Jaap-Henk Hoepman
TNO ICT, Groningen, the Netherlands, jaap-henk.hoepman@tno.nl
Digital Security (DS), Radboud University Nijmegen, the Netherlands
jhh@cs.ru.nl / www.cs.ru.nl/~jhh

Privacy & The Internet of Things
How to keep the good and make the bad less ugly
Jaap-Henk Hoepman // TNO ICT / Radboud University Nijmegen //
Privacy and the Internet of Things, 5-2-2010
Paradigm shift
RFID = a lot of things.....
NFC
The Internet Of Things
The virtual world and the real world are no longer separated
Where do I come from....
The good
Timo Arnall : http://www.elasticspace.com/
http://www.nabaztag.com//
... and where may this all go to?
The bad
Privacy concerns
● Orwell / Big Brother
● Chandler / Little Sister
● Kafka / The Trial
Security concerns as well
Confidentiality
● Corporate espionage
Integrity
● Data out of sync
Authenticity
● Cloning
● Detach/swap
Availability
● Jamming
● ...
EC Recommendation 12-5-2009
Don’t kill the Internet of Things!
How to avoid the kill and make the bad less ugly
Give people agency
● RFID Guardian
● Privacy Coach
Use privacy enhancing technologies
● Mutual authentication
● Conditional access
● ...
Agency
“Tags should not be used on people but used by people”
former Commissioner Viviane Reding
The RFID Privacy Coach (04-12-2009)
Goal – give consumers control over RFID
[Diagram labels: privacy preference, privacy policy, NFC enabled phone]
http://www.privacy-coach.org
Policies? Preferences?
Example of a policy
● ACME Ltd registers the type of pasta you buy when you buy a can of peeled tomatoes
● ACME Ltd will offer discounts to people that wear a FOOBAR watch
Example of a preference
● I do not want offers based on the tags I carry
(note that FOOBAR watches should give permission to ACME Ltd for reading their tags)
● I allow anonymous profiling
How does it work?
[Diagram labels: RFID tag, tag number, tag policy, network independent privacy policy provider, database: tag policies, consumer preference]
Privacy enhancing technologies
Limitations
● limited resources
● no central authority
● practicality: no key search
Requirement
● acknowledge lifecycle!
Object-oriented model
Object owner
● grants permission to object
Tag owner
● grants access to tag
[Diagram label: caller]
Practical authentication protocol
Symmetric key authentication
● using diversified access key
Re-encryption of tag identifier t
●
●
● new id becomes
● tag only accepts when properly authenticated
Protection against stolen readers
● Domain gets new re-encryption key for each epoch
● Tag stores last seen epoch
● Keep old keys for old
[Protocol diagram labels: Reader, Tag]
Properties
No trusted hardware for tags
● Each tag has different symmetric key
Reader does not have to search all keys
● Diversification
Tags untraceable before/after successful authentication
● Re-encryption
Any reader can update all identifiers
● Universal re-encryption
● But reader needs to know at least one access key
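
The "Re-encryption" and "Universal re-encryption" properties above, shown as an added example that is not from the slides. The slides do not say which scheme is used, so this sketch assumes the ElGamal-based universal re-encryption of Golle, Jakobsson, Juels and Syverson over a toy-sized group; all function names and parameters are hypothetical, and the access-key check a tag performs before accepting a new identifier is not modelled.

```python
import secrets

# Toy group, far too small for real use: P = 2*Q + 1, G generates the order-Q subgroup.
P, Q, G = 1019, 509, 4

def _rand_exp():
    return secrets.randbelow(Q - 1) + 1            # uniform in [1, Q-1]

def keygen():
    """Key pair of the domain that is allowed to learn tag identifiers."""
    x = _rand_exp()
    return x, pow(G, x, P)                         # (private, public)

def encrypt(tag_id, y):
    """Universal ciphertext: ElGamal(tag_id) paired with ElGamal(1), both under y."""
    k0, k1 = _rand_exp(), _rand_exp()
    return ((tag_id * pow(y, k0, P) % P, pow(G, k0, P)),
            (pow(y, k1, P), pow(G, k1, P)))

def reencrypt(ct):
    """Re-randomise using only the ciphertext: no public or private key needed."""
    (a0, b0), (a1, b1) = ct
    r0, r1 = _rand_exp(), _rand_exp()
    return ((a0 * pow(a1, r0, P) % P, b0 * pow(b1, r0, P) % P),
            (pow(a1, r1, P), pow(b1, r1, P)))

def decrypt(ct, x):
    """Return the tag identifier, or None if ct is not under this domain's key."""
    (a0, b0), (a1, b1) = ct
    if a1 * pow(b1, -x, P) % P != 1:               # second half must decrypt to 1
        return None
    return a0 * pow(b0, -x, P) % P

if __name__ == "__main__":
    x, y = keygen()
    tag_id = pow(G, 123, P)                        # constructed sample identifier
    stored = encrypt(tag_id, y)                    # value the tag emits when read
    for reader in range(3):                        # readers that hold no key
        stored = reencrypt(stored)
        print("reader", reader, "wrote", stored)   # differs on every pass
    print("domain recovers", decrypt(stored, x), "expected", tag_id)
```

Each pass changes every component of the stored value, so two sightings of the same tag cannot be matched by comparing what it emits, while the domain holding the private key still recovers the same identifier.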
References
IFIP WG 11.2 “Pervasive systems security”
● http://www.cs.ru.nl/ifip-wg11.2/
Council – a thinktank on the IoT
● http://www.theinternetofthings.eu
Discussion
[Monty Python’s Argument Clinic sketch]