privacy issues in rfid banknote protection schemes
TRANSCRIPT
Radio Frequency Identification (RFID) TechnologyThe Juels–Pappu Banknote Protection Scheme
Privacy Issues in the Juels–Pappu SchemeConclusion
Cardis, August 23-26, 2004
Privacy Issues in RFID Banknote Protection Schemes
Gildas Avoine
EPFL
Lausanne, Switzerland
ÉCOLE POLYTECHNIQUEFÉDÉRALE DE LAUSANNE
Gildas Avoine Privacy Issues in RFID Banknote Protection Schemes
Radio Frequency Identification (RFID) TechnologyThe Juels–Pappu Banknote Protection Scheme
Privacy Issues in the Juels–Pappu SchemeConclusion
Outline
Radio Frequency Identification (RFID) Technology
The Juels–Pappu Banknote Protection Scheme
Privacy Issues in the Juels–Pappu Scheme
Conclusion
Gildas Avoine Privacy Issues in RFID Banknote Protection Schemes
Radio Frequency Identification (RFID) TechnologyThe Juels–Pappu Banknote Protection Scheme
Privacy Issues in the Juels–Pappu SchemeConclusion
Radio Frequency Identification (RFID) Technology
Gildas Avoine Privacy Issues in RFID Banknote Protection Schemes
Radio Frequency Identification (RFID) TechnologyThe Juels–Pappu Banknote Protection Scheme
Privacy Issues in the Juels–Pappu SchemeConclusion
RFID Systems
reader
tag
tag
tag
tag
reader
database
Identification:-1- A reader broadcasts a request in its communication zone.-2- Each tag sends back its answer.-3- The answers are sent to the database.
Gildas Avoine Privacy Issues in RFID Banknote Protection Schemes
Radio Frequency Identification (RFID) TechnologyThe Juels–Pappu Banknote Protection Scheme
Privacy Issues in the Juels–Pappu SchemeConclusion
Emergence of the RFID Technology
The RFID technology is not new, e.g., contactless smartcards werealready RFID devices (public transport, tollways).
The Auto-ID center has been created in 1999 at the MIT in or-der to promote and establish standards on small and cheap RFIDtechnology.
Gildas Avoine Privacy Issues in RFID Banknote Protection Schemes
Radio Frequency Identification (RFID) TechnologyThe Juels–Pappu Banknote Protection Scheme
Privacy Issues in the Juels–Pappu SchemeConclusion
RFID Characteristics
Extremely limited storage and computation capabilities
Not tamper-resistant
No battery
Reader-to-Tag channel: up to 100 meters
Tag-to-Reader channel: up to a few meters
Gildas Avoine Privacy Issues in RFID Banknote Protection Schemes
Radio Frequency Identification (RFID) TechnologyThe Juels–Pappu Banknote Protection Scheme
Privacy Issues in the Juels–Pappu SchemeConclusion
RFID Systems vs Bar-Code Systems
RFID tags could replace the bar-codes in the near future. RFIDtags and bar-codes differ from several points:
A tag can be remotely read without optical access.
Several tags can be read at the same time.
While a bar-code represents a lot of items, an RFID tag hasits own unique identifier.
Gildas Avoine Privacy Issues in RFID Banknote Protection Schemes
Radio Frequency Identification (RFID) TechnologyThe Juels–Pappu Banknote Protection Scheme
Privacy Issues in the Juels–Pappu SchemeConclusion
Applications and Issues
These properties open the door to new applications:
Management of stocks and stocktakings
Speed up the checkouts in the shops
Libraries
Recycling
Anti-counterfeiting
Sensor networks
Pets identification
But they also open the door to new security issues, in particular theproblem of traceability.
Gildas Avoine Privacy Issues in RFID Banknote Protection Schemes
Radio Frequency Identification (RFID) TechnologyThe Juels–Pappu Banknote Protection Scheme
Privacy Issues in the Juels–Pappu SchemeConclusion
The Juels–Pappu Banknote Protection Scheme
Gildas Avoine Privacy Issues in RFID Banknote Protection Schemes
Radio Frequency Identification (RFID) TechnologyThe Juels–Pappu Banknote Protection Scheme
Privacy Issues in the Juels–Pappu SchemeConclusion
Why?
The European Central Bank said (rumor?) it wants to embedRFID tags into Euro notes.
To avoid banknote counterfeiting and to track illicit monetaryflows by authorized parties (e.g. airport controls), such thatbanknotes can not be traced by unauthorized parties.
Gildas Avoine Privacy Issues in RFID Banknote Protection Schemes
Radio Frequency Identification (RFID) TechnologyThe Juels–Pappu Banknote Protection Scheme
Privacy Issues in the Juels–Pappu SchemeConclusion
Who?
Central bank (B) creates the banknotes and... hates forgers
Law enforcement agency (L) aims at tracking illicit monetaryflows
Banknote bearers want to preserve their privacy and......to earn as much money as possible
Merchants want to preserve their clients and therefore theyagree to collaborate to ensure the client’s privacy
Gildas Avoine Privacy Issues in RFID Banknote Protection Schemes
Radio Frequency Identification (RFID) TechnologyThe Juels–Pappu Banknote Protection Scheme
Privacy Issues in the Juels–Pappu SchemeConclusion
How?
Serial number of a banknote is signed by B (anti-counterfeiting)
When requested, the tag of a banknote sends the encryptedvalue of the serial number and not the serial number itself(anti-traceability).
Periodic probabilistic re-encryptions of the serial number areperformed (by the merchants).
Re-encryptions require an optical contact with the banknote:a key, printed on the banknote, is needed to access the contentof the tag.
L can access the content of the tag without this key.
Gildas Avoine Privacy Issues in RFID Banknote Protection Schemes
Radio Frequency Identification (RFID) TechnologyThe Juels–Pappu Banknote Protection Scheme
Privacy Issues in the Juels–Pappu SchemeConclusion
Tags’ requirements
Tags must have an EEPROM consisting of (at least) 780 bits.
Tags must supply the intructions read, write, keyed-read,and keyed-write.
RFIDγ: read / keyed-write δ: keyed-read / keyed-write
Gildas Avoine Privacy Issues in RFID Banknote Protection Schemes
Radio Frequency Identification (RFID) TechnologyThe Juels–Pappu Banknote Protection Scheme
Privacy Issues in the Juels–Pappu SchemeConclusion
Banknote Creation by B
1 Select a serial number S and compute Σ = Sign(SKB,S ||den)
2 Compute an access-key D such that D = h(Σ)
3 Encrypt C = Enc(PKL,Σ||S , r) where r is a random number
4 Put C into γ-cell and r into δ-cell
5 Print S and Σ on the banknote
Optical S Σ
RFIDγ: read / keyed-write δ: keyed-read / keyed-write
C r
Gildas Avoine Privacy Issues in RFID Banknote Protection Schemes
Radio Frequency Identification (RFID) TechnologyThe Juels–Pappu Banknote Protection Scheme
Privacy Issues in the Juels–Pappu SchemeConclusion
Re-Encryption by Merchants
1 Read S and Σ and compute D = h(Σ)
2 Read C and keyed-read r using D
3 Check that Enc(PKL,Σ||S , r) = C
4 Choose randomly a new r and keyed-writes it into δ
5 Compute the new C := Enc(PKL,Σ||S , r) and put it into γ
Optical S Σ
RFIDγ: read / keyed-write δ: keyed-read / keyed-write
C r
Gildas Avoine Privacy Issues in RFID Banknote Protection Schemes
Radio Frequency Identification (RFID) TechnologyThe Juels–Pappu Banknote Protection Scheme
Privacy Issues in the Juels–Pappu SchemeConclusion
Banknote Tracing by L
1 Obtain freely C from cell γ
2 Decrypt C using SKL and obtain Dec(SKL,C ) = Σ||S3 Check whether or not Σ is a valid signature
Optical S Σ
RFIDγ: read / keyed-write δ: keyed-read / keyed-write
C r
Gildas Avoine Privacy Issues in RFID Banknote Protection Schemes
Radio Frequency Identification (RFID) TechnologyThe Juels–Pappu Banknote Protection Scheme
Privacy Issues in the Juels–Pappu SchemeConclusion
Encryption Scheme
Juels and Pappu suggest to use an ElGamal-based encryptionscheme (over elliptic curves).
Let G denote an elliptic-curve-based group with prime orderq and let P be a generator of G. Let SKL = x ∈R Zq be the lawenforcement private key and PKL = Y = xP the correspondingpublic key. A message m is encrypted with the ElGamal schemeunder the random number r as follows:
Enc(PKL,m, r) = (m + rY , rP).
Gildas Avoine Privacy Issues in RFID Banknote Protection Schemes
Radio Frequency Identification (RFID) TechnologyThe Juels–Pappu Banknote Protection Scheme
Privacy Issues in the Juels–Pappu SchemeConclusion
Fujisaki/Okamoto Integration Method
With the Fujisaki/Okamoto secure integration method, a messagem is encrypted with the public key pk as follows:
E ∗(pk ,m) = (E asym(pk , r , h1(r ,m)) , E sym(h2(r),m))
Where
E sym(key ,mes) is a symmetric encryption of mes with key .
E asym(key ,mes, rand) is an asymmetric encryption of meswith key and a random value.
h1 and h2 denote hash functions.
In our case, E asym is the ElGamal encryption scheme and E sym isthe ⊕ operation.
Gildas Avoine Privacy Issues in RFID Banknote Protection Schemes
Radio Frequency Identification (RFID) TechnologyThe Juels–Pappu Banknote Protection Scheme
Privacy Issues in the Juels–Pappu SchemeConclusion
Privacy Issues in the Juels–Pappu Scheme
Gildas Avoine Privacy Issues in RFID Banknote Protection Schemes
Radio Frequency Identification (RFID) TechnologyThe Juels–Pappu Banknote Protection Scheme
Privacy Issues in the Juels–Pappu SchemeConclusion
Attacks
Pickpocketing attack
Denial of service attack
Sleeping and dead banknotes
Cookies threat
Access-key tracing
Data recovery attack
Ciphertext tracing
Gildas Avoine Privacy Issues in RFID Banknote Protection Schemes
Radio Frequency Identification (RFID) TechnologyThe Juels–Pappu Banknote Protection Scheme
Privacy Issues in the Juels–Pappu SchemeConclusion
Access Key Tracing
Goal: Tracing a banknote that the attacker saw once.
Sketch: If the attacker can have an optical contact with thebanknote once then thanks to the access-key D (which is a statickey) he is able to trace the banknote by just trying to readthe δ-cell: the tag responds if and only if the key D is the goodone; we determine so whether or not the banknote is the traced one.
Moral of the story: As soon as a tag owns a unique access-key andresponds if and only if the key sent by the reader is the good one,this key can be used to trace the tag.
Gildas Avoine Privacy Issues in RFID Banknote Protection Schemes
Radio Frequency Identification (RFID) TechnologyThe Juels–Pappu Banknote Protection Scheme
Privacy Issues in the Juels–Pappu SchemeConclusion
Data Recovery Attack
Goal: Obtaining the serial number of the banknote without opticalaccess.
Sketch:
Step 1: Obtaining the access-key D and then the randomnumber r which is stored in the δ-cell;
Step 2: Exploiting a misapplication of the secure integrationmethod of Fujisaki and Okamoto used with a probabilistic en-cryption scheme, in order to recover S and Σ.
Gildas Avoine Privacy Issues in RFID Banknote Protection Schemes
Radio Frequency Identification (RFID) TechnologyThe Juels–Pappu Banknote Protection Scheme
Privacy Issues in the Juels–Pappu SchemeConclusion
Data Recovery Attack (Step 1)
A merchant who is willing to re-encrypt the banknote sends theaccess-key D = h(Σ) (obtained by optical reading): the attackercan just eavesdrop this (static) key (channel from reader-to-tag ismuch easier to eavesdrop than the tag-to-reader channel).
Gildas Avoine Privacy Issues in RFID Banknote Protection Schemes
Radio Frequency Identification (RFID) TechnologyThe Juels–Pappu Banknote Protection Scheme
Privacy Issues in the Juels–Pappu SchemeConclusion
Data Recovery Attack (Step 2)
By (freely) reading the γ-cell, we obtain C = Enc∗(PKL,m, r)where m = Σ||S . We have:
Enc∗(PKL,m, r) = (E asym(pk , r , h1(r ,m)) , E sym(h2(r),m))
= (Enc(PKL, r , h1(r ||m)) , h2(r)⊕mh2(r)⊕m︸ ︷︷ ︸ξ
)
We have Σ||S = ξ ⊕ h2(r) where ξ, r , and h2 are known (r issupplied by Step 1).
Moral of the story: We should never use the Fujisaki/Okamotointegration method with a probabilistic encryption scheme whenthe random value is public.
Gildas Avoine Privacy Issues in RFID Banknote Protection Schemes
Radio Frequency Identification (RFID) TechnologyThe Juels–Pappu Banknote Protection Scheme
Privacy Issues in the Juels–Pappu SchemeConclusion
Ciphertext Tracing (Example)
“Bar X wishes to sell information about its patrons to local Mer-chant Y. The bar requires patrons to have their drivers’ licensesscanned before they are admitted [...].At the same time, Bar Xscans the serial numbers of the RFID tags of banknotes carried byits patrons, [...] Merchant Y similarly records banknote serial num-bers of customers from RFID tags. Bar X sells to Merchant Y theaddress and birth-date data it has collected [...]. In cases where BarX and Merchant Y hold common serial numbers, Merchant Y cansend mailings directly to customers [...].”
Gildas Avoine Privacy Issues in RFID Banknote Protection Schemes
Radio Frequency Identification (RFID) TechnologyThe Juels–Pappu Banknote Protection Scheme
Privacy Issues in the Juels–Pappu SchemeConclusion
Ciphertext Tracing
We consider firstly a milder version of the attack: bar X cannot readthe optical data on the banknotes of his customers. But, he storesin a database all the γ-values (i.e., C = Enc(PKL,Σ||S , r)) thathe is able to collect matched with the name and address of theirhandlers. Merchant Y also reads the γ-values of his clients andstores them. Bar X and merchant Y can merge their databases: ifa γ-value appears in both databases, they can be almost sure thatit is the same client.
Gildas Avoine Privacy Issues in RFID Banknote Protection Schemes
Radio Frequency Identification (RFID) TechnologyThe Juels–Pappu Banknote Protection Scheme
Privacy Issues in the Juels–Pappu SchemeConclusion
Ciphertext Tracing
We consider now a stronger attack: when bar X gives back changeto a client, he re-encrypts banknotes with a fixed random number,denoted r0 also known by merchant Y.
When a customer arrives in Merchant Y’s store, Y reads theγ-values of the customer’s banknotes and computes Σ0 using r0
(thanks to the misapplication of the integation method). He thencomputes D0 = h(Σ0) and tries to read δ with D0; if the tagagrees this means that r0 was the appropriate random number andmerchant Y can be almost sure that this client comes from Bar X.
Note that Merchant Y does not “touch” the banknotes here: hehas just to scan the people when their pass through the store doorfor instance.
Gildas Avoine Privacy Issues in RFID Banknote Protection Schemes
Radio Frequency Identification (RFID) TechnologyThe Juels–Pappu Banknote Protection Scheme
Privacy Issues in the Juels–Pappu SchemeConclusion
Ciphertext Tracing
Moral of the story: Since re-encryptions cannot be performedwith sufficient frequency, it is possible to trace the tags with the(encrypted) RFID values universally readable (even if this attackercannot obtain the plain value).
Note that even with a higher frequency, the attack still remains ifthe re-encryptions are performed by the merchants, and not by theusers themselves.
Gildas Avoine Privacy Issues in RFID Banknote Protection Schemes
Radio Frequency Identification (RFID) TechnologyThe Juels–Pappu Banknote Protection Scheme
Privacy Issues in the Juels–Pappu SchemeConclusion
Conclusion
Gildas Avoine Privacy Issues in RFID Banknote Protection Schemes
Radio Frequency Identification (RFID) TechnologyThe Juels–Pappu Banknote Protection Scheme
Privacy Issues in the Juels–Pappu SchemeConclusion
Conclusion
Several mistakes have been done in the design of this scheme.In this state, the scheme is null and void and should not be used.
The fact that the re-encryption comes from an external entity(and not the tag itself) allow to trace the tag between twocorrect re-encryptions (i.e., performed by honest parties)and brings out potential weaknesses: [Henri, Muller], [Golle,Jakobsson, Juels, Syverson], and [Saito, Ryou, Sakurai]
The fact that a predetermined access-key is used transforms thetag into an oracle which says whether or not it is the tracedtag.
Gildas Avoine Privacy Issues in RFID Banknote Protection Schemes
Radio Frequency Identification (RFID) TechnologyThe Juels–Pappu Banknote Protection Scheme
Privacy Issues in the Juels–Pappu SchemeConclusion
Conclusion (Cont.)
Only few works tried to prove the security or to exhibitweaknesses in the existing RFID protocols.
Formalization of the privacy and of the adversary model.
Gildas Avoine Privacy Issues in RFID Banknote Protection Schemes