Localization privacy
Mike Burmester, Florida State University, USA
MITACS International Focus PeriodAdvances in Network Analysis and its Applications
Talkthrough
1. His Late Master’s Voice: private localization
2. Motivation: device discovery and sensor deployments in hostile territory
3. RFID technology
4. Private localization protocols
   • with temporal and location mechanisms
   • with temporal mechanisms only
   • with location mechanisms only
5. Private localization is not possible without some kind of temporal or location information.
6. Threat model and security issues.
4/20/2911 2MITACS International Focus Period
His Late Master’s Voice
A motivating paradigm
Bob died suddenly, leaving his treasure to his sister Alice. Moriarty will do anything to get the treasure. Alice hides it together with Nipper, and promptly departs. (Nipper is a low-cost RFID device that responds only to her calls.) Alice can find the hidden treasure later, when Moriarty is not around.
Nipper listening to a recording of his late master, painted by Francis Barraud, who inherited from his late brother: Nipper, a phonograph and some recordings.
His Late Master’s Voice
Wrong painting! Not a cylinder phonograph but a gramophone.
• Each RFID tag must only respond to authorized readers.
• Each authorized RFID reader must be authenticated without being challenged by the tag: any challenge by the tag will reveal its presence/position.
Localization privacy captures a novel aspect of privacy extending the traditional privacy notions of anonymity and unlinkability to private localization.
Localization privacy
Barking for privacy
Anonymity and unlinkability are slightly weaker notions: even though the adversary may not be able to recognize a tag, or link the tag's interrogation sessions, by knowing its location it can identify that tag to some degree.
Localization privacy is essentially a steganographic attribute. The goal of steganography is to hide data in such a way that the adversary cannot detect its existence, while the goal of private localization is to hide a device in such a way that its presence cannot be detected.
Localization privacy
Because localization privacy is essentially a steganographic attribute one would expect that any knowledge needed to enforce it is based on physical/environmental knowledge.
We shall see that localization privacy can only be achieved by using non-application layer data such as
• temporal, or
• locational
information.
Sensor deployments.
Motivation
Suppose we want to deploy 10,000 sensors in a 100 km² area for passive monitoring in a hostile territory. The lifetime of the system is expected to be at least 10 years. Attached to the sensors are RFID tags which are their communication interface. The tags are not networked, to prevent detection. Robotic armored vehicles collect the monitored data at regular intervals.
Sensor deployments in untrusted territory
Monitoring environmental data and surveillance. Deployment is not necessarily uniform.
Path of armored RFID reader: multiple interrogations.
Device discovery: one-time interrogations.
RFID systems
RFID tags:
― a discardable technology?
― low cost
― replaceable
― typically short-lived, but durable
Other RFID system components, RFID readers and a backend server:
― not necessarily low-cost
― upgradeable
― mid- to long-term life
Both may protect high-value assets.
RFID tags
Attached to, or embedded in, host objects to be identified. Each tag is a transponder with an RF coupling element and may also have a microprocessor. The coupling element has an antenna coil to capture RF power, clock pulses and data from the RFID reader. The microprocessor has small amounts of ROM for storing, among other information, the tag's identification, volatile RAM and (potentially) nonvolatile EEPROM.
Types of passive tags
Smart label. Class 1 memory devices, typically Read-Only. Low cost replacements for bar codes.
Re-writable tags. Class 1 re-writable memory. Subject to unauthorized cloning, disabling, tracking.
IC tags. Class 2 tags with CMOS integrated circuit and non-volatile EEPROM. Will defeat most attacks.
BAP tags. Battery-assisted IC tags with an extended read range.
RFID readers
An RFID reader is a device with storage, computing, and communication resources comparable to at least those of a powerful PDA.
It is equipped with a transceiver consisting of an RF module, a control unit, and an RF coupling element to interrogate the tags.
RFID readers implement a radio interface to the tags and also a high level interface to the Server that processes captured data.
Backend Server
A trusted entity that maintains a database with all the information needed to identify tags, including their identification numbers.
Since the integrity of an RFID system is entirely dependent on the proper behavior of the Server, it is assumed that the Server is physically secure and not subject to attacks.
As far as resources are concerned, the Server is a powerful computing device with ample disk, memory, communication, and other resources.
Reader-tag coupling
Affects the tag's reading range and the frequencies needed.
― RFID capacitive (electric) coupling: short ranges (subcentimeter for UHF near-field)
― RFID inductive (magnetic) coupling: slightly longer ranges (submeter for UHF)
― RFID backscatter coupling: range 10 m to 100 m+
For localization privacy applications use backscatter coupling.
Fine-grained localization
Localization is based on analyzing RF signals emitted by the target.
The RF waveform is influenced by the paths traveled by the signal.
For fine granularity the raw signal waveform must be passed to the upper layers and processed using algorithms that understand the intricate relations between the wireless environment and the signal.
Localization algorithms
Based on modeling the variations of RF signals in the environment. There are two types of algorithms, those that:
1. Calibrate the RF signal distribution and then estimate the location:
   ― Multilateration algorithms
   ― Bayesian inference algorithms
2. Directly compute the location:
   ― Nearest-neighbor algorithms
   ― Proximity algorithms
   ― Kernel-based learning algorithms
NLJ detectors
Non-Linear Junction detectors detect covert devices based on the fact that subjecting an NLJ to a strong, spectrally pure, high-frequency microwave signal (888 or 915 MHz) will cause the junction to emit the lower harmonics of the signal.
An NLJ detector floods the target area with high-frequency energy and detects the harmonics emitted by the target.
It will detect any electronic device that is not shielded, even if it is switched off.
Protocol 1: Tag knows its location & the time
1. The RFID reader sends:
   timer, locr; x = MACk(timer, locr)
2. The tag checks it. If the values timer, locr are close enough to the locally measured values then it responds with:
   y = MACk(x)
If this is correct the RFID reader accepts (the tag as authentic).
Here k is a secret key that the RFID reader shares with the tag. Step 1 authenticates the reader to the tag. This step can be thought of as a `response’ to the location & time challenge.
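The two steps of Protocol 1 as an added Python example; this is not code from the slides or the author. MACk is realised here as HMAC-SHA256 (an assumption; a lightweight tag would use a lightweight MAC), and the "close enough" test uses constructed tolerances MAX_TIME_SKEW and MAX_DISTANCE. The tag returns None wherever it stays silent, which is the behaviour localization privacy rests on: a forged, replayed or out-of-place challenge gets no reply, so nothing is transmitted that could be localized.

```python
import hashlib
import hmac
import math
import struct

# Constructed demo parameters (assumptions, not values from the slides).
KEY = b"shared-secret-key-for-demo"   # k: secret shared by reader and tag
MAX_TIME_SKEW = 5.0                    # seconds: how far timer may differ from the tag's clock
MAX_DISTANCE = 50.0                    # metres: how far locr may lie from the tag's own position


def mac(key, *parts):
    """MAC_k(...) from the slides, realised as HMAC-SHA256 over length-prefixed parts."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(struct.pack(">I", len(part)))
        h.update(part)
    return h.digest()


def encode_challenge(timer, locr):
    """Fixed-width encoding of (timer, locr) so the MAC input is unambiguous."""
    return struct.pack(">ddd", timer, locr[0], locr[1])


def reader_challenge(key, timer, locr):
    """Step 1: the reader broadcasts timer, locr and x = MAC_k(timer, locr)."""
    x = mac(key, encode_challenge(timer, locr))
    return timer, locr, x


def tag_respond(key, tag_time, tag_loc, timer, locr, x):
    """Step 2: the tag answers only if x verifies AND (timer, locr) match its own measurements.

    Returns y = MAC_k(x), or None when the tag stays silent. Silence is the
    privacy-preserving outcome: the tag never reveals its presence.
    """
    expected_x = mac(key, encode_challenge(timer, locr))
    if not hmac.compare_digest(x, expected_x):
        return None                      # not produced by a holder of k (or tampered)
    if abs(timer - tag_time) > MAX_TIME_SKEW:
        return None                      # stale: a replay of an earlier challenge
    if math.dist(tag_loc, locr) > MAX_DISTANCE:
        return None                      # a challenge meant for some other area
    return mac(key, x)


def reader_accept(key, x, y):
    """Reader side of Step 2: accept the tag as authentic iff y = MAC_k(x)."""
    return y is not None and hmac.compare_digest(y, mac(key, x))


if __name__ == "__main__":
    now, here = 1_700_000_000.0, (10.0, 20.0)       # constructed reader clock and position
    timer, locr, x = reader_challenge(KEY, now, here)
    y = tag_respond(KEY, now + 1.0, (12.0, 21.0), timer, locr, x)
    print("fresh challenge accepted:", reader_accept(KEY, x, y))
    print("same challenge replayed a minute later:", tag_respond(KEY, now + 60.0, (12.0, 21.0), timer, locr, x))
```

The time check is what defeats replay: an eavesdropper who records (timer, locr, x) and re-broadcasts it later presents a timer the tag no longer considers close, so the tag does not answer; the location check likewise keeps a tag from answering a challenge the reader issued for a different area.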
Localization
The actual location of the tag is determined by analyzing the RF signal waveform of its response y in Step 2, using a localization algorithm.
Protocol 1: Tag knows its location & time
Problem: Scalability. The RFID reader must send a different challenge to each one of the tags if it does not know an approximate location of the tags.
[Public Key cryptography will address this issue---use ECC]
Protocol 2: Tag knows the time only
1. The RFID reader sends: timer, x = MACk(timer)
2. The RFID tag checks this. If it is correct it responds with:
   y = MACk(x)
If this is correct the RFID reader accepts.
Step 1 authenticates the reader to the tag. This step can be thought of as a `response’ to the time challenge.
Protocol 2: Tag knows the time only
Problem: Clocks must be synchronized. This problem cannot be solved for lightweight applications!
Protocol 3: Tag knows its location only
Suppose the tag and reader share a synchronized counter ct.
1. The reader sends:
   ct, locr; x = MACk(ct, locr)
2. If this is correct the tag responds with:
   y = MACk(x)
and updates the counter. If y is correct the reader accepts the tag.
Protocol 3: Tag knows its location only
Problem: Counter values must be synchronized. This can be done: the tag must always store the one-but-last value of the counter and update it only when the reader sends the current value of the counter in Step 2.
[Update at tag in Step 2 if ct = ctcur: ctold ← ctcur; ctcur ← next(ctcur)]
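Protocol 3 together with the counter re-synchronization rule above, as an added Python example (not the author's code). The tag keeps ctold and ctcur, advances only when the reader sends the current value, and still answers a reader that retries with the one-but-last value because it never received the previous y (for instance under jamming); any older counter value gets silence. MACk is HMAC-SHA256 and next(ct) is a plain increment, both assumptions; the distance tolerance, counter values and positions are constructed.

```python
import hashlib
import hmac
import math
import struct

KEY = b"shared-secret-key-for-demo"    # k, constructed for the demo


def mac(key, *parts):
    """MAC_k(...) realised as HMAC-SHA256 over length-prefixed parts (assumption)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(struct.pack(">I", len(part)))
        h.update(part)
    return h.digest()


def encode(ct, locr):
    """Fixed-width encoding of (ct, locr) for the MAC input."""
    return struct.pack(">Qdd", ct, locr[0], locr[1])


def next_counter(ct):
    """next(ct) from the slides; a plain increment is assumed here."""
    return ct + 1


class Reader:
    def __init__(self, key, ct):
        self.key, self.ct = key, ct

    def challenge(self, locr):
        """Step 1: send ct, locr and x = MAC_k(ct, locr)."""
        return self.ct, locr, mac(self.key, encode(self.ct, locr))

    def accept(self, x, y):
        """Advance the counter only once a correct y = MAC_k(x) has been received."""
        ok = y is not None and hmac.compare_digest(y, mac(self.key, x))
        if ok:
            self.ct = next_counter(self.ct)
        return ok


class Tag:
    def __init__(self, key, loc, ct, max_distance=50.0):
        self.key, self.loc, self.max_distance = key, loc, max_distance
        self.ct_old, self.ct_cur = None, ct    # one-but-last and current counter values

    def respond(self, ct, locr, x):
        """Step 2: answer y = MAC_k(x) if ct is current or one-but-last; otherwise stay silent."""
        if math.dist(self.loc, locr) > self.max_distance:
            return None                        # challenge is for some other area
        if not hmac.compare_digest(x, mac(self.key, encode(ct, locr))):
            return None                        # not produced by a holder of k
        if ct == self.ct_cur:
            # In sync: ctold <- ctcur, ctcur <- next(ctcur)
            self.ct_old, self.ct_cur = self.ct_cur, next_counter(self.ct_cur)
        elif ct != self.ct_old:
            return None                        # replay of an older counter value
        # ct == ct_old: the reader missed our last answer; repeat it without advancing
        return mac(self.key, x)


def run_demo():
    """Walk through a normal round, a lost response, recovery, and a replayed challenge."""
    reader, tag = Reader(KEY, 100), Tag(KEY, (10.0, 20.0), 100)
    locr = (11.0, 19.0)                                  # constructed reader position
    results = []
    ct, _, x = reader.challenge(locr)                    # normal interrogation
    results.append(reader.accept(x, tag.respond(ct, locr, x)))   # both advance to 101
    ct, _, x = reader.challenge(locr)                    # tag answers, but y is lost (jammed)
    tag.respond(ct, locr, x)                             # tag: old=101, cur=102; reader still 101
    ct, _, x = reader.challenge(locr)                    # reader retries with 101 == tag's ct_old
    results.append(reader.accept(x, tag.respond(ct, locr, x)))   # reader advances to 102
    replay = tag.respond(100, locr, mac(KEY, encode(100, locr)))  # an old challenge replayed
    results.append(replay is None)
    return results, reader.ct, tag.ct_cur


if __name__ == "__main__":
    print(run_demo())   # ([True, True, True], 102, 102)
```

Keeping exactly one spare value bounds how far the two sides can drift: a reader that loses one response is still answered, while anything older than ctold is treated as a replay and ignored.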
The tag does not know the time or its location
Localization privacy cannot be achieved when the tags are static and neither temporal nor location information is available.
The adversary A
― A can eavesdrop on, and schedule, all communication channels
― Adapt the model to allow for localization technologies and radio jamming technologies
― A must eavesdrop on at least one complete localization to localize a tag
― Tags must backscatter; they cannot be capacitive or inductive.
The adversary A
― A can be ubiquitous or local
― With ubiquitous adversaries we can have localization privacy for the first interrogation only
― With local adversaries we can have localization privacy for multiple tag interrogations---but the model is weak
Protocol 1 provides implicit mutual authentication with localization privacy for one-time tag interrogation applications against a ubiquitous adversary. For applications where the tags may be interrogated several times we only get weak localization privacy.
Protocol 2 provides implicit mutual authentication with localization privacy for one-time tag interrogation applications against a ubiquitous adversary. For applications where the tags may be interrogated several times we only get weak localization privacy.
Protocol 3 provides only implicit mutual authentication with weak localization privacy, unless highly synchronized clocks are available.
Localization privacy cannot be achieved when the tags are static if neither temporal nor location information is available.
Theorems
Secure localization
― Privacy --- unlinkability
― Integrity --- the effect of radio jamming attacks and localization/NLJ attacks
― Availability --- the effect of radio jamming and localization/NLJ attacks
Any questions?
Publications: http://www.cs.fsu.edu/~burmeste/pubs.html