New Directions in Detection, Security and Privacy for RFID
Leonid Bolotnyy and Gabriel Robins
Department of Computer Science, UVa
Aug 07, 2015
2
Thesis
Multi-tags, “yoking-proofs”, and physical unclonable functions can improve reliability, security, and privacy in radio frequency identification (RFID) systems.
3
Progress
• L. Bolotnyy and G. Robins, Multi-Tag Radio Frequency Identification Systems, IEEE Workshop on Automatic Identification Advanced Technologies (AutoID), pp. 83-88, 2005
• L. Bolotnyy and G. Robins, Randomized Pseudo-Random Function Tree Walking Algorithm for Secure Radio Frequency Identification, IEEE Workshop on Automatic Identification Advanced Technologies (AutoID), pp. 43-48, 2005
• L. Bolotnyy and G. Robins, Generalized ‘Yoking-Proofs’ for a Group of RFID Tags, IEEE International Conference on Mobile and Ubiquitous Systems (Mobiquitous), 2006
• L. Bolotnyy and G. Robins, PUF-Based Security and Privacy in RFID Systems, IEEE International Conference on Pervasive Computing (PerCom), 2007
• Several additional papers in progress
• NSF Cyber Trust proposal (submitted January 2007)
• Deutsche Telekom (largest in EU) offered to patent our multi-tags idea
4
Introduction
• RFID
• Tag types: passive, semi-passive, active
• Frequencies: Low (125 kHz), High (13.56 MHz), UHF (915 MHz)
• Coupling methods: inductive coupling, backscatter coupling
[Figure: reader antenna and signal for inductive coupling and for backscatter coupling]
5
History
• Auto-ID Center formed - 1999
• EPCglobal formed - 2004
• Radar invented - 1935
• EAS invented - early 1960’s
• First RFID book published - 1999
• First RFID patent filed - 1973
• First RFID game marketed - 2006
6
Thesis Proposal
• Improve tag detection
• Improve security and privacy
– Inter-tag communication
– Definition of privacy
– Auditing algorithms for RFID; “Yoking-Proofs”
– PUF-based security: algorithms, PUF design
7
Why Multi-Tag RFID?
• Bar-codes vs. RFID
– line-of-sight
– scanning rate
• Unreliability of tag detection
– radio noise is ubiquitous
– liquids and metals are opaque to RF
  • milk, water, juice
  • metal-foil wrappers
– Wal-Mart experiments (2005)
  • 90% tag detection at case level
  • 95% detection on conveyor belts
  • 66% detection of individual items inside fully loaded pallets
– Our preliminary experiments support data above
9
The Power of an Angle
• Inductive coupling: voltage ~ $\sin(\beta)$, distance ~ $(\text{power})^{1/6}$
• Far-field propagation: voltage ~ $\sin^2(\beta)$, distance ~ $(\text{power})^{1/2}$
[Figure: expected angle (in degrees) vs. number of tags (1 to 4); data labels 32.7, 58.11, 47.98, 61.86]
4 2
40[ (2 cos ) ( )(2 cos ) ] /
2
x x dx x x dx
2
0[ (2 cos ) ] /(2 )
x x dx
[Figure: tag at angle β to the B-field]
• Optimal Tag Placement:
[Figure: placement of tags labelled 1, 2, 3, 4]
10
Benefits and Costs of Multi-Tags
• PROS
– increases expected induced voltage on tag
– increases operational range of system
– increases memory per object
– improves availability
– improves reliability
– improves durability
– provides potential security enhancement
– new applications
• CONS
– increases system cost
– modestly complicates manufacturing
– potentially increases tags’ interrogation time
11
Experimental Apparatus and Experiments with Multi-Tags
• Equipment
• Experiments
– Measure detection of ~20 multi-tagged objects
  • With/without metals and liquids
– Rotate multi-tagged object mixes
  • 1, 2, 3, & 4 tags per object
– Vary tag, reader, and antenna types
– Vary distances, geometry, power
– Multi-tags vs. multiple readers
12
Preliminary Experimental Results
[Figure: average detection probability (0 to 1) per object number (1 to 20), one series per configuration]
• 1 Reader, 2 Tags: 82.6%
• 2 Readers, 1 Tag: 63.9%
• 2 Readers, 2 Tags: 86.6%
• 1 Reader, 1 Tag: 57.8%
• Differences marked on the chart: Δ=24.8%, Δ=22.7%, Δ=4.0%, Δ=18.7%, Δ=6.1%
14
Security and Privacy in RFID
• Privacy: difficult to track tags
• Security
– Secure Identification: f(r, ID)
– Tag Authentication: c, f(c)
– Message Authentication: m, σ(m)
– Ownership Transfer
– Auditing
15
“Yoking-Proofs”
• Applications: verify that
– medicine bottle sold together with instructions
– tools sold together with safety devices
– matching parts were delivered together
– several forms of ID were presented
– a group of people was present at a meeting
• Problem Statement: Generate proof that a group of passive tags were identified nearly-simultaneously
• Key Observation: Passive tags can communicate with each other through reader
• Yoking: joining together / simultaneous presence of multiple tags
16
Assumptions and Goals
• Assumptions
– Tags are passive
– Tags have limited computational abilities
– Tags can compute a keyed hash function
– Tags can maintain some state
– Verifier is trusted and powerful
• Solution Goals
– Allow readers to be adversarial
– Make valid proofs improbable to forge
– Allow verifier to verify proofs off-line
– Detect replays of valid proofs
• Timer on-board a tag
– FCC regulations: protocol termination < 400ms
– Capacitor discharge can implement timeout
17
Generalized “Yoking-Proof” Protocol
[Figure: tags labelled 1 to 5]
Anonymous Yoking: tags keep their identities private
Speedup yoking protocols by splitting chain into arcs
Idea: construct a chain of mutually dependent MACs
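The chain-of-MACs idea on this slide, as an added Python sketch that is not the authors' protocol: each tag's MAC covers the previous tag's MAC, the first tag is queried again to close the chain, and a per-tag counter lets the off-line verifier reject replays. The message layout, the counter scheme and all names are assumptions, and the tag-side timeout is not modeled.

```python
import hashlib
import hmac

def mac(key: bytes, *parts: bytes) -> bytes:
    # Length-prefix every field so the concatenation is unambiguous.
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

class Tag:
    """Passive tag: one keyed hash and a small counter as its only state."""
    def __init__(self, tag_id: bytes, key: bytes):
        self.tag_id, self.key, self.counter = tag_id, key, 0

    def respond(self, incoming: bytes):
        self.counter += 1  # fresh counter value for every response
        c = self.counter.to_bytes(4, "big")
        return self.tag_id, c, mac(self.key, self.tag_id, c, incoming)

def reader_collect(tags, seed: bytes):
    """Untrusted reader: relays each MAC to the next tag; the first tag
    is queried again at the end to close the chain."""
    links, prev = [], seed
    for tag in list(tags) + [tags[0]]:
        link = tag.respond(prev)
        links.append(link)
        prev = link[2]
    return seed, links

class Verifier:
    """Trusted verifier: holds all tag keys and checks proofs off-line."""
    def __init__(self, keys):
        self.keys = dict(keys)
        self.last = {tag_id: 0 for tag_id in self.keys}

    def verify(self, proof, group) -> bool:
        seed, links = proof
        group = list(group)
        if not group or [l[0] for l in links] != group + group[:1]:
            return False
        if any(tag_id not in self.keys for tag_id in group):
            return False
        prev, seen = seed, dict(self.last)
        for tag_id, c, m in links:
            n = int.from_bytes(c, "big")
            if n <= seen[tag_id]:  # counter not newer: replayed link
                return False
            if not hmac.compare_digest(m, mac(self.keys[tag_id], tag_id, c, prev)):
                return False
            prev, seen[tag_id] = m, n
        self.last = seen  # commit counters only for an accepted proof
        return True
```

A link that a tag computed over anything other than its predecessor's MAC breaks verification, so a reader cannot splice together responses gathered in separate sessions.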
18
Inter-Tag Communication in RFID
• Idea: heterogeneity in ubiquitous computing
• “Yoking proofs”
• Battery-less sensing
• Tags as mailboxes
• Tags as proxies
• Location access control
• Tags partitioned into groups
– Group leader in charge of authentication and access control
• Subordinate reader-tag authentication
19
PUF-Based Security and Privacy
• Digital crypto implementations require 1000’s of gates
• Low-cost alternatives
– Pseudonyms / one-time pads
– Low complexity / power hash function designs
– Hardware-based solutions
• Definition of privacy that incorporates hardware attacks
• PUF definition
• Security is based on:
– wire delays
– gate delays
– quantum mechanical fluctuations
• PUF characteristics
– uniqueness
– reliability
– unpredictability
20
PUF-Based Algorithms
• Identification Sequence: ID, p(ID), …, $p^k(ID)$
• It is important to have
– a reliable PUF
– no loops in PUF chains
– no identical PUF outputs
– no impersonation attacks
• MAC based on PUF
– Motivation: “yoking-proofs”, signing sensor data
– large keys
– cannot support arbitrary messages
• Large message set
• Small message set
• Authentication Pairs: c1, p(c1), c2, p(c2), ..., cn, p(cn)
• Verify that at least the desired fraction of challenge-response pairs is correct
21
PUF-Based Ownership Transfer
• Ownership Transfer
• To maintain privacy we need
– ownership privacy
– forward privacy
• Physical security is especially important
• Solutions
– public key cryptography
– knowledge of owners sequence
– trusted authority
– short period of privacy
22
Comparison of PUF With Digital Hash Functions
• Reference PUF: 545 gates for 64-bit input
– 6 to 8 gates for each input bit
– 33 gates to measure the delay
• Low gate count of PUF has a cost
– probabilistic outputs
– difficult to characterize analytically
– non-unique computation
– extra storage
• Different attack target for adversaries
– model building rather than key discovery
• Physical security
– hard to break tag and remain undetected

Algorithm   # of gates
MD4         7350
MD5         8400
SHA-256     10868
Yuksel      1701
PUF         545
AES         3400
23
PUF Design
• Attacks on PUF
– impersonation
– modeling
– hardware tampering
– side-channel
• Weaknesses of existing PUF
• New PUF design
– no oscillating circuit
– sub-threshold voltage
• Compare different non-linear delay approaches
reliability
24
Conclusion and Research Plan
• Contributions
– Multi-Tags
  • tag objects with multiple tags to improve detection
– Security and Privacy
  • Yoking proofs
  • Inter-tag communication
  • Hardware-based security: PUFs
• Plan for the next 5 months
– finish multi-tag experiments
– define privacy w.r.t. physical attacks
– design / evaluate improved PUF circuits
– publish more papers
27
Related Work on Multi-Tags
• Two-antennas per tag to determine location
• Four tags per object to determine movement direction
• Multiple tags to increase reliability (for visually impaired)
• Random placement of two tags on playing cards
• Splitting tag ID into Class ID and Pure ID
• Up to three tags to determine object-person interaction
28
Types of Multi-Tags
• Triple-Tags
• n-Tags
• Dual-Tags
– Own Memory Only
– Shared Memory Only
– Own and Shared Memory
• Redundant Tags
• Complementary Tags
29
Detection Distance with Multi-Tags
[Figure: Expected Factor of Distance Increase (increase factor, 1 to 1.7) vs. number of tags (1 to 4), for far-field propagation and inductive coupling; data labels 1, 1.37, 1.57, 1.63 and 1, 1.06, 1.08, 1.09]
30
Effects of Multi-Tags on Anti-Collision Algorithms
Algorithm        Redundant Tags    Dual-Tags
Binary           No Effect         No Effect
Binary Variant   No Effect         No Effect
Randomized       Doubles Time**    No Effect*
STAC             Causes DoS        No Effect*
Slotted Aloha    Doubles Time**    No Effect*

*If Dual-Tags communicate to form a single response
**Assuming an object is tagged with two tags
31
Related Work on “Yoking-Proofs”
• Saito and Sakurai [2005]
– solution relies on timestamps generated by trusted database
– violates original problem statement
– one tag is assumed to be more powerful than the others
– vulnerable to “future timestamp” attack
• Piramuthu [2006]
– discusses inapplicable replay-attack problem of Juels’ protocol
– independently observes the problem with Saito/Sakurai protocol
– proposed fix only works for a pair of tags
– violates original problem statement
• Juels [2004]
– protocol is limited to two tags
– no timely timer update (minor/crucial omission)
32
Speeding Up The Yoking Protocol
[Figure: starting / closing tags]
Idea: split cycle into several sequences of dependent MACs
Requires
– multiple readers or multiple antennas
– anti-collision protocol
33
Related Work on PUF
• Optical PUF [Ravikanth 2001]
• Silicon PUF [Gassend et al 2002]
– design, implementation, simulation, manufacturing
– authentication algorithm
– controlled PUF
• PUF in RFID
– off-line reader authentication using public key cryptography [Tuyls et al 2006]
34
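PUF-Based Authentication
Reader → Tag: GetID
Tag → Reader: ID
Reader → Tag: GetResponse(c1)
Tag → Reader: p(c1)
...
Reader → Tag: GetResponse(cn)
Tag → Reader: p(cn)

$\alpha < \mathrm{prob}_v \le 1$ and $\mathrm{prob}_f \le \beta \le 1$, with $0 \le t \le n-1$

$$\mathrm{prob}_v = 1 - \sum_{i=t+1}^{n} \binom{n}{i} \mu^{i} (1-\mu)^{n-i}$$

$$\mathrm{prob}_f = 1 - \sum_{j=t+1}^{n} \binom{n}{j} \tau^{j} (1-\tau)^{n-j}$$

[Plot labels: prob_v(n), prob_f(n)]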
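A worked calculation for the acceptance rule above, added here and not taken from the slides: it evaluates prob_v and prob_f and searches for the smallest n, and the smallest t for that n, satisfying α < prob_v and prob_f ≤ β. It assumes μ is the per-challenge probability that a genuine tag's response differs from the enrolled one and τ is the per-challenge probability that a forger's response is wrong; the slide does not define either symbol, and the function names are hypothetical.

```python
from math import comb

def tail(n: int, t: int, p: float) -> float:
    """P[more than t of n independent responses are wrong], each wrong w.p. p."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(t + 1, n + 1))

def prob_v(n: int, t: int, mu: float) -> float:
    """Genuine tag accepted: at most t of its n responses mismatch (assumed mu)."""
    return 1 - tail(n, t, mu)

def prob_f(n: int, t: int, tau: float) -> float:
    """Forger accepted: at most t of its n guessed responses are wrong (assumed tau)."""
    return 1 - tail(n, t, tau)

def choose_parameters(mu, tau, alpha, beta, max_n=64):
    """Smallest (n, t) with alpha < prob_v and prob_f <= beta, or None."""
    for n in range(1, max_n + 1):
        for t in range(0, n):  # slide constraint: 0 <= t <= n-1
            if prob_v(n, t, mu) > alpha and prob_f(n, t, tau) <= beta:
                return n, t
    return None

def authenticate(enrolled, received, t: int) -> bool:
    """Accept when at most t of the n challenge-response pairs mismatch."""
    if len(enrolled) != len(received):
        return False
    return sum(e != r for e, r in zip(enrolled, received)) <= t
```

When the PUF is so noisy that μ approaches τ, no (n, t) separates a genuine tag from a forger and the search returns None.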
35
PUF-Based Identification Algorithm
• Tag stores its identifier: ID
• Database stores: ID, p(ID), …, $p^k(ID)$
• Upon reader’s query, the tag
– responds with p(ID)
– updates its ID with p(ID)
• Assumptions
– passive adversaries (otherwise, denial of service possible)
– physical compromise of tags not possible
– reliable PUF
• It is important to have
– a reliable PUF
– no loops in PUF chains
– no identical PUF outputs
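An added simulation of the identification scheme above (not the authors' code): the database enrolls ID, p(ID), ..., p^k(ID), refuses chains with loops or outputs shared between tags, and advances its position as pseudonyms are used. The PUF is stood in for by a truncated HMAC over a per-device secret, an assumption made only so the example runs; all class and function names are hypothetical.

```python
import hashlib
import hmac

def make_puf(device_secret: bytes, out_bytes: int = 8):
    """Stand-in for a physical PUF (assumption): deterministic per device."""
    def p(x: bytes) -> bytes:
        return hmac.new(device_secret, x, hashlib.sha256).digest()[:out_bytes]
    return p

def enroll(p, initial_id: bytes, k: int):
    """Database side, done before deployment: ID, p(ID), ..., p^k(ID)."""
    chain = [initial_id]
    for _ in range(k):
        nxt = p(chain[-1])
        if nxt in chain:  # a loop would make the tag repeat pseudonyms
            raise ValueError("loop in PUF chain")
        chain.append(nxt)
    return chain

class Database:
    def __init__(self):
        self.index = {}     # pseudonym -> (tag name, position in chain)
        self.position = {}  # tag name -> last position seen

    def add(self, name: str, chain):
        if any(v in self.index for v in chain):
            raise ValueError("identical PUF outputs across tags")
        for pos, value in enumerate(chain):
            self.index[value] = (name, pos)
        self.position[name] = 0

    def identify(self, response: bytes):
        hit = self.index.get(response)
        if hit is None or hit[1] <= self.position[hit[0]]:
            return None  # unknown, exhausted chain, or already-used pseudonym
        self.position[hit[0]] = hit[1]  # also resynchronises after missed reads
        return hit[0]

class Tag:
    def __init__(self, p, initial_id: bytes):
        self.p, self.id = p, initial_id

    def query(self) -> bytes:
        self.id = self.p(self.id)  # respond with p(ID) and store it as the new ID
        return self.id
```

Once a tag has answered k queries its next response is no longer in the database, so k bounds how many reads a tag supports before re-enrollment.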
PUF-Based MAC Algorithms
• MAC based on PUF
– large keys
– cannot support arbitrary messages
– Motivational example: buyer/seller
• Need to protect against replay attacks
• MAC = $(K, \tau_K, \upsilon_K)$
• valid signature σ: $\upsilon(M, \sigma) = 1$
• forged signature σ′: $\upsilon(M', \sigma') = 1$, $M \ne M'$
• Large message set
$\sigma(m) = c, r_1, \ldots, r_n, p_c(r_1, m), \ldots, p_c(r_n, m)$
• Small message set
$\sigma(m) = c, p_c^{(1)}(m), \ldots, p_c^{(n)}(m), \ldots, c+q-1, p_{c+q-1}^{(1)}(m), p_{c+q-1}^{(n)}(m)$