Page 1: Localization privacy

Localization privacy

Mike Burmester, Florida State University, USA

MITACS International Focus Period
Advances in Network Analysis and its Applications

Page 2: Localization privacy

Talkthrough

1. His Late Master’s Voice: private localization
2. Motivation: device discovery and sensor deployments in hostile territory
3. RFID technology
4. Private localization protocols
   • with temporal and location mechanisms
   • with temporal mechanisms only
   • with location mechanisms only
5. Private localization is not possible without some kind of temporal or location information.
6. Threat model and security issues.

4/20/2911 2MITACS International Focus Period

Page 3: Localization privacy

His Late Master’s Voice

A motivating paradigm

• Bob died suddenly leaving his treasure to sister Alice
• Moriarty will do anything to get the treasure.
• Alice hides it together with Nipper, and promptly departs. (Nipper is a low-cost RFID device that responds only to her calls)
• Alice can find the hidden treasure later when Moriarty is not around.


Nipper listening to a recording of his late master, painted by Francis Barraud who inherited from his late brother: Nipper, a phonograph and some recordings

Page 4: Localization privacy

His Late Master’s Voice

Wrong painting! Not a cylinder phonograph but a gramophone

• Each RFID tag must only respond to authorized readers
• Each authorized RFID reader must be authenticated without being challenged by the tag: any challenge by the tag will reveal its presence/position.

Localization privacy captures a novel aspect of privacy extending the traditional privacy notions of anonymity and unlinkability to private localization.


Page 5: Localization privacy

Localization privacy

Barking for privacy

Anonymity and unlinkability are slightly weaker notions:
• Even though the adversary may not be able to recognize a tag, or link the tag's interrogation sessions, by knowing its location it can identify that tag to some degree.

Localization privacy is essentially a steganographic attribute.
• The goal of steganography is to hide data in such a way that the adversary cannot detect its existence, while
• The goal of private localization is to hide a device in such a way that its presence cannot be detected.


Page 6: Localization privacy

Localization privacy

Because localization privacy is essentially a steganographic attribute one would expect that any knowledge needed to enforce it is based on physical/environmental knowledge.

We shall see that localization privacy can only be achieved by using non-application layer data such as

• Temporal or
• Locational

information.


Page 7: Localization privacy

Sensor deployments.

Motivation

• Suppose we want to deploy 10,000 sensors in a 100 km² area for passive monitoring in a hostile territory.
• The lifetime of the system is expected to be at least 10 years.
• Attached to the sensors are RFID tags which are their communication interface.
• The tags are not networked to prevent detection.
• Robotic armored vehicles collect the monitored data at regular intervals.


Page 8: Localization privacy

Sensor deployments in untrusted territory


Monitoring environmental data and surveillance.
Deployment is not necessarily uniform


Page 9: Localization privacy

Path of armored RFID reader.

multiple interrogations


Page 10: Localization privacy

Device discovery

one-time interrogations


Page 11: Localization privacy

RFID systems

RFID tags
― a discardable technology?
― low cost
― replaceable
― typically short-lived, but durable

Other RFID system components, RFID readers and a backend server:
― Not necessarily low-cost
― upgradeable
― mid- to long-term life

Both: May protect high-value assets

Page 12: Localization privacy

RFID tags

• Attached to, or embedded in, host objects to be identified.
• Each tag is a transponder with an RF coupling element and may also have a microprocessor.
• The coupling element has an antenna coil to capture RF power, clock pulses and data from the RFID reader.
• The microprocessor has small amounts of ROM for storing, among other information, the tag's identification, volatile RAM and (potentially) nonvolatile EEPROM.


Page 13: Localization privacy

Types of passive tags

Smart label. Class 1 memory devices, typically Read-Only. Low cost replacements for bar codes.

Re-writable tags. Class 1 re-writable memory. Subject to unauthorized cloning, disabling, tracking.

IC tags. Class 2 tags with CMOS integrated circuit and non volatile EEPROM. Will defeat most attacks.

BAP tags. Battery assisted IC tags with an extended read range


Page 14: Localization privacy

RFID readers

An RFID reader is a device with storage, computing, and communication resources comparable to at least those of a powerful PDA.

It is equipped with a transceiver consisting of an RF module, a control unit, and an RF coupling element to interrogate the tags.

RFID readers implement a radio interface to the tags and also a high level interface to the Server that processes captured data.


Page 15: Localization privacy

Backend Server

A trusted entity that maintains a database with all the information needed to identify tags, including their identification numbers.

Since the integrity of an RFID system is entirely dependent on the proper behavior of the Server, it is assumed that the Server is physically secure and not subject to attacks.

As far as resources are concerned, the Server is a powerful computing device with ample disk, memory, communication, and other resources.


Page 16: Localization privacy

Reader-tag coupling

Affects the tag's reading range & the frequencies needed.

• RFID capacitive (electric) coupling: short ranges (subcentimeter for UHF near-field)
• RFID inductive (magnetic) coupling: slightly longer ranges (submeter for UHF)
• RFID backscatter coupling: range 10m--100m+

For localization privacy apps use backscatter coupling

Page 17: Localization privacy

Fine grained localization

Localization is based on analyzing RF signals emitted by the target.

The RF waveform is influenced by the paths traveled by the signal.

For fine granularity the raw signal waveform must be passed to the upper layers and processed using algorithms that understand the intricate relations between the wireless environment and the signal.


Page 18: Localization privacy

Localization algorithms

Based on modeling the variations of RF signals in the environment. There are two types of algorithms. Those that:

1. Calibrate the RF signal distribution and then estimate the location.
   • Multilateration algorithms
   • Bayesian inference algorithms
2. Directly compute the location
   • Nearest-neighbor algorithms
   • Proximity algorithms
   • Kernel-based learning algorithms.


Page 19: Localization privacy

NLJ detectors

Non-Linear Junction detectors detect covert devices based on the fact that subjecting a NLJ to a strong high frequency spectrally pure microwave (888 or 915 MHz) will cause the junction to emit the lower harmonics of the signal.

A NLJ detector floods the target area with high frequency energy and detects the emitted harmonics from the target.

Will detect any electronic device that is not shielded, even if it is switched off.


Page 20: Localization privacy

Protocol 1
Tag knows its location & the time

1. The RFID reader sends:

   time_r , loc_r ; x = MAC_k(time_r , loc_r)

2. The tag checks it. If the values time_r , loc_r are close enough to the locally measured values then it responds with:

   y = MAC_k(x)

If this is correct the RFID reader accepts (the tag as authentic).

Here k is a secret key that the RFID reader shares with the tag.
Step 1 authenticates the reader to the tag.
This step can be thought of as a `response’ to the location & time challenge
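A sketch of Protocol 1, added here as an example and not taken from the talk: it assumes HMAC-SHA256 for MAC_k, planar coordinates in metres for loc_r, and illustrative 5 s / 50 m windows for "close enough". The tag returns None, meaning it stays silent, whenever the reader's message fails any check.

```python
import hashlib
import hmac
import math
import struct

# Assumed parameters (not from the slides): acceptance windows for
# "close enough to the locally measured values".
MAX_SKEW_S = 5
MAX_DIST_M = 50.0

def mac(key: bytes, data: bytes) -> bytes:
    # MAC_k instantiated with HMAC-SHA256 (an assumption of this example).
    return hmac.new(key, data, hashlib.sha256).digest()

def encode(time_r: int, loc_r: tuple) -> bytes:
    # Fixed-width encoding so distinct (time, loc) pairs never collide.
    return struct.pack(">Qdd", time_r, loc_r[0], loc_r[1])

def reader_challenge(key: bytes, time_r: int, loc_r: tuple):
    """Step 1: reader sends time_r, loc_r and x = MAC_k(time_r, loc_r)."""
    return time_r, loc_r, mac(key, encode(time_r, loc_r))

def tag_respond(key, tag_time, tag_loc, time_r, loc_r, x):
    """Step 2: return y = MAC_k(x), or None (no backscatter) on any failure."""
    if not hmac.compare_digest(x, mac(key, encode(time_r, loc_r))):
        return None                      # not an authorized reader
    if abs(tag_time - time_r) > MAX_SKEW_S:
        return None                      # stale or replayed challenge
    if math.dist(tag_loc, loc_r) > MAX_DIST_M:
        return None                      # challenge issued for another place
    return mac(key, x)

def reader_accepts(key: bytes, x: bytes, y) -> bool:
    """Reader accepts the tag as authentic if y = MAC_k(x)."""
    return y is not None and hmac.compare_digest(y, mac(key, x))
```
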

Page 21: Localization privacy

Protocol 1
Tag knows its location & time

Localization

The actual location of the tag is determined by analyzing the RF signal waveform of its response y in Step 2 by using a localization algorithm.

Page 22: Localization privacy

Protocol 1
Tag knows its location & time

Problem: Scalability
The RFID reader must send a different challenge to each one of the tags, if it does not know an approximate location of the tags.

[Public Key cryptography will address this issue---use ECC]

Page 23: Localization privacy

Protocol 2
Tag knows the time only

1. The RFID reader sends:

   time_r , x = MAC_k(time_r)

2. The RFID tag checks this. If it is correct it responds with:

   y = MAC_k(x)

If this is correct the RFID reader accepts.

Step 1 authenticates the reader to the tag.
This step can be thought of as a `response’ to the time challenge

Page 24: Localization privacy

Protocol 2
Tag knows the time only

Problem: Clocks must be synchronized. This problem cannot be solved for lightweight applications!

Page 25: Localization privacy

Protocol 3
Tag knows its location only

Suppose the tag and reader share a synchronized counter ct

1. The reader sends:

   ct , loc_r ; x = MAC_k(ct , loc_r)

2. If this is correct the tag responds with:

   y = MAC_k(x)

   and updates the counter.

If y is correct the reader accepts the tag.

Page 26: Localization privacy

Protocol 3
Tag knows its location only

Problem: Counter values must be synchronized.
Can be done: the tag must always store the one but last value of the counter and update it only if the reader sends the current value of the counter in Step 2.

[Update at tag in Step 2 if ct = ct_cur : ct_old ← ct_cur ; ct_cur ← next(ct_cur)]
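The counter bookkeeping for Protocol 3 as an added example (not code from the talk), showing how a tag that keeps both ct_old and ct_cur recovers when its response y is lost. Assumptions of this sketch: HMAC-SHA256 for MAC_k, next(ct) = ct + 1, loc_r as an opaque cell identifier compared for equality, and a tag that answers challenges carrying either stored counter value.

```python
import hashlib
import hmac

def mac(key: bytes, *fields: bytes) -> bytes:
    # MAC_k as HMAC-SHA256; each field is length-prefixed so (ct, loc)
    # encodings are unambiguous.
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()

def ct_bytes(ct: int) -> bytes:
    return ct.to_bytes(8, "big")

class Tag:
    def __init__(self, key: bytes, cell: bytes, ct: int):
        self.key, self.cell = key, cell
        self.ct_old, self.ct_cur = ct, ct

    def respond(self, ct: int, loc_r: bytes, x: bytes):
        """Return y = MAC_k(x), or None (tag stays silent)."""
        # Assumption: ct_old is still answered so a reader that missed y
        # can retry with the same counter value.
        if ct not in (self.ct_old, self.ct_cur) or loc_r != self.cell:
            return None
        if not hmac.compare_digest(x, mac(self.key, ct_bytes(ct), loc_r)):
            return None
        if ct == self.ct_cur:  # update rule from the slide
            self.ct_old, self.ct_cur = self.ct_cur, self.ct_cur + 1
        return mac(self.key, x)

class Reader:
    def __init__(self, key: bytes, ct: int):
        self.key, self.ct = key, ct

    def challenge(self, loc_r: bytes):
        """Step 1: ct, loc_r and x = MAC_k(ct, loc_r)."""
        return self.ct, loc_r, mac(self.key, ct_bytes(self.ct), loc_r)

    def accept(self, x: bytes, y) -> bool:
        ok = y is not None and hmac.compare_digest(y, mac(self.key, x))
        if ok:
            self.ct += 1  # reader advances only after a valid y
        return ok
```
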


Page 27: Localization privacy

The tag does not know the time or its location

Localization privacy cannot be achieved when the tags are static and neither temporal nor location information is available.

Page 28: Localization privacy

The adversary A

• A can eavesdrop on, and schedule, all communication channels
  ― Adapt model to allow for localization technologies and radio jamming technologies
• A must eavesdrop on at least one complete localization to localize a tag
  ― Tag must backscatter, they cannot be capacitive or inductive.


Page 29: Localization privacy

The adversary A

• A can be ubiquitous or local
  ― With ubiquitous adversaries we can have localization privacy for the first interrogation only
  ― With local adversaries we can have localization privacy for multiple tag interrogations---but model is weak


Page 30: Localization privacy

Theorems

Protocol 1 provides implicit mutual authentication with localization privacy for one-time tag interrogation applications against a ubiquitous adversary. For applications where the tags may be interrogated several times we only get weak localization privacy.

Protocol 2 provides implicit mutual authentication with localization privacy for one-time tag interrogation applications against a ubiquitous adversary. For applications where the tags may be interrogated several times we only get weak localization privacy.

Protocol 3 provides only implicit mutual authentication with weak localization privacy, unless highly synchronized clocks are available.

Localization privacy cannot be achieved when the tags are static if neither temporal nor location information is available.

Page 31: Localization privacy

Secure localization

• Privacy --- unlinkability
• Integrity --- the effect of radio jamming attacks and localization/NLJ attacks
• Availability --- the effect of radio jamming and localization/NLJ attacks


Page 32: Localization privacy

Any questions?

Publications: http://www.cs.fsu.edu/~burmeste/pubs.html


