crypto implementations require 1000s of gates Low-cost
alternatives Pseudonyms / one-time pads Low complexity / power hash
function designs Hardware-based solutions Definition of privacy
that incorporates hardware attacks PUF definition Security is based
on: wire delays gate delays quantum mechanical fluctuations PUF
characteristics uniqueness reliability unpredictability Known
digital cryptographic function implementations require thousands of
gates. RFID researchers are looking for low-complexity and
consequently low-cost solutions to security and privacy in RFID.
Some low-complexity solutions include: use of pseudonyms or
one-time pads, and minimal complexity and power hash functions. In
this proposal we concentrate on solutions that rely on hardware
support. We believe that for low-complexity implementations we need
to utilize randomness that is an inherent part of any chip design.
For some protocols a combination of physical and digital
cryptography can be used. As part of our quest for hardware-based
solutions to security and privacy in RFID, we propose to give a
definition of privacy for RFID taking physical attacks into
account. Our work so far has been based on physically unclonable
functions, PUFs for short. Security of a PUF is based on wire
delays, gate delays, and quantum mechanical fluctuations that are
inherent in chip designs today. A PUF can be characterized by its
uniqueness, which is the probability that it computes a value different
from the value computed by another PUF for the same input. A PUF
can also be characterized by its reliability, which is the
probability that the PUF will output the value observed in the
reference environment (i.e., the one with no power or temperature
fluctuations). Another characteristic of a PUF is unpredictability,
which is the characteristic of how hard it is to predict a PUF's
output for a never before tried input. In essence, this is a
characteristic of how hard it is to model a PUF. We propose to more
precisely define this characteristic. My thesis proposal writeup
details previous works on PUFs, and we will design PUFs that avoid
the drawbacks of previous methods. PUF-Based Algorithms
Identification Sequence: ID, p(ID), ..., p^k(ID)
It is important to have a reliable PUF no loops in PUF chains no
identical PUF outputs no impersonation attacks Authentication
Pairs: c1, p(c1), c2, p(c2), ..., cn, p(cn) Verify that at least
the desired fraction of challenge-response pairs is correct MAC
based on PUF Motivation: yoking-proofs, signing sensor data large
keys cannot support arbitrary messages Large message set Small
message set We propose RFID identification, authentication, and MAC
algorithms based on PUFs. To privately identify a tag, the tag will
send its ID to the reader and update its ID using the PUF. For this
algorithm to work, it is important for the PUF to be reliable. For
privacy, it is important to have no loops in the desired chain, and
no PUF outputs should collide. We assume that an adversary cannot
physically overwrite an ID of another PUF with observed tag ID.
Otherwise, an adversary will gain considerable tracking advantage.
The main point is that from a single ID, a PUF can extract multiple
pseudo-IDs that it can use for identification. For a
non-privacy-preserving authentication, the reader can send multiple
challenges to a tag. The tag will compute PUF values for these
challenges and send them to the reader. The reader will verify that
at least the desired fraction of values is correct. PUFs can also
be used to sign messages. For example, yoking proofs require
messages to be signed and PUFs can also sign sensitive sensor data
such as temperature. MAC protocols that we propose are different
from standard cryptographic MAC protocols. Our MAC protocols
require large keys whereas standard MAC protocols have short keys,
and our MACs cannot be used in all scenarios. We will design MAC
protocols for large and small message spaces. PUF-Based Ownership
Transfer
To maintain privacy we need ownership privacy forward privacy
Physical security is especially important Solutions public key
cryptography knowledge of owners sequence trusted authority short
period of privacy Ownership transfer in RFID occurs when a tag
changes hands, which can occur in case of a sale or rental, for
example. It is desired to preserve the privacy of tag owners. Past
owners should not be able to track current and future owners, and
current and future owners should be able to track previous owners
back in time. When tags can change owners, physical security
becomes especially important since current owners can tamper with
their own tags in order to track future owners. We propose to
devise new PUF-based privacy-preserving ownership transfer
protocols that rely on knowledge of the sequence of owners, trusted
authority, or short period of privacy. Comparison of PUF With
Digital Hash Functions
Algorithm   # of gates
MD4         7350
MD5         8400
SHA-256     10868
Yuksel      1701
PUF         545
AES         3400
Reference PUF: 545 gates for 64-bit input 6 to
8 gates for each input bit 33 gates to measure the delay Low gate
count of PUF has a cost probabilistic outputs difficult to
characterize analytically non-unique computation extra storage
Different attack target for adversaries model building rather than
key discovery Physical security hard to break tag and remain
undetected In terms of gate count, a PUF compares favorably to
known cryptographic hash functions that require thousands of gates
to implement. In contrast, existing PUFs require only about 550
gates for a 64-bit input, an order of magnitude improvement over
standard hash functions. Of course, the PUF's low gate count comes
at a cost. In particular, the PUF's output is only probabilistically
accurate, and it is hard to analytically characterize a PUF, making
it difficult to assess its complexity and security. Also several
different PUFs may produce identical outputs for the same input,
requiring algorithms to protect against impersonation attacks. PUFs
also require extra storage at the back-end database to store all
the challenge response pairs recorded for each tag. Plus, PUFs
create a different attack target for adversaries. Instead of trying
to recover a key for keyed hash functions, an adversary would try
to model the PUF based on the known challenge response pairs. In
addition, PUFs add physical security to otherwise vulnerable RFID
tags. With PUFs it is much more difficult for an adversary to break
the tag, or create a clone of the PUF/tag and remain undetected.
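
The threshold check from the PUF-based authentication described above (send n challenges, accept when at least the desired fraction of responses is correct), as an added Python example that is not code from the talk. The SimulatedPUF class is a software stand-in, not a circuit model: an HMAC over constructed per-chip bytes plays the reference response, an 8-bit response width is assumed, and the acceptance formula is the standard binomial tail written with names chosen here.

```python
import hashlib
import hmac
import random
from math import comb

RESPONSE_BITS = 8  # constructed response width


class SimulatedPUF:
    """Software stand-in for a hardware PUF (assumption, not a circuit model)."""
    def __init__(self, chip_randomness, reliability, rng):
        self.chip = chip_randomness      # models per-chip manufacturing variation
        self.reliability = reliability   # P(output equals the reference value)
        self.rng = rng

    def reference(self, challenge):
        """Response in the reference environment (no power/temperature noise)."""
        return hmac.new(self.chip, challenge, hashlib.sha256).digest()[0]

    def respond(self, challenge):
        value = self.reference(challenge)
        if self.rng.random() >= self.reliability:
            value ^= 1 << self.rng.randrange(RESPONSE_BITS)  # noisy evaluation
        return value


class Verifier:
    """Back-end database of enrolled challenge-response pairs, each used once."""
    def __init__(self, puf, pairs):
        challenges = [i.to_bytes(4, "big") for i in range(pairs)]
        self.unused = [(c, puf.reference(c)) for c in challenges]

    def authenticate(self, tag_puf, n, min_correct):
        if len(self.unused) < n:
            raise RuntimeError("enrolled pairs exhausted; re-enroll the tag")
        # Consume the pairs so an eavesdropped response is never accepted twice.
        batch, self.unused = self.unused[:n], self.unused[n:]
        correct = sum(tag_puf.respond(c) == r for c, r in batch)
        return correct >= min_correct


def accept_probability(n, min_correct, p_match):
    """P(at least min_correct of n independent responses match)."""
    return sum(comb(n, i) * p_match ** i * (1 - p_match) ** (n - i)
               for i in range(min_correct, n + 1))


def smallest_threshold(n, p_impostor, max_false_accept):
    """Lowest min_correct whose impostor acceptance stays under the bound."""
    for m in range(n + 1):
        if accept_probability(n, m, p_impostor) <= max_false_accept:
            return m
    return None


def simulate(trials=200, n=20, min_correct=14, reliability=0.9, seed=2007):
    rng = random.Random(seed)
    genuine = SimulatedPUF(b"constructed chip A", reliability, rng)
    other = SimulatedPUF(b"constructed chip B", reliability, rng)
    db = Verifier(genuine, 2 * trials * n)   # enrolled from the genuine tag only
    return {
        "genuine_accepted": sum(db.authenticate(genuine, n, min_correct)
                                for _ in range(trials)),
        "impostor_accepted": sum(db.authenticate(other, n, min_correct)
                                 for _ in range(trials)),
    }
```

With reliability 0.9 and n = 20, demanding all 20 correct responses accepts a genuine tag only about 12% of the time, while a 14-of-20 threshold accepts it more than 99% of the time and still leaves an impostor's chance negligible.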
PUF Design Attacks on PUF Weaknesses of existing PUF New PUF
design
impersonation modeling hardware tampering side-channel Weaknesses
of existing PUF reliability A good PUF design and PUF-based
algorithms should make it difficult for an adversary to use a clone
PUF for impersonation. A good PUF should be resistant to modeling
attacks. A PUF should resist hardware-tampering attacks that
attempt to measure wire delays and/or try to learn secret data
stored underneath the PUF's wires. A PUF should not leak substantial
information about its computation through side channels. The existing
PUF has some weaknesses. It has an oscillating counting circuit
which computes the delay by counting and increases the tag
manufacturing cost. In addition, the delay values of this PUF
follow a Gaussian distribution, requiring filtering of some
challenges and longer computation times. The reliability of
existing PUFs is also relatively low. We propose to design and
evaluate better PUF prototypes in collaboration with our EE
colleagues. We will design a sub-threshold voltage PUF without an
oscillating circuit, which will require less time to run. We will
also include non-linear delays in our PUF circuit, to make modeling
difficult. New PUF design no oscillating circuit sub-threshold
voltage Compare different non-linear delay approaches Conclusion
and Research Plan
Contributions Multi-Tags tag objects with multiple tags to improve
detection Security and Privacy Yoking proofs Inter-tag
communication Hardware-based security PUFs Plan for the next 5
months finish multi-tag experiments define privacy w.r.t. physical
attacks design / evaluate improved PUF circuits publish more papers
In conclusion, we propose tagging objects with multiple-tags to
improve object detection and the reliability of the system in
general. On the security front, we design generalized yoking-proofs
for RFID auditing. We propose a new inter-tag communication
framework and its applications. We also propose secure and private
RFID algorithms based on physical unclonable functions. In the next
five months, we plan to complete our experiments with multi-tags,
develop new privacy definitions for RFID, design and evaluate new
improved PUF circuits, and publish additional papers on these
topics. Thank you. Bolotnyy and Robins, Multi-Tag Radio Frequency
Identification Systems, IEEE Workshop on Automatic Identification
Advanced Technologies (AutoID), pp , 2005 Bolotnyy and Robins,
Randomized Tree Walking Algorithm for Secure RFID, IEEE Workshop on
Automatic Identification Advanced Technologies (AutoID), pp , 2005
Bolotnyy and Robins, Generalized Yoking-Proofs for a Group of RFID
Tags, IEEE International Conference on Mobile and Ubiquitous
Systems (Mobiquitous), 2006 Bolotnyy and Robins, PUF-Based Security
and Privacy in RFID Systems, IEEE International Conference on
Pervasive Computing (PerCom), 2007 Back Up Slides Related Work on
Multi-Tags
Two-antennas per tag to determine location Four tags per object to
determine movement direction Multiple tags to increase reliability
(for visually impaired) Random placement of two tags on playing
cards Splitting tag ID into Class ID and Pure ID Up to three tags
to determine object-person interaction Some works observed the need
for better object detection. X uses two antennas per object to
better determine a tag's location. Y places four differently
positioned tags on an object to determine its moving direction. Z
mentions that multiple tags per object can be used to increase
reliability to help the visually impaired. Q randomly places two tags
on playing cards to increase card detection. The work of W splits
tag ID into two parts: Class ID and Pure ID. At sale time Pure ID
is peeled off, leaving only Class ID to enhance individual privacy.
E uses up to three tags to better determine object-person
interaction. In contrast to these works, we take a systematic
approach to developing a theory of multi-tags, proposing optimal
tag placement, quantifying improvements obtained with multi-tags,
analyzing the effect of multi-tags on different tag interrogation
algorithms, suggesting ways to enhance security with multi-tags, and
offering appealing new applications. Types of Multi-Tags Redundant
Tags Complementary Tags Dual-Tags
Own Memory Only Shared Memory Only Own and Shared Memory
Triple-Tags We define different types of multi-tags. Redundant tags
are identical disconnected tags attached to an object.
Complementary tags are disconnected tags having distinct
functionality that complement each other for the common purpose
(e.g., to speed up parallelizable computation or subdivide function
computation). Dual-Tags is a pair of connected tags. Triple-Tags
and n-Tags in general refer to n inter-connected tags. n-Tags
Detection Distance with Multi-Tags Effects of Multi-Tags on
Anti-Collision Algorithms
Redundant Tags Dual-Tags Binary No Effect Binary Variant Randomized
Doubles Time** No Effect* STAC Causes DOS Slotted Aloha *If
Dual-Tags communicate to form a single response **Assuming an
object is tagged with two tags Related Work on Yoking-Proofs
Juels [2004] protocol is limited to two tags no timely timer update
(minor/crucial omission) Saito and Sakurai [2005] solution relies
on timestamps generated by trusted database violates original
problem statement one tag is assumed to be more powerful than the
others vulnerable to future timestamp attack Piramuthu [2006]
discusses inapplicable replay-attack problem of Juels protocol
independently observes the problem with Saito/Sakurai protocol
proposed fix only works for a pair of tags violates original
problem statement Speeding Up The Yoking Protocol
Idea: split cycle into several sequences of dependent MACs starting
/ closing tags Requires multiple readers or multiple antennas
anti-collision protocol Related Work on PUF Optical PUF [Ravikanth
2001]
Silicon PUF [Gassend et al 2002] design, implementation,
simulation, manufacturing authentication algorithm controlled PUF
PUF in RFID off-line reader authentication using public key
cryptography [Tuyls et al 2006] The concept of a physical
unclonable function was introduced by Ravikanth in his Ph.D. thesis
in 2001. His work is mainly structured around optical PUFs. Silicon
PUFs were introduced by Gassend and others in 2002. They designed a
PUF, characterized its operation under changing voltage and
temperature values, and showed how it can be used for circuit
authentication. They have also introduced controlled PUFs that use
cryptographic hash functions. A couple of works mentioned possible
PUF application to RFID. Tuyls and others gave an off-line reader
authentication algorithm using PUFs. Their algorithm relies on a
public key cryptography, which may be expensive to implement aboard
low-cost tags. PUF-Based Authentication
Reader Tag < probv 1 and probf 1 0 t n-1 probv(n) probf(n) i=t+1
i(1-)n-i probv = 1 - n i j(1- )n-j probf = 1 - j=t+1 j . GetID
GetResponse(c1) GetResponse(cn) ID p(c1) p(cn) PUF-Based
Identification Algorithm
Tag stores its identifier: ID Database stores: ID, p(ID), ..., p^k(ID)
Upon reader's query, the tag responds with p(ID) updates its ID with
p(ID) It is important to have a reliable PUF no loops in PUF chains
no identical PUF outputs Assumptions passive adversaries
(otherwise, denial of service possible) physical compromise of tags
not possible reliable PUF PUF-Based MAC Algorithms
MAC = (K, , ) K valid signature :(M, ) = 1 forged signature : (M, )
= 1, M = M Need to protect against replay attacks MAC based on PUF
large keys cannot support arbitrary messages Motivational example:
buyer/seller (m) = c, r1, ..., rn, pc(r1, m), ..., pc(rn, m) Large
message set Small message set (m) = c, pc(1)(m), ..., pc(n) (m),
..., c+q-1, pc+q-1(1)(m), pc+q-1(n)(m) Using PUF to Detect and
Restore Privacy of Compromised System
Detect potential tag compromise Update secrets of affected tags