rfid security issues

8/12/2019 RFID Security Issues

1/50

Chapter 1: RFID PrimerChapter 2: Classical Security Issues

Chapter 3: Privacy IssuesChapter 4: Adversarial Model

Lecture April 11th, 2005

RFID Security Issues

Gildas Avoine

Lecture Selected Topics on Security and Cryptography

EPFL, Lausanne, Switzerland

April 2005

(Pictures and videos have been removed from this downloadable version)

CO LE PO LY TECH N IQ U EFDRALE DE LAUSANNE

Gildas Avoine RFID Security Issues 1 / 50


2/50



Boom of the RFID Technology

Google outputs10800000links related to RFID.

More than 40 research papers related to security in RFIDsystems published between 2002 and 2005.

In 2004, Kevin Ashton, Co-founder of the Auto-ID Center,predicted that more thanhalf trilliontags would be consumedannually by 2010.

Every magazine or daily newspaper publishes articles on RFIDtechnology.



3/50



RFID in the press




4/50



First Questions

Who knows precisely what is the RFID technology?

What is the goal of the RFID technology?

Is it a new technology?

What are the capabilities of this technology?

What is the link between RFID and security?

What about privacy?


Ch 1 RFID P i


5/50



Outline

Chapter 1: RFID Primer

Chapter 2: Classical Security Issues

Chapter 3: Privacy Issues

Chapter 4: Adversarial Model


Ch t 1 RFID P i


6/50







7/50



RFID Systems

Radio Frequency Identification: Identification of objects remotelyby embedding in these objects tiny devices (tags) capable of trans-mitting data.

reader

tag

tag

tag

tag

tag

database

Security analysis considerdatabaseandreaderas a unique entity.




8/50



Current Trend

The RFID technology is not new e.g. military applications (fromseveral decades),commercial applications(from several years).

communication distance

computation

storage

symmetric

asymmetric

nothin

g

xor

verycheaptag

scheap

tags

The boom which RFID technology is enjoying today relies essen-tially on the willingness to developsmallandcheapRFID tags.




9/50



General Sketch

Most of the RFID protocols rely on a 3-round protocol.

request

TagSystem

information to identify the tag

additional message




10/50



RFID Characteristics

Frequency

Extremely limited storage and computation capabilities

No battery

Not tamper-resistant

Low cost




11/50

C pChapter 2: Classical Security Issues


Existing Tags





12/50

pChapter 2: Classical Security Issues


Applications

Management of stocks (Wal-Mart, Gillette, etc.)

Libraries (Santa Clara Library, University of Nevada, etc.)

Anti-counterfeiting

Pets identificationRecycling

Sensor networks (Michelins tyres, etc.)

Automobile ignition keys (Texas Instruments, etc.)

Localization of people (Amusement parks, etc.)




13/50

Chapter 2: Classical Security IssuesChapter 3: Privacy Issues


Authentication vs identification

Authentication: we want to be sure that we speak with the correctparty (proof required)

Identification: we want to know with who we speak (no proof re-quired)


Chapter 1: RFID PrimerC 2 C S


14/50



Chapter 2: Classical Security Issues


Chapter 1: RFID PrimerCh t 2 Cl i l S it I /


15/50



Security Threat 1/5

Physical denial of service: the attacker interferes on the frequencyband.

reader


Chapter 1: RFID PrimerCha ter 2: Classical Sec rity Iss es


16/50



Communication Model

physical

application

session

network

data link

presentation

transport

physical

application

communication

OSI RFID


Chapter 1: RFID PrimerChapter 2: Classical Security Issues S i Th 2/5


17/50



Security Threat 2/5

Denial of service in the communication layer:

reader

Who are you?0101

0100

1101

0111

1001

The computational power of the tags is very limited and they areunable to communicate with each other:

the reader must deal with the collision avoidance itself.



P b bili i C lli i A id


18/50



Probabilistic Collision Avoidance

The access to the communication channel is split into timeslots (slotted Aloha).

The number of slots is chosen by the reader which informs thetags they will have n slots to answer.

Each tag randomly chooses one slot among the n and respondswhen its slot arrives.

Collisions can occur.

In order to recover the missing information, the reader interro-

gates the tags one more time, possibly with a larger n.



D i i i C lli i A id


19/50



Deterministic Collision Avoidance

Deterministic protocols are based on a binary tree search which

represents the identifiers of the tags.

0 1

1010

0 1

1010

0 1

10101010

0 1 0 1

0 1

0 1

An attacker can simulate the whole tree. Blocker tags [JRS03]usethis technique to enforce privacy.


Chapter 1: RFID PrimerChapter 2: Classical Security Issues Security Threat 3/5


20/50



Security Threat 3/5

Destruction of tags: physical destruction, kill key, etc.

reader




21/50

p yChapter 3: Privacy Issues


Security Threat 4/5

Hiding the tags: Faraday cage, sleep key, etc.

reader




22/50


Security Threat 5/5

Impersonation of tags:

request

TagSystem


additional message

Easy if the information sent by the tag isstatic. Require totamperwiththe tag otherwise.


Chapter 1: RFID PrimerChapter 2: Classical Security Issues Example of Practical Attack 1/2


23/50


Example of Practical Attack 1/2

Attack of Bono et al. [BGSJRS05] against the Digital SignatureTransponder manufactured by Texas Instrument, used in automobileignition key (there exist more than130 millionssuch keys).

Key (RFID)Carr

kE (r)

Cipher (not public) uses 40 bit keys: active attack in less than 1minute(time-memory trade-offs)



Ch 3 P i I Example of Practical Attack 2/2


24/50


Example of Practical Attack 2/2




Ch t 3 P i I Moral of the Story


25/50


Moral of the Story

Cheap RFID tags (which are not tamper-resistant) are not suitedto authentication! Strong security has a cost!

Marketing pressure implies trade-off between security and cost.

Ratio cost / benefit e.g. we can not use a unique key in all the tagsbecause the cost is negligible compared with the benefit.





26/50





Chapter 3: Privacy Issues Threats on the Tags Bearers


27/50


eats o t e ag s ea e s

Privacy

Information Traceabilityleakage

Information leakage: The tag reveals some information related tothe object holder.

Traceability: An adversary could track the tag, and therefore itsbearer.



Chapter 3: Privacy Issues Privacy


28/50


y

Easier to track with RFID than other technologies

e.g. video, credit cards, GSM.Tags cannot beswitched-off

Tags can be almostinvisible

Easy toanalyze the logsof the readers (e.g. data mining)

Increasing of thecommunication range

Companies suffer from boycott campaigns



Chapter 3: Privacy Issues Solutions


29/50


Physical solutionse.g. Faraday cages, blocker tags, kill the

tag

Software solutionsbased on Cryptographic protocols

How designing an RFID protocol such that only anauthorized party is able toidentifya tag while an ad-versary is not able totrackit?



Chapter 3: Privacy Issues Protocols Sketches


30/50

p yChapter 4: Adversarial Model

Protocols forvery cheaptags

nocryptographic function in the tags (only xor)

Protocols forcheaptags

symmetriccryptographic functions in the tags



Chapter 3: Privacy Issues Very Cheap Tags


31/50

p yChapter 4: Adversarial Model

request

TagSystem


information to refresh the identifier

The information must be indistinguishable from a random valueThe information need to be refreshed each time the tag is

requestedAll these (analyzed) protocols suffer from weaknesses



Chapter 3: Privacy Issues Example of weak protocol


32/50


[GJJS04]based on a universal re-encryptionscheme i.e. a scheme

where re-encryptions of a messagemare performed neither requiringnor yielding knowledge of the public key.LetEbe the ElGamal encryption scheme, and Ube the correspond-ing re-encryption scheme, we have U(m) := [E(m); E(1G)]. Let qbe the order ofG, and ga generator.

Key generation: private key x Zand public key y=gx.

Encryption: let (r0, r1) be a random element picked in Z2q.

U(m) = [(0, 0); (1, 1)] = [(myr0 , gr0 ); (yr1 , gr1 )].

Decryption: given the ciphertext [(0, 0); (1, 1)], if

0,0,1,1 Gand 1/x1 = 1, then the plaintext is 0/x0 .

Re-encryption: let (r0, r1) be a random element picked in Z

2q.

The re-encrypted value of a ciphertext [(0, 0); (1, 1)] is

[(0r01, 0

r01); (

r11,

r11)].



Chapter 3: Privacy IssuesCh 4 Ad i l M d l

Protocol


33/50


request

System Tag

[(0, 0); (1, 1)]

[(0r01 , 0

r01 ); (

r11 ,

r11 )]

If an attacker sends a fake re-encrypted identifier to the tag, thedatabase will not be able to identify the tag in the future.

[GJJS04] claims that this attack does not allow the tag to betraced, at the most it will harm the normal functioning of thesystem.

Attacks in[SRS04]and[Avo05].



Chapter 3: Privacy IssuesCh t 4 Ad i l M d l

Cheap Tags


34/50


System

request

Tag

kE (r), r

The key k is the identifier of the tag. The second message mustbe indistinguishable (by an attacker) from a random value. Thusthe protocol can be proven to be secure.

The main difference with well-known authentication protocols is

that the system does not know with which party it speaks with andtherefore does not know which key k it should use.

The system carries out an exhaustive search over all the symmetrickeys it stores.


Chapter 1: RFID PrimerChapter 2: Classical Security IssuesChapter 3: Privacy Issues


First Issue: Past Events


35/50


Problem: If an attacker is able to tamper with the tag, she can

track its past events.

Exercise: Propose a protocol which thwarts this problem. Insteadof using an encryption function, use hash chains.




Second Issue: Complexity


36/50


System

request

Tag

kE (r), r

We assume that the system manages n tags.k is the same for all tag:

To identify one tag: O(1)

kis different for each tag:

To identify one tag: O(n)

To identify the whole system i.e. n tags: O(n2)




Complexity Improvements


37/50


[OSK04]degrades the privacy compared with[OSK03]: if an

attacker can tamper with the tag, she can track (a givennumber of) its past events.

[AO05] improved[OSK03]: it does not degrade privacy but

requires memory and pre-computations.

[MW04]reduces the complexity of the identification of onetag from O(n) to O(log n)but...




Molnar and Wagner


38/50


ID2ID1

ID5

ID7

ID3 ID4

ID6

Identification of one tag: O(log n) requests, O(log n) identifiersstored in the tag, O(log n)decryptions.




Molnar and Wagner


39/50

C apte : Adve sa a ode

Exercise:

1 Why can we say that this technique degrades the privacy?

2 How can an attacker track tags probabilistically?





40/50

p





Modeling the System


41/50

reader

tag

tag

tag

tag

tag

database

The sources of information which can benefit an adversary are lim-ited to the channels between the reader and the tag i.e., forwardchannelandbackward channel, as well as the contents of themem-ory of the tag.




Information Channels


42/50

Backward Channel

Forward Channel

Reader Adversary Tag

Memory Channel




Means of the Adversary


43/50

Query(iT,m): A requestsTthrough the forward channel and

sending him the message m after having received its answer.Send(jR,m): Asends the message m to R through the back-ward channel and receiving its answer.

Execute(iT, jR): A executes an instance ofP betweenT and

R, obtaining so the messages exchanged on both the forwardand the backward channels.Reveal(iT): Aobtains the content ofTs memory channel.

Reader

information

data to refresh the information

Tag

request




Goal of the Adversary


44/50

After having interacted with a target tag Tand possibly some read-ers and thus obtaining aninteractionI(T), an adversary Aneedsto find his target among two tags T1 and T2 which are presentedto him. In order to do this, he can query both T1 and T2, thusobtaining two interactions I1 (T1) and I2 (T2).

T2T1

R

A outputs T {T1, T2}

I1 (T1)

{S}

I2 (T2)

{Q, E, R}TinteractionI(T)




Advantage


45/50

Theadvantageof the adversary for a given protocol P is:

AdvUNTP (A)= 2 Pr(T =T) 1

IfAs advantage is negligible,Pis said to beUNT-Osecure, whereO {Q, S,E,R}.




Relations


46/50

One can mix and match thegoals {Existential-UNT, Forward-UNT,Universal-UNT} of the adversary and hismeans O {Q,S, E,R}.

(O,O {Q,S, E,R},O O) = (UNT-O UNT-O)

Existential-UNT Forward-UNT

Universal-UNT

UNT-QSER

UNT-QSE

UNT-E

UNT-Q




Results


47/50

Protocol is is not

Golle et al. Existential-UNT-Q

Existential-UNT-E

Saito et al. Existential-UNT-Q

Saito et al., reloaded Universal-UNT-QS

Henrici and Muller Existential-UNT-Q

Universal-UNT-QE

Weis et al. Existential-UNT-QSE Forward-UNT-QSER

Ohkubo et al. Existential-UNT-QSE

Forward-UNT-QSER





48/50

Conclusion




Current Works


49/50

Design of not too bad RFID protocols suited to very cheaptags.

Reduction of the complexity of the RFID protocols suited tocheap tags.

Formalization of the notion ofprivacy.




Further Readings


50/50

Sanjay Sarma, Stephen Weis, and Daniel Engels. RFIDsystems and security and privacy implications.

David Molnar and David Wagner. Privacy and Security inLibrary RFID: Issues, Practices, and Architectures.

Miyako Ohkubo, Koutarou Suzuki, and Shingo Kinoshita.Cryptographic Approach to Privacy-Friendly Tags.

Gildas Avoine. Adversarial Model for Radio Frequency Identi-

fication.

http://lasecwww.epfl.ch/gavoine/rfid/

http://lasecwww.epfl.ch/~gavoine/rfid/http://lasecwww.epfl.ch/~gavoine/rfid/http://lasecwww.epfl.ch/~gavoine/rfid/http://lasecwww.epfl.ch/~gavoine/rfid/

rfid security issues

Documents