Protection of the Users Privacy in Ubiquitous RFID-based Systems

Size: px

Start display at page:

Download "Protection of the Users Privacy in Ubiquitous RFID-based Systems"

Ralf Davis
6 years ago
Views:

1 Protection of the Users Privacy in Ubiquitous RFID-based Systems Ivan Gudymenko Hauptseminar Technischer Datenschutz 1

2 Outline Intro E-ticketing Personal Belongings Management Conclusion and future work 2

3 Outline Intro E-ticketing Personal Belongings Management Conclusion and future work 3

4 Intro UbiComp systems based on RFID Privacy issues address serious concerns Motivation: making UbiComp privacy-respecting Two use cases: E-ticketing Personal Belongings Management 4

5 Outline Intro E-ticketing Personal Belongings Management Conclusion and future work 5

6 E-ticketing: A General Scenario 6/0123%4"5678"0123(-.796:"3(7;;<-6=#89(*01796:"3%7;;<-6=#8:!"#$%&'#( )$*#+$,-#$./ 0+$1(,'2$/ &'()%*+",,-./(0.-1!"#$#%&'()*+,"-%. 0+$1('/) ;#+45".$(,<,1"= 23" /012:!"#$"% 23"+45*01! ($-,1#.+"(+#>+0>#1-*.! (?->>-./! (+0,1*="%(#++*0.1,(=/=1@! (,1#1-,1-+, 6

Privacy Concerns in E-ticketing Privacy Protection Goals: Unintended customer identification exposure of customer ID (direct and indirect) 1. Anonymity 2. Confidentiality 3.

7 Privacy Concerns in E-ticketing Privacy Protection Goals: Unintended customer identification exposure of customer ID (direct and indirect) 1. Anonymity 2. Confidentiality 3. Unlinkability 4. Unobservability unencrypted ID during the anti-collision session physical layer identification (RFID fingerprinting) Information linkage Illegal customer profiling 7

8 Privacy Concerns in E-ticketing: Countermeasures 8

9 E-ticketing: Standards Stack *2,&3('45* /+'$,&)4 0,'1&)+')$,+.()(*&%)+,-('+/!"##$%&'()&"%*&%)+,-('+* Aimed at providing interoperability Many existent solutions are still proprietary, though 9

10 Privacy-related Issues: Architecture Level ISO EN *2,&3('45* /+'$,&)4 0,'1&)+')$,+.()(*&%)+,-('+/!"##$%&'()&"%*&%)+,-('+* Coarsely-specified, general privacy requirements: data minimization user consent acquisition customer confidentiality No recommendations for further implementation 10

11 Privacy-related Issues: Data Interfaces Level *2,&3('45* /+'$,&)4 0,'1&)+')$,+.()(*&%)+,-('+/!"##$%&'()&"%*&%)+,-('+* 11

12 Privacy-related Issues: Data Interfaces Level EN *2,&3('45* /+'$,&)4 0,'1&)+')$,+.()(*&%)+,-('+/!"##$%&'()&"%*&%)+,-('+* Specification of a generic Security Subsystem Access control to privacy-relevant fields further defined in EN

13 Security Subsystem in EN %&#'()"*!"#$%&#'()$ (#'*!"#$ 9+ ; 9($)' +$/.%,"'# +$/.%,"';!"#$%&'#()!"#$%&'#(2 * $'++,#-(./ $'++,#-(,/ $'++,#-(0/ $'++,#-(3/ $'++,#-(&/ $'++,#-($/ 1 H"$;'0I.-&$5= J"$E#'* (0KK#1*9!"+$%&#'()$ #,,-.(#/.01 &1/3'41-1'!,-./ $ 438$'&9:-/7 ;<87$36=7$ 438$*#/#$>'0:,"!"#$+,&-.#(/0 1")"2&'&)/+30,/&' 9+ : $/.%,"2 +$/.%,"'# +$/.%,"':!"#$%&'#()!"#$%&'#(4 * $'++,#-(./ $'++,#-(-/ $'++,#-(0/ $'++,#-(5/ $'++,#-(&/ $'++,#-(6/ 1 +$/.%,"'#!"#$%&'#() * $'++,#-(./ $'++,#-(0/ $'++,#-(&/ 1!"#$!%&' ()))* +,-./012.!"#"$%&'&($) )$%*"$ +,(-./$0123"&%.%& )$%*"$ 41-1'5/678'!,-./012.?3@5AB7$ %3CD7 E@3C837 FG=5AB7 5(-('!$/632 75!8 9($) )(-( 4"/"+5#6.7+3&-.#(/0 1")"2&'&)/+30,/&' 5!+ ; 5! 5!+ : 5!+ < +$/.%,"2 13

14 Privacy-related Issues: Data Interfaces Level EN 1545 *2,&3('45* /+'$,&)4 0,'1&)+')$,+.()(*&%)+,-('+/!"##$%&'()&"%*&%)+,-('+* Privacy-relevant data fields (customer number, birth date, etc.) Access control and encryption for protection 14

15 Privacy-relevant Fields in EN Privacy-relevant field Description birth date - birth name - birth place - customer number customer reference number device ID can be linked to a particular customer address - telephone number - postal address - location ID - customer profile ID e.g. student, military, resident, etc. user data additional information about a customer 15

16 Privacy-related Issues: Data Interfaces Level ISO *2,&3('45* /+'$,&)4 0,'1&)+')$,+.()(*&%)+,-('+/!"##$%&'()&"%*&%)+,-('+* Secure messaging mechanisms Can be used for protecting privacy-critical data 16

17 Privacy-related Issues: Communication Interface *2,&3('45* /+'$,&)4 0,'1&)+')$,+.()(*&%)+,-('+/!"##$%&'()&"%*&%)+,-('+* Solely functionality-oriented No security or privacy mechanisms considered Customer ID exposure during the anti-collision session and physical layer identification: to be solved here 17

18 Privacy-related Issues: Summary AL DIL CIL 18

19 Privacy-related Issues: Summary (2) Security mechanisms are considered in the first place Customer privacy more as a by-product Privacy issues are not explicitly addressed across the stack Proprietary solutions act in a similar way (ITSO, CALYPSO, MIFARE) Develop an approach explicitly addressing privacy in a cross-layer fashion and across system components 19

20 Outline Intro E-ticketing Personal Belongings Management Conclusion and future work 20

21 A General Scenario!"#$!!"#$%!&'()*+,)-.,-)/!!0/)+1'*2!,)*.3&'4!5/6&./!! )*+,$-!"#$%&'()*+,- %&&'($!!"#$%!&'()*+,)-.,-)/!!0/)+1'*2!,)*.3&'4!5/6&./!!!0/)+1'*2!,)*.3&'4!5/6&./!1'27!! 21

22 Key Differences to E-ticketing The requirement to track items from a certain distance No validation step is required Anonymization is easier Only a few readers (e.g. a portable one, at work and at home) Compliance to the Standards Stack not required (weaker interoperability?) Develop a privacy-respecting solution for personal belongings management 22

23 Outline Intro E-ticketing Personal Belongings Management Conclusion and future work 23

24 Conclusion Two use cases for the PhD dissertation have been discussed Focus on user privacy No decent cross-layer, cross-component solution with respect to privacy has been developed so far 24

25 Future Work Further research on partial solutions developed so far Identify what can be done for a decent cross-layer, cross-component solution Focus on the issues representing a particular interest for a research community and industry 25

26 Time Plan: Near Future May 2012 Finish State-of-the-Art: - proprietary solutions - focus papers Privacy-preserving protocol evaluation June 2012 July/August 2012 Specific tasks determination Core concept development Requirements paper for doctoral symposium 26

27 References [JP02] Ari Juels and Ravikanth Pappu. Squealing Euros: Privacy Protection in RFID-Enabled Banknotes. In Financial Cryptography 03, pages Springer-Verlag, [LLY08-a] Tong-Lee Lim, Tieyan Li, and Sze-Ling Yeo. Randomized Bit Encoding for Stronger Backward Channel Protection in RFID Systems. In Proceedings of the 2008 Sixth Annual IEEE International Conference on Pervasive Computing and Communications, PERCOM 08, pages 40 49, Washington, DC, USA, IEEE Computer Society. [LLY08-b] Tong-Lee Lim, Tieyan Li, and Sze-Ling Yeo. A Cross-layer Framework for Privacy Enhancement in RFID systems. Pervasive and Mobile Computing, 4(6): , [Gud11] [CR06] Ivan Gudymenko. Protection of the Users Privacy in Ubiquitous RFID Systems. Master s thesis, Technische Universität Dresden, Faculty of Computer Science, December Wonjoon Choi and Byeong-hee Roh. Backward Channel Protection Method for RFID Security Schemes Based on Tree-Walking Algorithms. In Marina Gavrilova, Osvaldo Gervasi, Vipin Kumar, C. Tan, David Taniar, Antonio Lagan a, Youngsong Mun, and Hyunseung Choo, editors, Computational Science and Its Applications - ICCSA 2006, volume 3983 of Lecture Notes in Computer Science, pages Springer Berlin / Heidelberg,

28 Thank you very much for your attention! Questions? Comments? Suggestions? 28

29 Back-up Slides 29

30 Logical Interfaces in EN 15320: States Transitional Diagram 30

Developing Privacy-respecting E-ticketing Systems. Ivan Gudymenko

Developing Privacy-respecting E-ticketing Systems Ivan Gudymenko Klausurtagung II/2012 Outline E-ticketing Systems Under Concern: E-ticketing: A General Application Scenario Fare Collection Approaches