Modelling Privacy for Off-line RFID Systems

Flavio GarciaRadboud University Nijmegen

together with Peter van RossumRFIDSec 2009

Outline

• Current RFID privacy models• A new model for off-line RFID systems that

considers reader corruption• Forward and self-stabilizing backwards privacy• Protocols• Conclusions

RFID Systems

Current RFID Models

Permanent secure

connexion

• Juels and Weis (2006)• Vaudenay (2007)•Avoine (2005)

Fwd-Privacy

Fwd-Privacy

Safe Un-SafeTime

Narrow-FWD Private protocol [OSK03]

Many real systems are more complex

Periodicconnexion

What kind of security can still be

guaranteed?

More information

on the readers

Consider off-line systems where readers can be compromised

An adversary is a PPTA with access to the set of oracles O:

• CreateReader(R)• CreateTag(T)• Launch(R)• Send(m,A)• Result()• CorruptTag(T)• Sync()O+ = O {DestroyReader(R)}

Fwd and Bwd-Privacy

Safe Un-Safe

Unachievable!

(Unless extra assumptions are made)

Safe

Forward privacy

Self-stabilizing backwards privacy

Forward and Self-stabilizing Backwards Private Protocol (idea)

new day!BO

K ← h(k’+1)K’ ← h(k’)

K ← h(k)K ← h(k)

MAC using k’K to `talk’ with the readerK’ to `talk’ with the BO

Forward and Self-stabilizing Backwards Private Protocol

Forward and Self-stabilizing Backwards Private Protocol

Verify key update

Improvement

Improving synchronization

But still de-syncs if a reader is compromised

Almost there

Improving synchronization

What to do

Take special measures when a reader is compromised.

Only update k’’s in BO if no reader corruption

Con: this extends the privacy lost by one time slot

Conclusions

• model for (off-line) RFID systems in the presence of reader corruption

• forward and self-stabilizing backwards private protocols that uses only hash functions.

• De-sync resilience