
1

New Directions in Detection, Security and Privacy for RFID

Leonid Bolotnyy and Gabriel Robins

Department of Computer Science, UVa

2

Thesis

Multi-tags, “yoking-proofs”, and physical unclonable functions can improve reliability, security, and privacy in radio frequency identification (RFID) systems.

3

Progress

• L. Bolotnyy and G. Robins, Multi-Tag Radio Frequency Identification Systems, IEEE Workshop on Automatic Identification Advanced Technologies (AutoID), pp. 83-88, 2005

• L. Bolotnyy and G. Robins, Randomized Pseudo-Random Function Tree Walking Algorithm for Secure Radio Frequency Identification, IEEE Workshop on Automatic Identification Advanced Technologies (AutoID), pp. 43-48, 2005

• L. Bolotnyy and G. Robins, Generalized ‘Yoking-Proofs’ for a Group of RFID Tags, IEEE International Conference on Mobile and Ubiquitous Systems (Mobiquitous), 2006

• L. Bolotnyy and G. Robins, PUF-Based Security and Privacy in RFID Systems, IEEE International Conference on Pervasive Computing (PerCom), 2007

• Several additional papers in progress

• NSF Cyber Trust proposal (submitted January 2007)

• Deutsche Telekom (largest in EU) offered to patent our multi-tags idea

4

Introduction

• RFID

• Tag types: passive, semi-passive, active

• Frequencies: Low (125KHz), High (13.56MHz), UHF (915MHz)

• Coupling methods: inductive coupling, backscatter coupling

[Figure: reader antenna and signal for each coupling method: inductive coupling, backscatter coupling]

5

History

• Auto-ID Center formed - 1999

• EPCglobal formed - 2004

• Radar invented - 1935

• EAS invented - early 1960’s

• First RFID book published - 1999

• First RFID patent filed - 1973

• First RFID game marketed - 2006

6

Thesis Proposal

• Improve tag detection

• Improve security and privacy

[Diagram labels: Inter-tag communication; Definition of privacy; Auditing algorithms for RFID; “Yoking-Proofs”; PUF-based security (algorithms, PUF design)]

7

Why Multi-Tag RFID?

• Bar-codes vs. RFID
– line-of-sight
– scanning rate

• Unreliability of tag detection
– radio noise is ubiquitous
– liquids and metals are opaque to RF
  • milk, water, juice
  • metal-foil wrappers
– Wal-Mart experiments (2005)
  • 90% tag detection at case level
  • 95% detection on conveyor belts
  • 66% detection of individual items inside fully loaded pallets
– Our preliminary experiments support data above

8

Applications of Multi-Tags

9

The Power of an Angle

• Inductive coupling: voltage ~ $\sin(\beta)$, distance ~ $(\text{power})^{1/6}$

• Far-field propagation: voltage ~ $\sin^2(\beta)$, distance ~ $(\text{power})^{1/2}$

[Figure: expected angle (in degrees) vs. number of tags (1 to 4); data labels 32.7, 47.98, 58.11, 61.86]

4 2

40[ (2 cos ) ( )(2 cos ) ] /

2

x x dx x x dx

2

0[ (2 cos ) ] /(2 )

x x dx

• Optimal Tag Placement:

[Figure: B-field and angle β; tag placement diagrams labeled 1, 2, 3, 4]

10

Benefits and Costs of Multi-Tags

• PROS
– increases expected induced voltage on tag
– increases operational range of system
– increases memory per object
– improves availability
– improves reliability
– improves durability
– provides potential security enhancement
– new applications

• CONS
– increases system cost
– modestly complicates manufacturing
– potentially increases tags’ interrogation time

11

Experimental Apparatus and Experiments with Multi-Tags

• Equipment

• Experiments
– Measure detection of ~20 multi-tagged objects
  • With/without metals and liquids
– Rotate multi-tagged object mixes
  • 1, 2, 3, & 4 tags per object
– Vary tag, reader, and antenna types
– Vary distances, geometry, power
– Multi-tags vs. multiple readers

12

Preliminary Experimental Results

[Figure: average detection probability (0 to 1) vs. object number (1 to 20)]

1 Reader, 1 Tag: 57.8%
1 Reader, 2 Tags: 82.6%
2 Readers, 1 Tag: 63.9%
2 Readers, 2 Tags: 86.6%

Δ labels: 24.8%, 22.7%, 4.0%, 18.7%, 6.1%

13

Security and Privacy in RFID

• Privacy

[Figure: locations A, B, C; caption “Alice was here: A, B, C”; label “privacy”]

14

Security and Privacy in RFID

• Privacy: difficult to track tags

• Security
– Secure Identification: f(r, ID)
– Tag Authentication: c, f(c)
– Message Authentication: m, σ(m)
– Ownership Transfer
– Auditing

15

“Yoking-Proofs”

• Applications – verify that:
– medicine bottle sold together with instructions
– tools sold together with safety devices
– matching parts were delivered together
– several forms of ID were presented
– a group of people was present at a meeting

• Problem Statement: Generate proof that a group of passive tags were identified nearly-simultaneously

• Key Observation: Passive tags can communicate with each other through reader

• Yoking: joining together / simultaneous presence of multiple tags

16

Assumptions and Goals

• Assumptions
– Tags are passive
– Tags have limited computational abilities
– Tags can compute a keyed hash function
– Tags can maintain some state
– Verifier is trusted and powerful

• Solution Goals
– Allow readers to be adversarial
– Make valid proofs improbable to forge
– Allow verifier to verify proofs off-line
– Detect replays of valid proofs

• Timer on-board a tag
– FCC regulations: protocol termination < 400ms
– Capacitor discharge can implement timeout

17

Generalized “Yoking-Proof” Protocol

[Figure: protocol diagram with labels 1 to 5]

Anonymous Yoking: tags keep their identities private

Speedup yoking protocols by splitting chain into arcs

Idea: construct a chain of mutually dependent MACs
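
A simplified sketch of the chain idea, added here as an illustration and not taken from the slides or the authors' protocol: each tag MACs the previous tag's output together with its own counter, the untrusted reader only relays values, and the first tag answers a second time to close the chain into a cycle. HMAC-SHA256, the counter-based replay check, the demo keys and all class and function names are assumptions; the on-tag timeout is not modelled.

```python
import hashlib
import hmac

def mac(key: bytes, prev: bytes, counter: int) -> bytes:
    """Keyed hash the tags are assumed to compute (HMAC-SHA256 stands in here)."""
    return hmac.new(key, prev + counter.to_bytes(8, "big"), hashlib.sha256).digest()

class Tag:
    def __init__(self, tag_id: str, key: bytes):
        self.tag_id, self.key, self.counter = tag_id, key, 0

    def respond(self, prev: bytes):
        """Bind the previous tag's output to a fresh counter value (the tag's state)."""
        self.counter += 1
        return self.tag_id, self.counter, mac(self.key, prev, self.counter)

def collect_proof(tags, start: bytes):
    """Untrusted reader: relay each MAC to the next tag, then back to the first tag."""
    links, prev = [], start
    for tag in tags + [tags[0]]:          # first tag answers again to close the cycle
        link = tag.respond(prev)
        links.append(link)
        prev = link[2]
    return {"start": start, "links": links}

class Verifier:
    """Trusted party that knows every tag key and checks proofs off-line."""
    def __init__(self, keys: dict):
        self.keys = keys
        self.last_seen = {tag_id: 0 for tag_id in keys}

    def verify(self, proof) -> bool:
        links, prev = proof["links"], proof["start"]
        if len(links) < 3 or links[0][0] != links[-1][0]:
            return False                   # chain must start and close on the same tag
        seen = dict(self.last_seen)
        for tag_id, counter, value in links:
            if tag_id not in self.keys or counter <= seen[tag_id]:
                return False               # unknown tag, or counter reused (replay)
            if not hmac.compare_digest(mac(self.keys[tag_id], prev, counter), value):
                return False               # link does not depend on its predecessor
            seen[tag_id], prev = counter, value
        self.last_seen = seen              # accepted: remember counters for replay checks
        return True

if __name__ == "__main__":                 # constructed demo: three tags, made-up keys
    tags = [Tag(n, n.encode() * 4) for n in ("bottle", "leaflet", "cap")]
    verifier = Verifier({t.tag_id: t.key for t in tags})
    proof = collect_proof(tags, b"reader-chosen start value")
    print(verifier.verify(proof), verifier.verify(proof))  # second call is a replay
```

Because every MAC covers its predecessor, a reader that drops or reorders a tag's contribution produces a chain the verifier cannot recompute.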

18

Inter-Tag Communication in RFID

• Idea: heterogeneity in ubiquitous computing

• “Yoking proofs”

• Battery-less sensing

• Tags as mailboxes

• Tags as proxies

• Location access control

• Tags partitioned into groups
– Group leader in charge of authentication and access control

• Subordinate reader-tag authentication

19

PUF-Based Security and Privacy

• Digital crypto implementations require 1000’s of gates

• Low-cost alternatives
– Pseudonyms / one-time pads
– Low complexity / power hash function designs
– Hardware-based solutions

• Definition of privacy that incorporates hardware attacks

• PUF definition

• Security is based on:
– wire delays
– gate delays
– quantum mechanical fluctuations

• PUF characteristics
– uniqueness
– reliability
– unpredictability

20

PUF-Based Algorithms

• Identification Sequence: ID, $p(\mathrm{ID})$, …, $p^k(\mathrm{ID})$

• It is important to have
– a reliable PUF
– no loops in PUF chains
– no identical PUF outputs
– no impersonation attacks

• MAC based on PUF
– Motivation: “yoking-proofs”, signing sensor data
– large keys
– cannot support arbitrary messages

• Large message set

• Small message set

• Authentication Pairs: $c_1, p(c_1), c_2, p(c_2), \ldots, c_n, p(c_n)$

• Verify that at least the desired fraction of challenge-response pairs is correct

21

PUF-Based Ownership Transfer

• Ownership Transfer

• To maintain privacy we need
– ownership privacy
– forward privacy

• Physical security is especially important

• Solutions
– public key cryptography
– knowledge of owners sequence
– trusted authority
– short period of privacy

22

Comparison of PUF With Digital Hash Functions

• Reference PUF: 545 gates for 64-bit input
– 6 to 8 gates for each input bit
– 33 gates to measure the delay

• Low gate count of PUF has a cost
– probabilistic outputs
– difficult to characterize analytically
– non-unique computation
– extra storage

• Different attack target for adversaries
– model building rather than key discovery

• Physical security
– hard to break tag and remain undetected

algorithm    # of gates
MD4          7350
MD5          8400
SHA-256      10868
Yuksel       1701
PUF          545
AES          3400

23

PUF Design

• Attacks on PUF
– impersonation
– modeling
– hardware tampering
– side-channel

• Weaknesses of existing PUF

• New PUF design
– no oscillating circuit
– sub-threshold voltage

• Compare different non-linear delay approaches

reliability

24

Conclusion and Research Plan

• Contributions
– Multi-Tags
  • tag objects with multiple tags to improve detection
– Security and Privacy
  • Yoking proofs
  • Inter-tag communication
  • Hardware-based security
– PUFs

• Plan for the next 5 months
– finish multi-tag experiments
– define privacy w.r.t. physical attacks
– design / evaluate improved PUF circuits
– publish more papers

• Bolotnyy and Robins, Multi-Tag Radio Frequency Identification Systems, IEEE Workshop on Automatic Identification Advanced Technologies (AutoID), pp. 83-88, 2005

• Bolotnyy and Robins, Randomized Tree Walking Algorithm for Secure RFID, IEEE Workshop on Automatic Identification Advanced Technologies (AutoID), pp. 43-48, 2005

• Bolotnyy and Robins, Generalized ‘Yoking-Proofs’ for a Group of RFID Tags, IEEE International Conference on Mobile and Ubiquitous Systems (Mobiquitous), 2006

• Bolotnyy and Robins, PUF-Based Security and Privacy in RFID Systems, IEEE International Conference on Pervasive Computing (PerCom), 2007

26

Back Up Slides

27

Related Work on Multi-Tags

• Two-antennas per tag to determine location

• Four tags per object to determine movement direction

• Multiple tags to increase reliability (for visually impaired)

• Random placement of two tags on playing cards

• Splitting tag ID into Class ID and Pure ID

• Up to three tags to determine object-person interaction

28

Types of Multi-Tags

• Triple-Tags

• n-Tags

• Dual-Tags
– Own Memory Only
– Shared Memory Only
– Own and Shared Memory

• Redundant Tags

• Complementary Tags

29

Detection Distance with Multi-Tags

Expected Factor of Distance Increase

Number of Tags    Far-Field Propagation    Inductive Coupling
1                 1                        1
2                 1.37                     1.06
3                 1.57                     1.08
4                 1.63                     1.09

30

Effects of Multi-Tags on Anti-Collision Algorithms

Algorithm         Redundant Tags    Dual-Tags
Binary            No Effect         No Effect
Binary Variant    No Effect         No Effect
Randomized        Doubles Time**    No Effect*
STAC              Causes DOS        No Effect*
Slotted Aloha     Doubles Time**    No Effect*

* If Dual-Tags communicate to form a single response
** Assuming an object is tagged with two tags

31

Related Work on “Yoking-Proofs”

• Saito and Sakurai [2005]
– solution relies on timestamps generated by trusted database
– violates original problem statement
– one tag is assumed to be more powerful than the others
– vulnerable to “future timestamp” attack

• Piramuthu [2006]
– discusses inapplicable replay-attack problem of Juels’ protocol
– independently observes the problem with Saito/Sakurai protocol
– proposed fix only works for a pair of tags
– violates original problem statement

• Juels [2004]
– protocol is limited to two tags
– no timely timer update (minor/crucial omission)

32

Speeding Up The Yoking Protocol

[Figure label: starting / closing tags]

Idea: split cycle into several sequences of dependent MACs

Requires
– multiple readers or multiple antennas
– anti-collision protocol

33

Related Work on PUF

• Optical PUF [Ravikanth 2001]

• Silicon PUF [Gassend et al 2002]
– design, implementation, simulation, manufacturing
– authentication algorithm
– controlled PUF

• PUF in RFID
– off-line reader authentication using public key cryptography [Tuyls et al 2006]

34

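PUF-Based Authentication

Reader → Tag: GetID
Tag → Reader: ID
Reader → Tag: GetResponse($c_1$)
Tag → Reader: $p(c_1)$
...
Reader → Tag: GetResponse($c_n$)
Tag → Reader: $p(c_n)$

$\alpha < \mathrm{prob}_v \le 1$ and $\mathrm{prob}_f \le \beta \le 1$

$0 \le t \le n-1$

[Figure labels: $\mathrm{prob}_v(n)$, $\mathrm{prob}_f(n)$]

$$\mathrm{prob}_v = 1 - \sum_{i=t+1}^{n} \binom{n}{i} \mu^i (1-\mu)^{n-i}$$

$$\mathrm{prob}_f = 1 - \sum_{j=t+1}^{n} \binom{n}{j} \tau^j (1-\tau)^{n-j}$$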
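
An added example (not from the slides) that evaluates the two sums above and searches for the smallest number of challenges n and tolerance t meeting the bounds α and β, together with the reader-side threshold check on challenge-response pairs. It assumes μ is the probability that one response from the genuine tag differs from the stored reference and τ the probability that one response from a forged tag differs; the slides do not define them, and all function names and sample values are made up for illustration.

```python
from math import comb

def accept_prob(n: int, t: int, p_wrong: float) -> float:
    """1 - sum_{i=t+1}^{n} C(n,i) p^i (1-p)^(n-i): chance that at most t of n responses are wrong."""
    tail = sum(comb(n, i) * p_wrong**i * (1 - p_wrong)**(n - i)
               for i in range(t + 1, n + 1))
    return 1.0 - tail

def choose_parameters(mu, tau, alpha, beta, max_n=128):
    """Smallest n, then smallest t with 0 <= t <= n-1, giving prob_v > alpha and prob_f <= beta."""
    for n in range(1, max_n + 1):
        for t in range(n):
            prob_v = accept_prob(n, t, mu)    # genuine tag accepted (assumed meaning of mu)
            prob_f = accept_prob(n, t, tau)   # forged tag accepted (assumed meaning of tau)
            if prob_v > alpha and prob_f <= beta:
                return n, t
    return None                               # no setting within max_n meets both bounds

def authenticate(expected, received, t: int) -> bool:
    """Reader-side check: accept when at most t challenge-response pairs mismatch."""
    if len(expected) != len(received):
        return False
    return sum(e != r for e, r in zip(expected, received)) <= t

if __name__ == "__main__":
    # Constructed values: 2% per-response noise on a genuine tag, 40% miss rate for a forgery.
    print(choose_parameters(mu=0.02, tau=0.4, alpha=0.99, beta=0.001))
    print(authenticate([7, 1, 4, 9], [7, 1, 0, 9], t=1))
```

When μ and τ are close, no (n, t) within the search limit separates genuine from forged tags and the search returns None, which is the case an unreliable PUF produces.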

35

PUF-Based Identification Algorithm

• Tag stores its identifier: ID

• Database stores: ID, $p(\mathrm{ID})$, …, $p^k(\mathrm{ID})$

• Upon reader’s query, the tag
– responds with p(ID)
– updates its ID with p(ID)

• Assumptions
– passive adversaries (otherwise, denial of service possible)
– physical compromise of tags not possible
– reliable PUF

• It is important to have
– a reliable PUF
– no loops in PUF chains
– no identical PUF outputs
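
The identification scheme above as an added sketch, not code from the slides: the hardware PUF is replaced by a software stand-in (a keyed hash with a per-device secret), which is an assumption, as are all class names and sample values. Enrollment records p(ID), …, p^k(ID) and rejects loops and identical outputs; identification accepts each pseudonym once and only in forward order.

```python
import hashlib
import hmac

class SimulatedPUF:
    """Software stand-in for a hardware PUF: a per-device secret makes p() device-unique."""
    def __init__(self, device_secret: bytes):
        self._secret = device_secret
    def p(self, value: bytes) -> bytes:
        return hmac.new(self._secret, value, hashlib.sha256).digest()[:8]

class Tag:
    def __init__(self, tag_id: bytes, puf: SimulatedPUF):
        self.current, self.puf = tag_id, puf
    def query(self) -> bytes:
        """Respond with p(ID), then overwrite the stored ID with p(ID)."""
        self.current = self.puf.p(self.current)
        return self.current

class Database:
    def __init__(self):
        self.index = {}       # pseudonym -> (tag name, position in its chain)
        self.position = {}    # tag name -> last chain position accepted

    def enroll(self, name: str, tag_id: bytes, puf: SimulatedPUF, k: int):
        """Record p(ID), ..., p^k(ID); reject loops and outputs identical to known ones."""
        chain, value = [], tag_id
        for _ in range(k):
            value = puf.p(value)
            if value == tag_id or value in chain or value in self.index:
                raise ValueError("loop or identical PUF output; chain unusable")
            chain.append(value)
        for pos, value in enumerate(chain, start=1):
            self.index[value] = (name, pos)
        self.position[name] = 0

    def identify(self, response: bytes):
        """Map a response to a tag; each pseudonym is accepted once, in forward order."""
        hit = self.index.get(response)
        if hit is None or hit[1] <= self.position[hit[0]]:
            return None
        self.position[hit[0]] = hit[1]
        return hit[0]

if __name__ == "__main__":    # constructed demo values
    puf = SimulatedPUF(b"device-secret-A")
    tag, db = Tag(b"ID-A", puf), Database()
    db.enroll("tag-A", b"ID-A", puf, k=3)
    print([db.identify(tag.query()) for _ in range(4)])  # fourth query exhausts the chain
```

The exhausted chain on the fourth query shows why the slide restricts the scheme to passive adversaries: anyone able to query the tag k times leaves it unidentifiable.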

PUF-Based MAC Algorithms

• MAC based on PUF
– large keys
– cannot support arbitrary messages
– Motivational example: buyer/seller

• Need to protect against replay attacks

• MAC = (K, τ, υ)

K

K

• valid signature σ : υ (M, σ) = 1

• forged signature σ’ : υ (M’, σ’) = 1, M = M’

• Large message set: $\sigma(m) = c, r_1, \ldots, r_n, p_c(r_1, m), \ldots, p_c(r_n, m)$

• Small message set: $\sigma(m) = c, p_c^{(1)}(m), \ldots, p_c^{(n)}(m), \ldots, c+q-1, p_{c+q-1}^{(1)}(m), p_{c+q-1}^{(n)}(m)$

37

Using PUF to Detect and Restore Privacy of Compromised System

1. Detect potential tag compromise
2. Update secrets of affected tags

[Figure: diagram of secrets $s_{i,j}$: $s_{1,0}$ to $s_{1,2}$, $s_{2,0}$ to $s_{2,5}$, $s_{3,0}$ to $s_{3,10}$]