Enabling Secure Secret Updating for Unidirectional Key Distribution in
RFID-Enabled Supply Chains
Shaoying Cai1, Tieyan Li2, Changshe Ma1, Yingjiu Li1, Robert H. Deng1
1 Singapore Management University (SMU)
2 Institute for Infocomm Research (I2R)
15 Dec. 2009
ICICS 2009, Beijing, China
ICICS’09 - RFID Security
Outline
• Introduction
• The problem
– Security requirements in RFID-enabled supply chains
– Secret sharing approach and JPP mechanism
– Our observations
• The protocol
– Secure secret updating protocol
– Security properties
– Comparisons
– Implementation considerations
– Security proof
• Conclusions
Introduction
• RFID systems
• RFID technology has greatly facilitated supply chains.
– All the evidence (standardizations; big promoters, adopters, …) shows a new age is coming.
– Security, visibility and efficiency are three equally important requirements.
Reader (transceiver): reads data off the tags without direct contact
Radio signal (contactless): range from 3-5 inches to 100 yards
Database: matches tag IDs to physical objects
Tags (transponders): attached to objects, “call out” identifying data on a special radio frequency
Perfect working conditions for attackers!
RFID-Enabled Supply Chain
• Increase visibility
• Lower uncertainty
• Prevent loss
• Reduce counterfeiting
• Improve efficiency
Source: Lyngsoe
The problem
• Usually, EPC tags are used in supply chains
– They are extremely cheap, so no true cryptographic functionality can be implemented.
– Maintaining a synchronized and ubiquitous database is truly hard.
– Thus, almost all privacy-enhanced authentication protocols (more than hundreds) fail on practicability.
• Only explicit EPC privacy feature: Kill
– On receiving the tag-specific Kill PIN, the tag self-destructs.
– Who will own these Kill PINs? Or who will kill the tags, at the end of the supply chain or the end users?
• But supply chain partners:
– Don’t want to manage Kill PINs, and how?
– Have no channel to communicate secret keys downstream in the supply chain.
• Key distribution is an essential problem!
Supply chain characteristics
• An RFID-enabled supply chain typically features:
– No pre-existing trust relationship: a case might come from or go to any non-trusted party.
– Unidirectional downsizing: de-packing and re-packing into smaller-sized aggregates at downstream parties.
– Compulsory processing orders: only dispersion, no combination
Upstream Party
Downstream Parties
De-packing, Re-packing, Current Owner
A case with 10x10 items
Secret sharing approach
Idea: Apply secret sharing to spread a secret key across multiple tags, e.g., (s1, s2, s3, …)
• Collecting enough shares can recover the key
• Individual shares / small sets reveal no information
JPP mechanism (Juels et al. Usenix Sec. 08)
• Encrypt tag data under secret key
• Apply secret sharing to spread key across tags in case, e.g., (s1, s2, s3, …)
Tags: E (m1), s1; E (m2), s2; E (m3), s3
Example tag data: Supersteroids 500mg; 100 count; Serial #87263YHG; Mfg: ABC Inc.; Exp: 6 Mar 2010
JPP mechanism (Juels et al. Usenix Sec. 08)
SWISS (Sliding Window Information Secret-Sharing)
[Figure: sliding windows over shares s1 … s6 and indices 1 … 6; each window is labelled “Given 2 out of 4 si, get corresponding i”]
Our observations
• JPP mechanism is vulnerable to tracking:
– A tag Ti always sends the same reply (Si, Mi) to any reader who queries it. Although an adversary may not get enough shares to decrypt the content of the tag, the never-changing reply can be used by the adversary to track the tag.
• JPP mechanism is vulnerable to counterfeiting:
– As the publicly accessible message (Si, Mi) is used for a reader to identify the tag Ti, an adversary can easily fabricate a tag that also sends (Si, Mi), and replace the tagged item with the fabricated tag.
• JPP mechanism features a monopolistic key assignment model:
– A monopoly (typically the manufacturer of the goods) pre-assigns all the keys (shares) to the tags according to a fixed secret sharing scheme with conjectured parameters.
– The one-size-fits-all solution restricts the realistic deployment of the JPP mechanism.
Secret updating protocol
• JPP mechanism
– A tag Ti stores (Si, Mi) only.
– Where Si is the share of Ti and Mi is the (encrypted) information carried on the tag.
• Our protocol
– A tag Ti stores (Si, Mi, ci).
– Where ci is the individual secret key of Ti, derived from the common secret k, for the purpose of authenticating the reader.
• During updating
– Old secret key k is replaced with a new secret key k′;
– Old (t, n) threshold scheme is replaced with a new (t′, n′) scheme, according to new requirements;
– Old share Si is replaced with new share S′i;
– Old values (Si, Mi, ci) of a tag Ti are updated with new values (S′i, M′i, c′i).
Secret updating protocol
Security properties
• Authoritative access to RFID tags
– The security of the secret update protocol relies on the confidentiality of the shared secret ci.
– Given an update message (A, B, C), only the one who knows the value of ci can obtain the new values (S′i, M′i, c′i).
• Authenticity of tags
– A tag Ti is authenticated with any privacy-enhanced authentication scheme (e.g., a challenge-response authentication protocol).
• Forward secrecy
– A tag Ti is updated with new values (S′i, M′i, c′i), which are totally independent of its previous values (Si, Mi, ci).
• Untraceability
– The protocol messages are updated in different sessions.
– However, an active adversary may be able to correlate identifiers (Si or S′i).
Comparison
[4] A. Juels, R. Pappu, and B. Parno, Unidirectional key distribution across time and space with applications to RFID security. USENIX Security’08.
[10] Y. Li and X. Ding, Protecting RFID Communications in Supply Chains. ASIACCS’07.
[11] David Molnar and David Wagner. Privacy and Security in Library RFID: Issues, Practices, and Architectures. ACM CCS 2004.
[12] Miyako Ohkubo, Koutarou Suzuki, and Shingo Kinoshita. Efficient Hash-Chain Based RFID Privacy Protection Scheme. Ubicomp 2004.
Implementation considerations
• JPP mechanism implemented a (15, 20) threshold secret sharing scheme.
– For 20 available tags, a reader needs to collect at least 15 tags’ shares to successfully recover the secret key and decrypt the encrypted information.
– It employs an “Alien Squiggle” Gen2 tag, of which 16 bits are used for storing a single share and 80 bits are used for storing the encrypted identity.
– WORM memory (Write-once, Read-many times) is required.
• In our protocol, (Si, Mi) is replaced with (S′i, M′i, c′i), which requires additional memory space for storing the c′i message
– It is equivalent to 160 bits and can be put into the “User” memory bank.
– Rewritable memory; perhaps needs an “access password” to access the memory.
– The access password can be derived from the decrypted key “k”.
• How to determine the threshold in real applications?
– Less than a certain upper bound, to maximally tolerate reading or erasure errors
– Greater than a certain lower bound, to guarantee robustness in recovering the key
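The (15, 20) threshold behaviour above and the replacement of k and (t, n) by k′ and (t′, n′) from the "Secret updating protocol" slide, as an added example that is not from the original slides. It uses textbook Shamir sharing over a prime field instead of the 16-bit shares of the JPP implementation; the field size, the HMAC-SHA1 derivation of ci and the function names are assumptions, and the update messages (A, B, C) are not modelled.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1  # prime field modulus (assumption; JPP tags store 16-bit shares)

def split(secret, t, n):
    """Shamir (t, n) sharing: random degree t-1 polynomial f with f(0) = secret."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    def f(x):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation mod P
            acc = (acc * x + c) % P
        return acc
    return [(i, f(i)) for i in range(1, n + 1)]  # share S_i for tag T_i

def recover(shares):
    """Lagrange interpolation at x = 0; correct only with >= t distinct shares."""
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret

def tag_key(k, i):
    """Hypothetical derivation of the per-tag key c_i from the common secret k."""
    return hmac.new(k.to_bytes(16, "big"), i.to_bytes(2, "big"), hashlib.sha1).digest()

def update_case(old_shares, t, new_t, new_n):
    """Current owner reads >= t tags, recovers k, then re-keys a smaller aggregate.

    k' is drawn fresh, so the new shares and per-tag keys do not depend on the
    old ones (the forward-secrecy property claimed on the slides).
    """
    if len(old_shares) < t:
        raise ValueError("not enough shares to recover k")
    k = recover(old_shares[:t])
    new_k = secrets.randbelow(P)
    new_shares = split(new_k, new_t, new_n)          # S'_i under (t', n')
    new_keys = {i: tag_key(new_k, i) for i, _ in new_shares}  # c'_i
    return k, new_k, new_shares, new_keys

if __name__ == "__main__":
    k = secrets.randbelow(P)
    case = split(k, 15, 20)                  # upstream party: (15, 20) as in JPP
    print(recover(case[:15]) == k)           # 15 readable tags: key recovered
    print(recover(case[:14]) == k)           # 14 tags: interpolation gives a wrong value
    _, k2, small, keys = update_case(case[2:17], 15, 3, 5)  # re-pack as (3, 5), constructed parameters
    print(recover(small[1:4]) == k2, len(keys[1]) * 8)
```

With fewer than t shares `recover` does not fail; it returns an unrelated field element, which is why the threshold has to sit above a lower bound for security and below an upper bound that still tolerates unreadable tags.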
Security proof (sketch)
1. The privacy game:
   1. Setup phase: the game initializes the RFID system.
   2. Learning phase: the adversary A performs a series of queries to enlarge its knowledge base about the RFID system.
   3. Challenge phase: the adversary A chooses two tags. Then, a tag is chosen by randomly updating one of the two tags. After this, the updated tag is given to the adversary as a challenge tag, which the adversary must distinguish from the original two tags.
2. We conclude that an RFID system is private if there exists no probabilistic polynomial-time adversary A whose advantage in winning the privacy game is non-negligible.
3. We then prove that the secret sharing scheme is private.
4. Theorem: the proposed RFID protocol is private if the underlying secret sharing scheme is private.
Conclusions
• We tackle the key distribution problem in RFID-enabled supply chains.
• We investigate the secret sharing approaches and particularly the JPP mechanism.
• We propose a secure and flexible secret updating protocol to improve the original JPP mechanism.
• Our protocol provides sound security properties, desirable flexibility and proven privacy.
• However, our protocol requires more powerful tags to pay for the additional security and functionality.
• Future points: Verifiable Secret Sharing; Confidentiality + Access Control; Real experiments/deployments; etc.
Q & A ?
Contact: [email protected] (for Post-doc position)
Web: http://icsd.i2r.a-star.edu.sg/staff/tieyan/SecureRFID
Call for participants: RFIDsec’10 Asia, 22-23 Feb. 2009, Singapore
Thank you!