• Nem Talált Eredményt

RFID privacy

N/A
N/A
Protected

Academic year: 2023

Ossza meg "RFID privacy"

Copied!
23
0
0

Teljes szövegt

(1)

RFID privacy

Foundations of Secure e-Commerce (bmevihim219)

Dr. Levente Buttyán Associate Professor BME Híradástechnikai Tanszék Lab of Cryptography and System Security (CrySyS) buttyan@hit.bme.hu, buttyan@crysys.hu

Outline

- RFID applications - RFID architecture

- security and privacy threats

- prevention of tracking at the application layer

- privacy problems at lower layers

(2)

RFID privacy © Buttyán Levente, Híradástechnikai Tanszék 3

Budapesti Műszaki és Gazdaságtudományi Egyetem

Introduction

ƒ RFID = Radio-Frequency Identification

ƒ allows us to identify objects or subjects with neither physical nor visual contact

• need to place a transponder on or in the object and query it remotely using a reader

ƒ RFID technology is fundamentally not new

• identify-friend-or-foe system of the Royal Air Force in WWII to distinguish allied aircrafts from enemy aircrafts

• motorway tolls, ski lifts, identification of livestock and pets, automobile ignition keys …

ƒ RFID is becoming interesting due to the ability to develop very small and cheap transponders called “electronic tags”

• offer only weak computation and storage capabilities

• passively powered by the reader’s electromagnetic field

• communication distance is relatively short (a few meters)

• when outside of the reader’s field, tags are inert

• low cost, small size Æcan be deployed at very large scale

• pose new security and privacy problems!

Example applications

ƒ access control

• current access control systems in buildings often use RFID- based wireless tokens, e.g., cards or badges

ƒ RFID in the automobile sector

• keyless entry using a key fob that contains an active RFID tag

• passive entry systems automatically unlock doors when the driver carrying a passive RFID tag approaches the car

• appeared recently, e.g., on Renault Laguna, Mercedes-Benz S- class, CL-class, and Toyota Lexus LS430

• many car keys have an RFID device integrated into them which activates the fuel injection system (anti-theft measure)

• car keys can be replaced with cards that stay in the drivers

pocket

(3)

RFID privacy © Buttyán Levente, Híradástechnikai Tanszék 5

Budapesti Műszaki és Gazdaságtudományi Egyetem

Example applications (cont’d)

ƒ

supply chain

• the idea is to replace barcodes with low cost RFID tags

• advantages

• tags can be scanned quickly in large quantities

• no need for visual channel

• tags can be placed right on or in objects, instead of the packaging

• tags may contain unique identifiers for individual objects

• facilitates management of objects throughout the entire supply chain (manufacturing, storage, distribution, … )

• stock and inventories in supermarkets and warehouses is a primary application domain (e.g., Wal-mart, Metro, Migros, …)

ƒ

RFID in libraries

• a tag in each volume makes borrowing and returning books easier

• inventories can be carried out without taking books from the shelves

• examples: K.U. Leuven (Belgium), Santa Clara (United States), Heiloo (Netherlands), Richmond Hill (Canada), …

Example applications (cont’d)

ƒ

subdermal tags

• RFID based identification of domestic animals is done routinely today

• identification of people ???

• nightclubs (e.g., Baja Beach Club, Barcelona)

• VIPs (e.g., members of a special organization)

• prisoners

ƒ

electronic IDs (passports, ID cards)

• already in use today

• chip in the passport contains biometric information of the bearer

ƒ

electronic payments systems

• electronic toll collection (e.g., EZ Pass)

• automated fare collection (AFC) in public transport systems

• contactless payment cards (e.g., Mastercard PayPass)

(4)

RFID privacy © Buttyán Levente, Híradástechnikai Tanszék 7

Budapesti Műszaki és Gazdaságtudományi Egyetem

Applications in the future

ƒ smart and easy shopping

• fast check-out at point-of-sale terminals

• terminal reads all tags in the shopping cart in a few seconds

• payment can be speeded up using contactless credit cards

• return items without receipt

• no need to keep receipts of purchased items

• tracking faulty or contaminated products

• object IDs can serve as indices into purchase records

• one can easily list all records that contain IDs belonging to a particular set of products and identify consumers that bought those products

ƒ smart household appliances

• washing machine can select the appropriate program by reading the tags attached to the clothes

• refrigerator can print shopping lists automatically or even order food on-line

ƒ interactive objects

• consumers can interact with tagged objects through their mobile phones acting as an RFID reader (NFC – Near Field Communications technology)

• the mobile phone can download and display information about scanned objects (e.g., movie poster, furniture, etc.)

RFID system architecture

ƒ RFID system elements

• RFID tags + RFID reader(s) + back-end infrastructure

ƒ RFID tag = microcircuit + RF antenna

request

response (ID) ID

reader tags

back-end infrastructure and

processing RF communications

(5)

RFID privacy © Buttyán Levente, Híradástechnikai Tanszék 9

Budapesti Műszaki és Gazdaságtudományi Egyetem

RFID tag characteristics

ƒ

power

• active tags have their own battery

• passive tags have no internal energy source

• obtain energy from the reader’s electromagnetic field

• reflect reader’s RF signal and modulate it with information to be sent

• semi-passive tags have battery but use it only for internal calculations

• power for communication is obtained from the reader

ƒ

communication range

• depends on frequency and transmission power

• low frequency (LF) and high frequency (HF) tags: few decimeters

• ultra-high frequency (UHF) tags: several meters

• note: by using specific antennas and transmission powers above the legal limits, we can largely surpass these ranges

• note: information sent by a reader (forward channel) can be

captured at a distance far superior than that sent by a tag (backward channel)

RFID tag characteristics (cont’d)

ƒ

memory

• tags contain a minimum number of memory bits to store their identifier (between 32 and 128 bits)

• depending on the target application, tags can have ROM, EEPROM, RAM or SRAM

• electronic anti-theft devices (EAS, Electronic Article Surveillance) that can be found on many items, require only one bit (enabled EAS / not enabled EAS)

• they do not really allow object identification, only detection

ƒ

computing power can vary in a wide range:

• no computational capabilities, only memory that can be remotely accessed

• only simple logical operations (e.g., XOR and AND)

• a few thousand logical gates that allow for symmetric key encryption and hash

• more evolved tags could use asymmetric key crypto, but those are

expensive

(6)

RFID privacy © Buttyán Levente, Híradástechnikai Tanszék 11

Budapesti Műszaki és Gazdaságtudományi Egyetem

RFID tag characteristics (cont’d)

ƒ physical characteristics

• typically antenna size determines the size of the tag

• antenna size depends on the communication range and frequency

• smallest tag today is µ-tag from Hitachi (~0.4 mm)

ƒ tamper resistance

• infeasible for low cost tags (low cost ~ few Euro cents)

Some specific examples

(7)

RFID privacy © Buttyán Levente, Híradástechnikai Tanszék 13

Budapesti Műszaki és Gazdaságtudományi Egyetem

Various RFID tags

Logistic and industry

Key fob CD label

Nail tag Life stock and pets

Logistic and industry (naked)

Various RFID readers

(8)

RFID privacy © Buttyán Levente, Híradástechnikai Tanszék 15

Budapesti Műszaki és Gazdaságtudományi Egyetem

Related standards

ƒ ISO

• 14443: proximity cards (A – Mifare, B – Calypso)

• 15693: vicinity cards (can be read from a larger distance than proximity cards)

• 18000: describes a series of diverse RFID technologies, each utilizing a unique frequency band

ƒ EPC (Electronic Product Code)

• established by EPCGlobal, a non profit organization made up of several companies and academics

• promotes very low cost RFID technology with the goal of integrating it into supply chains

• Class 1: unique identifier (a code that allows the identification of the product to which the tag is attached), and a function permitting the definitive destruction of the tag

• Class 2: more memory and authentication functions

• Class 3: semi-passive tags

• Class 4: active tags, which can potentially communicate with each other

• currently only Class 1 is fully specified ÆISO 18000-6

Objectives: identification and authentication

ƒ (mutual) authentication

• an authentication protocol allows a reader to be convinced of the identity of a queried tag

• in case of mutual authentication, the protocol allows a tag to be convinced of the identity of a querying reader

ƒ identification

• an identification protocol allows a reader to obtain the identity of a queried tag, but no proof is required

• in many cases, identification is sufficient (e.g., inventory in a

warehouse), although requirements also depend on the

adversary model

(9)

RFID privacy © Buttyán Levente, Híradástechnikai Tanszék 17

Budapesti Műszaki és Gazdaságtudományi Egyetem

Basic protocols

ƒ identification

R(eader) Æ T(ag): request T Æ R: ID

ƒ authentication

R: pick a random number N R Æ T: N

T: compute F(ID, N) T Æ R: ID, F(ID, N)

where F is some (not necessarily strong) crypto function, e.g., an encryption or a keyed hash

Security threats

ƒ

impersonation

• the adversary can (with non-negligible probability) successfully complete the authentication protocol in the name of a tag

• relevant only for authentication protocols, because identification protocols are trivially vulnerable to impersonation (no proof of identity is required)

• countermeasures need strong crypto and proper key management

• all tags sharing the same crypto key is not a good approach – tags are not tamper resistant

– compromising a single tag allows the adversary to impersonate any other tag

• tags must have individual keys

– key diversification techniques are applicable

– once the tag identifies itself, the reader (back-end system) can look-up the tag key in a database, or compute it on-the-fly using some master key

(10)

RFID privacy © Buttyán Levente, Híradástechnikai Tanszék 19

Budapesti Műszaki és Gazdaságtudományi Egyetem

Security threats (cont’d)

ƒ relay (wormhole) attack

• the adversary relays messages between a legitimate reader and a legitimate tag that is remote

• all systems that assume that successful run of the protocol via the RF interface means that the tagged object or person is present are defeated (e.g., access control systems, car anti- theft systems, inventory systems, …)

• the feasibility of such relay attacks has been demonstrated

• defense is difficult, crypto alone does not help

• distance-bounding protocols have been proposed …

Distance-bounding protocols

ƒ estimate the distance between the parties from the round trip time

• rapid bit exchange in multiple rounds

• essentially, no computation during the distance estimation phase

• challenge-response principle to avoid that one party can send earlier than the reception of the other’s last message

• estimated distance is only an upper bound on the real distance (because any party can always delay responses)

• if the parties are really far away, then estimated distance cannot be small (it is larger than the real distance) Æ relay attack is detected

• however, false positives are possible

(11)

RFID privacy © Buttyán Levente, Híradástechnikai Tanszék 21

Budapesti Műszaki és Gazdaságtudományi Egyetem

Example: Hancke-Kuhn protocol

ƒ protocol:

R : pick a nonce r and generate bits C1, …, Cn R ÆT : r

T : compute h(K|r) and split result into R(0)1, …, R(0)n, R(1)1, …, R(1)n T ÆR : ID

R ÆT : C1 T ÆR : R(C1)1

R ÆT : Cn T ÆR : R(Cn)n

R : look up K that belongs to ID, compute h(K|r) and split result into R’(0)1,

…, R’(0)n, R’(1)1, …, R’(1)n, and for all i, compare R(Ci)iwith R’(Ci)i

ƒ properties:

• tag authentication (prob. 1-(1/2)n) with distance bounding (prob. 1-(3/4)n)

• tag does not need to do computation during the distance estimation phase distance estimation phase

An attack on the H-K protocol

R : pick a nonce r and generate bits C

1

, …, C

n

R Æ A(T) : r

A(R) Æ T : r

T : compute h(K|r) and split result into R

(0)1

, …, R

(0)n

, R

(1)1

, …, R

(1)n

T Æ A(R) : ID

A(R) sends 0, …, 0 to T and receives R

(0)1

, …, R

(0)n

A(R) Æ T : r

T : compute h(K|r) and split result into R

(0)1

, …, R

(0)n

, R

(1)1

, …, R

(1)n

T Æ A(R) : ID

A(R) sends 1, …, 1 to T and receives R

(1)1

, …, R

(1)n

, A(T) Æ R : ID

A(T) responds to any challenge C

i

of R without communicating remotely with T

verification at R is successful, distance bounding is defeated

(12)

RFID privacy © Buttyán Levente, Híradástechnikai Tanszék 23

Budapesti Műszaki és Gazdaságtudományi Egyetem

Privacy threats

ƒ in most of the applications, RFID tags respond to the reader’s query automatically, without authenticating the reader (only the tag authenticates itself)

ƒ interaction usually reveals tag specific information (typically the ID stored in the tag, or even more) Æ clandestine scanning of tags is a plausible threat

ƒ two particular privacy problems:

• inventorying

• tracking

Inventorying

– a reader can silently determine what objects a person is carrying

• reader-tag interaction may reveal more than an ID (e.g., title of a tagged book, name of a tagged medicine, …)

• object can be identified by resolving the ID read from the tag

watch: Casio

book: Applied Cryptography

shoes: Nike suitcase:

Samsonite jeans: Lee Cooper

(13)

RFID privacy © Buttyán Levente, Híradástechnikai Tanszék 25

Budapesti Műszaki és Gazdaságtudományi Egyetem

Tracking

– set of readers can determine where a given person is located

• trivial if tags use unique identifiers

• even if tag response is not unique, it is possible to track a constellation of a set of particular tags (or tag types/standards!!!)

IDs: 12, 34, 56, 78

@ 7:32

IDs: 12, 34, 56, 78

@ 7:45 IDs: 12, 34,

56, 78

@ 8:03

IDs 12, 34, 56, 78

@ 8:21

Is this really a problem?

ƒ

other technologies also permit the tracking of people (e.g., video surveillance, GSM, Bluetooth)

ƒ

however, consider the following:

• RFID tags permit everybody to track people using low cost equipment

• tags cannot be switched off easily

• physical or electronic destruction of tags during checkout

• but how to verify that operation was successful???

• tags can be easily hidden, their lifespan is not limited, and analyzing the collected data can be efficiently automated

• although nominal reading distance is only a few decimeters or meters, a more efficient antenna and larger power could be used to go beyond the presupposed limits

• in many cases, an adversary can get close enough (e.g., public transport)

• current trend is towards UHF systems, where the communication

distance is larger than in LF/HF systems

(14)

RFID privacy © Buttyán Levente, Híradástechnikai Tanszék 27

Budapesti Műszaki és Gazdaságtudományi Egyetem

Is this really a problem?

ƒ http://www.boycottbenetton.com/

• Press release: Benetton selects Philips to introduce smart labels across 5,000 worldwide stores

• Press release: Hidden sensors in clothing may fuel global surveillance network

• Press release: Benetton has publicly retreated from plans to fit clothing with tiny remote surveillance and tracking chips

ƒ http://www.boycottgillette.com/spychips.html

• Gillette has been caught hiding tiny RFID surveillance chips in the

packaging of its shaving products. These tiny, high tech spy tags are being used to trigger photo taking of unsuspecting customers!

"The world's stupidest anti-shoplifting campaign"-CommsWorld

ƒ http://www.bigbrotherawards.org/

• In their "Future Store", a supermarket of the "Extra" chain in Rheinberg near Duisburg (opened in April 2003 with a well-advertised event featuring Claudia Schiffer), the Metro Group are trialing the use of transponders or so-called RFIDs ("Radio Frequency Identification" devices).

• For its instigation and the related marketing concepts, the Metro Group is receiving an exemplary and future-oriented Big Brother Award.

Dead tags tell no tales

ƒ idea: permanently disable tags with a special “kill” command

ƒ part of the EPC specification

ƒ advantages:

• simple

• effective

ƒ disadvantages:

• eliminates all post-purchase benefits of RFID for the consumer and for society

• no return of items without receipt

• no smart house-hold appliances

• …

• cannot be applied in some applications

• library

• e-passports

• banknotes

ƒ similar approaches:

• put RFID tags into price tags or packaging which are removed and discarded

(15)

RFID privacy © Buttyán Levente, Híradástechnikai Tanszék 29

Budapesti Műszaki és Gazdaságtudományi Egyetem

“Sleep” command

ƒ idea:

• instead of killing the tag definitively, put it in sleep mode

• tag can be re-activated if needed

ƒ advantages:

• simple

• effective

ƒ disadvantages:

• difficult to manage in practice

• tag re-activation must be password protected

• how the consumers will manage hundreds of passwords for their tags?

• passwords can be printed on tags, but then they need to be scanned optically or typed in by the consumer

Other similar approaches

ƒ Faraday cage

• can be effective in some applications (e.g., passports, money wallets)

• may not be usable in others (e.g., clothes, subdermal)

ƒ clipped tags

• tag’s antenna can be physically separated from the chip

• reactivation of the tag can only be done intentionally

(16)

RFID privacy © Buttyán Levente, Híradástechnikai Tanszék 31

Budapesti Műszaki és Gazdaságtudományi Egyetem

On crypto based approaches

ƒ tag should not send ID in clear

ƒ public key crypto would solve the problem

• ID is encrypted with the public key of the reader

• only the reader can decrypt it

but public key crypto is not available for low cost tags

ƒ symmetric encryption with a common shared key

• enough to compromise a single tag, and than all tags become traceable

ƒ symmetric encryption with individual tag keys

• encryption must be randomized !!!

• reader needs to search through the entire set of tag keys and attempt decryption with them (no hint on the key/identity can be provided to the reader)

ƒ ID refreshment (pseudonyms)

• adversary should not be able to tell the difference between the information sent by the tag and a random value

• information sent by the tag should only be used once

Weis-Sarma-Rivest-Engels protocol

ƒ setup

• each tag is initialized with a randomly chosen identifier ID

• system stores an entry for each tag in its database that contains ID

ƒ protocol

R ÆT : request

T : pick a random number r, and compute s = h(ID|r) T ÆR : r, s

R : search through the database for the ID for which h(ID|r) = s

ƒ an alternative

• in theory, the hash function may leak information about its input (e.g., certain bits)

• instead of hashing, s can be computed as s = ID XOR fK(r), where K is a key shared between T and R, and f.(.) is a pseudo random fn

ƒ a potential problem

• no authentication is provided Æan adversary can replay tag responses (impersonation)

(17)

RFID privacy © Buttyán Levente, Híradástechnikai Tanszék 33

Budapesti Műszaki és Gazdaságtudományi Egyetem

Molnar-Wagner protocol

ƒ setup

• each tag is initialized with a randomly chosen identifier ID and a tag key K

• the system stores an entry for each tag in its database that contains both ID and K

ƒ protocol

R : pick a random number a R ÆT : a

T : pick a random number b, and compute s = ID XOR fK(0|a|b) T ÆR : b, s

R : search through the database for an (ID, K) pair for which ID XOR fK(0|a|b) = s; if found, then compute t = fK(1|a|b)

R ÆT : t

ƒ notes

• the protocol provides mutual authentications

• 0 and 1 serves as direction indicators

Ohkubo-Suzuki-Kinoshita protocol

ƒ setup

• each tag maintains a state variable s

• the system stores for each tag its ID and its initial state s0

• two hash functions h and g, and a system parameter m are agreed upon

ƒ protocol

R ÆT : request

T : compute response r = g(s) and new state s = h(s) T ÆR : r

R : search through the database and find the entry for which g(h(i)(s0)) = r for some 0 < i <= m

ƒ notes

• protocol provides forward privacy: even if a tag is compromised, its previous interactions cannot be associated with the tag (previous state of the tag cannot be computed due to the one-way property of h)

• no authentication is provided Æan adversary can replay tag responses (impersonation)

(18)

RFID privacy © Buttyán Levente, Híradástechnikai Tanszék 35

Budapesti Műszaki és Gazdaságtudományi Egyetem

OSK protocol with authentication

ƒ setup

• same as before

ƒ protocol

R : pick a random number r R ÆT : r

T : compute response a = g(r XOR s) and new state s = h(s) T ÆR : a

R : search through the database and find the entry for which g(r XOR h(i)(s0)) = a for some 0 < i <= m; if found compute b = g(w XOR h(i+1)(s0)), where w is a fixed known value

R ÆT : b

ƒ notes

• both versions are vulnerable to a DoS attack where an adversary queries the tag more than m times; such a victim tag can no longer identify itself to the system

• if state is advanced only if a correct b is received from R, then privacy can be defeated by preventing T to receive b: state is not updated, and T gives the same response to the same r as before

The HB protocol

ƒ HB stands for Hopper and Blum’s secure human authentication protocol

• involves only simple operations that even a human can perform such as XOR and AND

ƒ basic idea:

• tag and reader share a secret value x of k bits

• reader sends a challenge a to the tag

• tag computes the binary inner product a.x (involves only XOR and AND) and sends the result back

• legitimate tag gives the right answer with prob. 1, while an impersonating adversary succeeds with probability ½

• repeating the procedure can reduce the success probability of the adversary arbitrarily ( (½)n )

• unfortunately, each run of the protocol leaks information about x, and ~k runs result in a s.l.e. that can be solved for x with Gaussian elimination

• to thwart this, the tag injects noise in its responses, and sends a wrong result with probability 0 < q < ½

• legitimate tag gives the right answer with prob. 1-q > ½, while an

impersonating adversary succeeds with probability ½Æstill distinguishable

(19)

RFID privacy © Buttyán Levente, Híradástechnikai Tanszék 37

Budapesti Műszaki és Gazdaságtudományi Egyetem

The HB protocol (cont’d)

ƒ setup

• tag stores the secret value x (k bits long), and system parameter q

• system stores for each tag its x value

ƒ protocol

R : pick a from {0, 1}kuniformly at random R ÆT : a

T : pick v from {0, 1} such that Pr{v = 1} = q , and compute s = a.x + v T ÆR : s

R : for each entry x’ in the database, check if s = a.x’; after n rounds, the reader selects the entry that matches ~(1-q)n times

ƒ an active attack

• an adversary can challenge the tag n times with the same a

• tag responds with a.x ~(1-q)n > n/2 times and a.x + 1 ~qn < n/2 times Æ the value of a.x can be obtained

• repeat multiple times with different linearly independent a values Æsystem of linear equations can be solved for x

The HB + protocol (cont’d)

ƒ

setup

• tag stores secret values x and y (each of them is k bits long), and system parameter q

• system stores for each tag its (x, y) values

ƒ

protocol

T : pick b from {0, 1}

k

uniformly at random, and v from {0, 1} such that Pr{v = 1} = q

T Æ R : b

R : pick a from {0, 1}

k

uniformly at random R Æ T : a

T : compute s = a.x + b.y + v T Æ R : s

R : for each entry (x’, y’) in the database, check if s = a.x’ + b.y’;

after n rounds, the reader selects the entry that matches ~(1-q)n

times

(20)

RFID privacy © Buttyán Levente, Híradástechnikai Tanszék 39

Budapesti Műszaki és Gazdaságtudományi Egyetem

The HB + protocol (cont’d)

ƒ an active (man-in-the-middle) attack is still possible

• active adversary modifies the reader’s challenge a to a’ = a+d

• tag responds with s = a’.x + b.y + v = a.x + b.y + v + d.x

• the same d is used in each of the n rounds

• if the tag is successfully authenticated, then d.x = 0. otherwise d.x = 1

• repeat the whole procedure for sufficiently many linearly independent d values, and solve the obtained system of linear equations for x

• once x is determined, an attacker can impersonate the tag by setting b = 0

• the adversary can select b, and respond to the reader’s challenge a with a.x + v (v is chosen according to the probability q)

• the same b is used in each of the n rounds

• if authentication is successful, then b.y = 0, otherwise b.y = 1

• repeat the whole procedure for sufficiently many linearly independent b values, and solve the obtained system of linear equations for y

Traceability in lower layers

ƒ collision avoidance layer

• responsible for selecting a single tag when multiple tags are in the reader’s range (singulation procedure)

• also uses identifiers (although these are not necessarily fixed)

• singulation procedure may reveal these identifiers

ƒ physical layer

• defines the physical air interface (frequency, modulation, data encoding, timings, etc)

• radio fingerprinting may be a problem here

(21)

RFID privacy © Buttyán Levente, Híradástechnikai Tanszék 41

Budapesti Műszaki és Gazdaságtudományi Egyetem

Binary tree walking

ƒ a deterministic singulation procedure based on a depth first search in a binary tree, where the leaves are the singulation IDs

• in each step, the reader sends an ID prefix, and each tag whose ID starts with that prefix responds with the next bit of the ID

• if multiple tags respond with the same bit, then no collision will occur, and the reader can extend the prefix with the response bit

• otherwise, if some tags respond differently, then there’s a collision, and the reader recurses on both possible extensions of the prefix

reader: prefix “-” ? tags: collision reader: prefix “0” ? tags: 0 reader: prefix “00” ? tags: 1 reader: prefix “1” ? tags: 0 reader: prefix “10” ? tags: collision

-

0 1

00 01 10 11

000 001 010 011 100 101 110 111 100

101 001

The blocker tag

ƒ idea:

• tree is divided into two zones

• privacy zone: all IDs starting with 1

• upon purchase of a product, its tag is transferred into the privacy zone by setting the leading bit

ƒ the blocker tag is a special tag, such that when the prefix in the reader’s query starts with 1, it simulates a collision

• when the blocker tag is present, all IDs in the privacy zone will appear to be present for the reader

• when the blocker tag is not present, everything works normally

-

0 1

00 01 10 11

000 001 010 011 100 101 110 111

privacy zone

transfer to the privacy zone

(22)

RFID privacy © Buttyán Levente, Híradástechnikai Tanszék 43

Budapesti Műszaki és Gazdaságtudományi Egyetem

Slotted Aloha

ƒ a probabilistic collision avoidance protocol

• time is divided into n slots, where n is chosen by the reader

• each tag randomly chooses one slot and responds to the reader when its slot arrives

• some collisions may occur

• to recover, the reader queries the tags again (until no collision occurs)

• it can mute the tags that have not brought out collisions by indicating their identifiers or the time slots during which they transmitted

• it can choose a more appropriate n

Privacy problems with Slotted Aloha

ƒ if the switch-off technique is used, the reader may mute correctly identified tags by broadcasting their identifier

• better to broadcast slot numbers instead of identifiers

ƒ an attack based on keeping a singulation session open is still possible:

• adversary sends a singulation request to a target tag, tag responds in slot s’

• adversary does not close the session (no ack is sent)

• later when the adversary suspects that the target tag is present, she can confirm this by sending a new singulation request indicating that only tags which transmitted during s’ must retransmit

• if a tag retransmits, there is a high probability that it is the adversary’s target tag

• another tag will respond to the second singulation request if and only if its last session also stayed opened and it also transmitted during s’

ƒ it is fundamental that singulation sessions cannot stay open

• use some internal timeout to abort singulation sessions with abnormal duration

• such timers can be implemented by loading a capacitor on the first request and close any open session when the capacitor is empty

(23)

RFID privacy © Buttyán Levente, Híradástechnikai Tanszék 45

Budapesti Műszaki és Gazdaságtudományi Egyetem

Radio fingerprinting

ƒ the transient behavior at the very beginning of a transmission will be slightly different for different

transceivers, especially if they are produced by different manufacturers

ƒ one person may carry RFID tags from many different manufacturers, and the particular constellation of brands may be unique to a person!

ƒ the same may be said about constellation of standards (that

differ in frequency band, modulation, and bit encodings)

Hivatkozások

KAPCSOLÓDÓ DOKUMENTUMOK

Article 12 of the Universal Declaration of Human Rights (United Nations, 1948), Article 17 of the International Covenant on Civil and Political Rights (United Nations, 1966),

Buttyán Levente, Híradástechnikai Tanszék 5 Budapesti M ű szaki és Gazdaságtudományi Egyetem.. Applications of

Key establishment in sensor networks © Buttyán Levente, Híradástechnikai Tanszék 3 Budapesti Műszaki és Gazdaságtudományi Egyetem.. Wireless sensor

Electronic Payment Systems © Buttyán Levente, Híradástechnikai Tanszék 3.. Budapesti Műszaki és

Levente Buttyán associate professor BME Híradástechnikai Tanszék Lab of Cryptography and System Security (CrySyS) buttyan@hit.bme.hu,

A Budapesti Műszaki és Gazdaságtudományi Egyetem (anno Budapesti Műszaki Egyetem) Mezőgazdasági Kémiai Technológia Tanszék, „Non-food” kutatócsoportja 1999-ben

More specifically, I propose two privacy preserving aggregator node election protocols, a privacy preserving data aggregation protocol, and a corresponding privacy preserving

Elektronikus Aláírás Törvény (eat) © Buttyán Levente, HIT 3 Budapesti Műszaki és Gazdaságtudományi