modelling privacy for off-line rfid systems
DESCRIPTION
Modelling Privacy for Off-line RFID Systems. Flavio Garcia Radboud University Nijmegen together with Peter van Rossum RFIDSec 2009. Outline. Current RFID privacy models A new model for off-line RFID systems that considers reader corruption Forward and self-stabilizing backwards privacy - PowerPoint PPT PresentationTRANSCRIPT
Modelling Privacy for Off-line RFID Systems
Flavio GarciaRadboud University Nijmegen
together with Peter van RossumRFIDSec 2009
Outline
• Current RFID privacy models• A new model for off-line RFID systems that
considers reader corruption• Forward and self-stabilizing backwards privacy• Protocols• Conclusions
RFID Systems
Current RFID Models
Permanent secure
connexion
• Juels and Weis (2006)• Vaudenay (2007)•Avoine (2005)
Fwd-Privacy
Fwd-Privacy
Safe Un-SafeTime
Narrow-FWD Private protocol [OSK03]
Many real systems are more complex
Periodicconnexion
What kind of security can still be
guaranteed?
More information
on the readers
Consider off-line systems where readers can be compromised
An adversary is a PPTA with access to the set of oracles O:
• CreateReader(R)• CreateTag(T)• Launch(R)• Send(m,A)• Result()• CorruptTag(T)• Sync()O+ = O {DestroyReader(R)}
Fwd and Bwd-Privacy
Safe Un-Safe
Unachievable!
(Unless extra assumptions are made)
Safe
Forward privacy
Self-stabilizing backwards privacy
Forward and Self-stabilizing Backwards Private Protocol (idea)
new day!BO
K ← h(k’+1)K’ ← h(k’)
K ← h(k)K ← h(k)
MAC using k’K to `talk’ with the readerK’ to `talk’ with the BO
Forward and Self-stabilizing Backwards Private Protocol
Forward and Self-stabilizing Backwards Private Protocol
Verify key update
Improvement
Improving synchronization
But still de-syncs if a reader is compromised
Almost there
Improving synchronization
What to do
Take special measures when a reader is compromised.
Only update k’’s in BO if no reader corruption
Con: this extends the privacy lost by one time slot
Conclusions
• model for (off-line) RFID systems in the presence of reader corruption
• forward and self-stabilizing backwards private protocols that uses only hash functions.
• De-sync resilience