Security and privacy in RFID

Jihoon Cho

ISG PhD Student Seminar

Outline

1

_{RFID Primer}

2

Passive RFID tags

3

Issues on Security and Privacy

4

_{Basic Tags}

5

_{Symmetric-key Tags}

Outline

1

_{RFID Primer}

2

Passive RFID tags

3

Issues on Security and Privacy

4

_{Basic Tags}

5

_{Symmetric-key Tags}

Radio Frequency Identification

RFIDis a family of emerging technologies for automated identification of objects and people, and the system components are

1 _{RFID tag}

attached/embedded to/into items to be identified

transmits data over the air in response to interrogation by an RFID reader consists ofcoupling elementfor communications (and also possibly power supply) andmicrochip

2 _{RFID reader}

forms the radio interface to tags

provides high-level interface to a host computer system to transmit the captured tag data

3 _{Back-end Server}

Radio Frequency Identification

RFIDis a family of emerging technologies for automated identification of objects and people, and the system components are

1 _{RFID tag}

attached/embedded to/into items to be identified

transmits data over the air in response to interrogation by an RFID reader

consists ofcoupling elementfor communications (and also possibly power

supply) andmicrochip

2 _{RFID reader}

forms the radio interface to tags

provides high-level interface to a host computer system to transmit the captured tag data

3 _{Back-end Server}

Active vs. Passive

Active tags Passive tags

Power Source battery powered powered by radio waves

Life limited by battery unlimited

Range up to hundreds of meters up to 3-5m

Current RFID applications

1 _{Supply-chain/inventory management}

Electronic Product Code (EPC) tags (under development) containers and crates/pallets tracking

2 _{Asset-tracking system}

health-care information system (partly currently used) (drug/medicine identification and staff/patient tracking) e-passport (under development)

children and animal (pet) tracking library

baggage handling in airport

3 _{Access control}

proximity card car immobiliser

4 _{Contactless payment system}

RFID becomes ubiquitous

Advantages of RFID

RFID has been originally suggested as a successor to the optical barcode 1 _Automation

- no line-of-sight contact with readers and no human intervention 2 _{Unique identification}

- not only a generic product identifier but an individual serial number

What’s behind RFID

1 _{Efforts of large organisations such as WalMart, US DoD, and etc} 2 _{Tag cost dropping and RFID standardisation}

RFID becomes ubiquitous

Advantages of RFID

RFID has been originally suggested as a successor to the optical barcode

1 _Automation

- no line-of-sight contact with readers and no human intervention

2 _{Unique identification}

- not only a generic product identifier but an individual serial number

What’s behind RFID

1 _{Efforts of large organisations such as WalMart, US DoD, and etc} 2 _{Tag cost dropping and RFID standardisation}

RFID becomes ubiquitous

Advantages of RFID

RFID has been originally suggested as a successor to the optical barcode

1 _Automation

- no line-of-sight contact with readers and no human intervention

2 _{Unique identification}

- not only a generic product identifier but an individual serial number

What’s behind RFID

1 _{Efforts of large organisations such as WalMart, US DoD, and etc}

2 _{Tag cost dropping and RFID standardisation}

Electronic Product Code & EPCglobal

1 _{EPC tag is a Barcode-type RFID device}

2 _{EPCgolbal: an organization set up to achieve world-wide adoption and}

standardization of EPC technology

3 _{EPCglobal is currently working on}

reader and tag communication protocols

middleware between reader and enterprise systems Object Name Service (ONS) with VeriSign

RFID Standards

1 _{Standards for logistic applications}

ISO/IEC 18000 ISO/IEC 15961-15963 ISO/IEC 15418

2 _{Standards for automatic livestock identification}

ISO 11784-11785 ISO14223

3 _{Standards for vicinity coupling cards}

ISO/IEC 10373 ISO/IEC 10536 ISO/IEC 14443 ISO/IEC 15693

4 _{Supply-chain management}

Outline

1

_{RFID Primer}

2

Passive RFID tags

3

Issues on Security and Privacy

4

_{Basic Tags}

5

_{Symmetric-key Tags}

Issues on passive tags

1 _{Passive tagswith very limited memory and logical gates will be mostly deployed}

in mass market

2 _{Most of currentprivacy concernsfocus on applications usingpassive tags, and}

those include

smart check-out in supermarket RFID-enabled banknote medical drugs and luxury goods

human identification through tag injection under skin

3 _{Active tags are assumed to provide strong security and privacy protection with}

Coupling and Frequencies

1 _{Frequency bands}

LF (Low Frequency): 124-135 kHz HF (High Frequency): 13.56 MHz

UHF (Ultra High Frequency): 868/915 MHz MW (Microwave): 2.45 and 5.8 GHz

2 _{Due to process knowncoupling}

Inductive coupling within the near field region Electromagnetic coupling in the far field

Outline

1

_{RFID Primer}

2

Passive RFID tags

3

Issues on Security and Privacy

4

_{Basic Tags}

5

_{Symmetric-key Tags}

Read range issues

1 _{Nominal read range}

maximum distance at which a normally operating reader (with ordinary antenna and ordinary power output) can reliably scan tag data ex. ISO 14443 : 10cm

2 _{Rogue read range}

a determined attacker might still achieve longer distances using larger antenna and/or higher signal transmission power

ex. ISO 14443 : 50cm

3 _{Tag-to-reader eavesdropping read range}

once a tag is powered, a second reader can monitor resulting tag emissions without itself outputting signal

might be longer than rogue read range

4 _{Reader-to-tag eavesdropping read range}

Privacy (I)

Tags respond to reader interrogationwithout alerting their owners or bears, and

most tagsemit unique identifiers

1 _{Location privacy}

pooled several clandestine scans reveals a tag bearer’s whereabout along a tag reading infrastructure

2 _{Data privacy}

certain tags such as EPC tags carry information about items EPC tag bearers are subject to clandestine inventorying

Privacy, however, is not just consumer concerns - ex. military or company supply-chain management

Privacy (I)

Tags respond to reader interrogationwithout alerting their owners or bears, and

most tagsemit unique identifiers

1 _{Location privacy}

pooled several clandestine scans reveals a tag bearer’s whereabout along a tag reading infrastructure

2 _{Data privacy}

certain tags such as EPC tags carry information about items EPC tag bearers are subject to clandestine inventorying

Privacy, however, is not just consumer concerns - ex. military or company supply-chain management

Privacy (I)

Tags respond to reader interrogationwithout alerting their owners or bears, and

most tagsemit unique identifiers

1 _{Location privacy}

pooled several clandestine scans reveals a tag bearer’s whereabout along a tag reading infrastructure

2 _{Data privacy}

certain tags such as EPC tags carry information about items EPC tag bearers are subject to clandestine inventorying

Privacy, however, is not just consumer concerns - ex. military or company supply-chain management

Privacy (II)

1 _{Euro banknote}

in 2001, European Central Bank planed to embed RFID tags into banknote as anti-counterfeiting measure

it seems increasingly implausible due to technical difficulties

2 _{Human-implantable chips}

VeriChipTM_{for health-care information system}

flamed the passion of privacy advocates

3 _E-passport

ICAO (International Civil Aviation Organisation) promulgated the guideline for RFID-enabled passport

the US has mandated the adoption of these standards by ‘VISA-waiver’ countries

Authentication

1 _{Privacyconcerns thatbad readersharvest information fromgood tags, but} authenticationconcerns thatgood readersdetectbad tags

2 _{EPC tags are vulnerable to simple counterfeiting attacks}

3 _{Detect cloning by consistent and centralised data collection, but not always}

possible

Adversary Model

1 _{RFID system issecureandprivatefor what?}

formal model that characterises the capabilities of potential adversaries - as form of agamein cryptography

2 _{We need formulation of weakened security models that accurately reflects}

real-world threatandreal-world tag capabilities

3 _{Multiple communication layers in RFID systems}

cryptographic security models captures top-layer communication protocols between tags and readers

need to consider low layer and physical levels of communications

4 _{Security modelsin literatures}

Okubo, Szuki, and Kinoshita (’03) (symmetric-tags) Juels (’04) - Minimalist security model (basic tags)

Juels and Weis (’06) - Strong privacy model (symmetric-key tags) Avoine (’05)

Outline

1

_{RFID Primer}

2

Passive RFID tags

3

Issues on Security and Privacy

4

_{Basic Tags}

5

_{Symmetric-key Tags}

Killing

1 _{“Dead tags cannot talk”-Kill the TAG}

2 _{Currently in EPC Class-1 Gen-2 tags}

3 _{When an EPC tag receives a kill command from a reader, it renders itself}

permanently inoperative

4 _{Kill command is PIN-protected}

Re-naming approaches : Minimalist

1 _{Tags contain small collection of pseudonyms and release a different one upon}

each reader inquiry

2 _{Throttle tag replies}

to prevent rogue readers rapidly reading out all available pseudonyms of tags in a single sweep, it slows down response for quick interrogations

Re-naming approaches : re-encryption (I)

1 _{Juels and Pappu (’03) proposed public key re-encryption scheme to enhance}

consumer privacy for RFID-enabled banknote

2 _Scheme

law enforcement holds private/public key pair (x , y ) of ElGamal encryption scheme

banknote serial number s encrypted to c = Ey(s)

to prevent malicious tracing, c is periodically re-encrypted to c0

to prevent malicious writing, keyed writing by optical-scanning the banknote

3 _{They introduced the principle that cryptography can enhance tag privacy, even}

Re-naming approaches : re-encryption (II)

1 _{What about if we have multiple key pairs?}

2 _{Including a public key in tags, however, permits certain degree of malicious}

tracking and profiling

3 _{Universal re-encryptionpermits re-encryption without knowledge of the}

corresponding public key in public-key encryption schemes

4 _{Golle et al. (’04) proposed ElGamal-based universal re-encryption} 5 _{It suffers from serious attacks, since it does not preserve integrity}

Re-naming approaches: re-encryption (III)

1 _{Ateniese, Camenisch, and de Medeiros (’05)}

2 _{Insubvertible encryption schemewhich also permits universal re-encrpytion} 3 _{Ciphertext is digitally singed by a CA and permits anyone to verify the authenticity}

of the ciphertext

4 _{To prevent malicious tracing, the ciphertext as well as signature can be}

Proxy approach

Consumers carry their own privacy-enforcing devices (proxies) 1 _{Watchdog tags}

audit system for RFID privacy

monitor ambient scanning of tags and collect information form readers 2 _{RFID GuardianorRFID Enhancer Proxy (REP)}

batter-powered personal RFID firewall

intermediates reader request to tags and selectively simulates tags under its control

can implement sophisticated privacy policies

further research includes how a Guardian or REP should acquire and release control of tags and associated PINs and keys

Proxy approach

Consumers carry their own privacy-enforcing devices (proxies) 1 _{Watchdog tags}

audit system for RFID privacy

monitor ambient scanning of tags and collect information form readers

2 _{RFID GuardianorRFID Enhancer Proxy (REP)}

batter-powered personal RFID firewall

intermediates reader request to tags and selectively simulates tags under its control

can implement sophisticated privacy policies

further research includes how a Guardian or REP should acquire and release control of tags and associated PINs and keys

Distant measurement

1 _{The distance between tags and readers serve as a metric for trust}

2 _{Fishkin, Roy, and Jiang (’04)}

signal-to-noise ratio of reader signal provides rough metric of distance when scanned in a distance, expose little information

Blocking tags

1 _{It jams tree-based anti-collision protocols, thus making impossible to read out}

tags nearby

2 _{As cheap to manufacture, it could be integrated into paper bags}

Outline

1

_{RFID Primer}

2

Passive RFID tags

3

Issues on Security and Privacy

4

_{Basic Tags}

5

_{Symmetric-key Tags}

Assumptions

1 _{Tags are assumed to performkeyed hash functionorhardware efficient}

symmetric encryption scheme(and also often assumed to have a pseudo random number generator)

2 _{We assume a centralised system, where readers have constant access to their}

back-end server

3 _Notations

we have n tags

Authentication

1 _{Simple challenge-response protocol preventscloning} Ti→ R : IDTi

Ti← R : P

Ti→ R : h(ki,P) or ek_i(P)

In practice, resource constraints in commercial tags sometimes leads to deployment of weak cryptographic primitives

2 _{Digital Signature Transponder (DST)}

currently a theft-deterrent in automobiles and SpeedPassTM

use the protocol described above

broken since they expectsecurity through obscurityto overcome short key-length

Authentication

1 _{Simple challenge-response protocol preventscloning}

Ti→ R : IDTi Ti← R : P

Ti→ R : h(ki,P) or ek_i(P)

In practice, resource constraints in commercial tags sometimes leads to deployment of weak cryptographic primitives

2 _{Digital Signature Transponder (DST)}

currently a theft-deterrent in automobiles and SpeedPassTM

use the protocol described above

broken since they expectsecurity through obscurityto overcome short key-length

Authentication

1 _{Simple challenge-response protocol preventscloning}

Ti→ R : IDTi Ti← R : P

Ti→ R : h(ki,P) or ek_i(P)

In practice, resource constraints in commercial tags sometimes leads to deployment of weak cryptographic primitives

2 _{Digital Signature Transponder (DST)}

currently a theft-deterrent in automobiles and SpeedPassTM

use the protocol described above

broken since they expectsecurity through obscurityto overcome short

Reverse-engineering & Side channels

1 _{Reverse engineering}

physical invasive attacks possible

tags are too inexpensive to include temper-resistance mechanism

2 _{Side channels- potentially serious threat in RFID} Timing attacks

- extract information based on variations in the rate of computation of target devices

- over-the-air timing attacks against tags :open research topic

Power analysis attacks

- measure electromagnetic emanation

Reverse-engineering & Side channels

1 _{Reverse engineering}

physical invasive attacks possible

tags are too inexpensive to include temper-resistance mechanism

2 _{Side channels- potentially serious threat in RFID} Timing attacks

- extract information based on variations in the rate of computation of target devices

- over-the-air timing attacks against tags :open research topic

Power analysis attacks

- measure electromagnetic emanation

Relay attacks

1 _{Relay attackis always possible no matter how well designed cryptographic}

protocols in RFID systems and no matter how strong cryptographic primitives are used

2 _{Often security based on assumption - limited read range of tags}

3 _{Attack allows proximity cards to open a door or RFID-based credit cards to effect}

payment from a kilometer away

RFID TAG

!

Leech

L9999K

Ghost

!

RFID Reader

Privacy

1 _Paradox

if a tag emits identifier in challenge-response protocol, no privacy if a reader does not know which tag it is interrogating, it cannot determine which key to use

2 _{Key search: straightforward but heavy solution} tag emits E = fki(P)

reader searches from the space of all keys K = {kj}jfor a key k ∈ K such

that fk(P) = E

3 _{Weis, Sarma, Rivest, and Engel (’03)}

4 _{The computational cost of key-search for the reader islinear in the number of} tags, thus key search is prohibitivelycostlyin large systems

Privacy

1 _Paradox

if a tag emits identifier in challenge-response protocol, no privacy if a reader does not know which tag it is interrogating, it cannot determine which key to use

2 _{Key search: straightforward but heavy solution}

tag emits E = fki(P)

reader searches from the space of all keys K = {kj}jfor a key k ∈ K such

that fk(P) = E

3 _{Weis, Sarma, Rivest, and Engel (’03)}

4 _{The computational cost of key-search for the reader islinear in the number of} tags, thus key search is prohibitivelycostlyin large systems

Privacy

1 _Paradox

if a tag emits identifier in challenge-response protocol, no privacy if a reader does not know which tag it is interrogating, it cannot determine which key to use

2 _{Key search: straightforward but heavy solution}

tag emits E = fki(P)

reader searches from the space of all keys K = {kj}jfor a key k ∈ K such

that fk(P) = E

3 _{Weis, Sarma, Rivest, and Engel (’03)}

4 _{The computational cost of key-search for the reader islinear in the number of} tags, thus key search is prohibitivelycostlyin large systems

Tree approach

1 _{Molnar and Wagner (’04)}

each node (or edge) is associated with a key each tag is assigned to a unique leaf

tag contains the keys defined from a root to the leaf

if we have a depth d and branching factor b, each tag contains d keys and

the scheme accommodates db_{tags in total}

2 _Efficiency

reader can identify a tag by means of a depth-first search of the tree search through at most db keys rather than db_keys

3 _Security

Synchronisation approach

1 _{Suppose that every tag Timaintains a counter ciand the tag outputs E = fk} i(ci) on interrogation

2 _{Provided that a reader knows the approximate value of c}

i, it can store a

searchable table of tag output values, i.e., reader maintains the output values fki(c 0 i),fki(c 0 i +1), · · · , fki(c 0 i+d ), for ci∈ [ci0,c 0 i +d ]

Outline

1

_{RFID Primer}

2

Passive RFID tags

3

Issues on Security and Privacy

4

_{Basic Tags}

5

_{Symmetric-key Tags}