RFID Authentication: Security, Privacy and the Real World

Size: px

Start display at page:

Download "RFID Authentication: Security, Privacy and the Real World"

Charleen Kelley
6 years ago
Views:

1 RFID Authentication: Security, Privacy and the Real World ESC 2013 Jens Hermans KU Leuven - COSIC 15 January 2013

2 Introduction Cryptography in Daily Life RFID

3 Introduction Cryptography in Daily Life Security - Why?

4 Introduction Cryptography in Daily Life Privacy - Why? Das Kapital Insulin pump Underwear Membership implant Industrial espionage, user privacy

5 Introduction Cryptography in Daily Life Threat Analysis / Requirements Privacy + Security + Supply Chain Public Transport Car Keys Payments Access Control Passports

6 RFID Security & Privacy 1 RFID Security & Privacy Provable Security/Privacy Insider Attacks Requirements 2 Protocols (Research) 3 Protocols (Industry) 4 Protocol Design Lightweight Cryptography Design Performance 5 Conclusions and Future Perspectives

7 RFID Security & Privacy RFID Privacy: goals... ID = u , S =... ID =? { (ID=u , P=...),...}

8 RFID Security & Privacy RFID Privacy: goals #Tags? ID = u , S =... Link? ID = u , S =...

9 RFID Security & Privacy Different Privacy Solutions Protocol Level Privacy Kill Command Destroy Tag Shielding (Read Range Reduction)...

10 RFID Security & Privacy Provable Security/Privacy Protocol Analysis... Properties: ID = u , S =... Security Privacy: untraceability Allow corruption ID =? { (ID=u , P=...),...}

11 RFID Security & Privacy Provable Security/Privacy Provable Security & Privacy System Adversary Adversary wins if...

12 RFID Security & Privacy Provable Security/Privacy Corrupting Tags

13 RFID Security & Privacy Provable Security/Privacy Privacy Models - Indistinguishability Encryption: RO A B Privacy-models: Juels-Weis IND-CPA Vaudenay IND-CCA Hermans et al. IND-CCA2...

14 RFID Security & Privacy Provable Security/Privacy Privacy Levels Strong Forward Weak Narrow Wide at end at end

15 RFID Security & Privacy Provable Security/Privacy Privacy Requirements Privacy Level Application Narrow Weak Supply Chain Narrow Forward Smart Products Wide Weak Wide Forward Car Keys Payments Access Tokens Passports Public Transport

16 RFID Security & Privacy Insider Attacks Insider Attacks System Adversary Insider Tag

17 RFID Security & Privacy Requirements Privacy Requirements Privacy Level Application Narrow Weak Narrow Forward Wide Weak Supply Chain Smart Products Car Keys Payments Wide Forward + InsiderWide Forward + Insider Access Tokens Currently: Wide Strong Passports Public Transport

18 Protocols (Research) 1 RFID Security & Privacy Provable Security/Privacy Insider Attacks Requirements 2 Protocols (Research) 3 Protocols (Industry) 4 Protocol Design Lightweight Cryptography Design Performance 5 Conclusions and Future Perspectives

19 Protocols (Research) PRF (Block cipher) based [ISO/IEC ] State: x j Tag T Secrets: DB = {x j } Reader c c R {0,1} n p R {0,1} m r = F x (c p) r,p Search x j DB s.t.f xj (c p) = r Privacy Wide-Weak

20 Protocols (Research) Symmetric Key and Efficiency Damgård-Pedersen 08: Independent keys: inefficient O(n) Correlated keys: efficient O(log(n)) privacy loss Key Updating Higher Privacy Level (narrow forward) Desynchronization Attacks / Efficiency Problems Implementation cost?

21 Protocols (Research) EC Schnorr Protocol State: x j,y Tag T Secrets: y,db = {X j} Reader r R Z l R = rp R O? e e 0? s = x+er s Ẋ = sp er DB? Privacy None

22 Protocols (Research) Randomized Schnorr [BCI08] State: x j,y Tag T Secrets: y,db = {X j} Reader r 1,r 2 R Z l R 1 = r 1P,R 2 = r 2Y R 1,R 2 O? e s = ex+r 1 +r 2 s Ẋ = e 1 (sp R 1 y 1 R 2) DB Privacy Narrow Strong

23 Protocols (Research) Randomized Hash GPS [BCI09] State: x j,y Tag T Secrets: y,db = {X j} Reader r 1,r 2 R Z l R 1 = r 1P,R 2 = r 2Y z = H(R 1,R 2) R 1,R 2 O? e s = ex+r 1 +r 2 s,r 1,R 2 Verify z Ẋ = e 1 (sp R 1 y 1 R 2) DB Privacy Narrow Strong and Wide Forward

24 Protocols (Research) IND-CCA2 Encryption [Vau07] State: s j,id Tag T PK: K P. Secrets: DB = {s j } Reader c c R {0,1} n r = Enc KP (ID s j c) r ID s j c Dec KS (r) Search s j DB Privacy Wide Strong

25 Protocols (Research) Performance Protocol Privacy Ins. Ext. Snd. Operations Schnorr no no yes 1 EC mult Randomized Schnorr narrow-strong no yes 2 EC mult Rand. Hashed GPS narrow-strong no yes 2 EC mult wide-forward 1 hash Vaudenay wide-strong yes no 2 EC mult + DHIES 1 hash 1 MAC 1 symm enc Hash ElGamal wide-strong yes no 2 EC mult 1 hash 1 MAC

26 Protocols (Research) Lightweight Cryptography? Limits: Area ( ) Time Power Energy

27 Protocols (Research) Typical Ingredients for Protocols Primitive Status RNG OK? Key Update??? Block Cipher OK Hash Function OK ECC OK???

28 Protocols (Industry) 1 RFID Security & Privacy Provable Security/Privacy Insider Attacks Requirements 2 Protocols (Research) 3 Protocols (Industry) 4 Protocol Design Lightweight Cryptography Design Performance 5 Conclusions and Future Perspectives

29 Protocols (Industry) Scope ISO/IEC JTC 1 SC31: Automatic identification and data capture techniques Features: Tag authentication Reader authentication Mutual authentication Secure data exchange Target platform: passive & active tags.

30 Protocols (Industry) Proposals Tag Auth Reader Auth Mutual Auth Privacy Protocol Block cipher based (3) ( ) ( ) HB-2 ( ) Stream cipher based XOR ECC Static DH CryptoGPS ECDSA/DH TLS PK Encryption - Rabin

31 Protocol Design Design 1 RFID Security & Privacy Provable Security/Privacy Insider Attacks Requirements 2 Protocols (Research) 3 Protocols (Industry) 4 Protocol Design Lightweight Cryptography Design Performance 5 Conclusions and Future Perspectives

32 Protocol Design Design New Protocol [Peeters, Hermans 2012] Design protocol: Correct Extended soundness (At least) Wide Forward + Insider privacy Efficient

33 Protocol Design Design EC Schnorr Protocol State: x j,y Tag T Secrets: y,db = {X j } Reader r R Z l R = rp R O? e e 0? s = x+er s Ẋ = sp er DB?

34 Protocol Design Design Lightweight Elliptic Curve Cryptography P y Q x Implementation [LBSV10]: Area (14.5 kge) Time (85ms) Power (13.8 W) Energy (1.18 J) R

35 Protocol Design Design Key Assumptions Oracle Diffie-Hellman Assumption (A = ap,b = bp,abp) (A = ap,b = bp,rp) with extra O(Z) := xcoord(bz)p. X Logarithm xcoord(rp)p r P

36 Protocol Design Design New Protocol State: x,y = yp Tag T Secrets: y DB : {X i = x ip} Reader R r 1,r 2 R Z l R 1 = r 1P,R 2 = r 2P e e R Z l d = xcoord(xcoord(r 2Y)P) s = x+er 1 +d d = xcoord(xcoord(yr 2)P) Ẋ = (s d)p er 1 DB?

37 Protocol Design Design New Protocol - Extended Soundness State: x,y = yp Tag T Secrets: y DB : {X i = x ip} Reader R r 1,r 2 R Z l R 1 = r 1P,R 2 = r 2P e e R Z l d = xcoord(xcoord(r 2Y)P) s = x+er 1 +d d = xcoord(xcoord(yr 2)P) Ẋ = (s d)p er 1 DB? Extended Soundness Schnorr protocol extended soundness (OMDL assumption)

38 Protocol Design Design New Protocol - Privacy State: x,y = yp Tag T Secrets: y DB : {X i = x ip} Reader R r 1,r 2 R Z l R 1 = r 1P,R 2 = r 2P e e R Z l d = xcoord(xcoord(r 2Y)P) s = x+er 1 +d ḋ = xcoord(xcoord(yr 2)P) Ẋ = (s ḋ)p er1 DB?

39 Protocol Design Design Something symmetric? Final step: s = x +d +er 1 Assume set X = {x 0,...,x n } and set I = {ι 0,...,ι m }. 1 Adversary gets I 2 Set of oracles: { x α d i if b = 0 O 1(α,β) := x β d i if b = 1 O 2(s,i) := s d i X I O 3(s) := s X I 3 Adversary gets X, outputs guess g, d i R {0,1} l

40 Protocol Design Design Something for wide strong privacy? Assume set X = {x 0,...,x n } 1 Adversary gets X 2 Interact with oracles: { x αd i +e i if b = 0 O 1(α,β) := x β d i +e i if b = 1 O 2(s,i) := d 1 i (s e i ) X 3 Output guess g., d i,e i R Z l

41 Protocol Design Performance Performance Protocol Privacy Ins. Ext. Snd. Operations Schnorr no no yes 1 EC mult Randomized Schnorr narrow-strong no yes 2 EC mult Rand. Hashed GPS narrow-strong no yes 2 EC mult wide-forward 1 hash Vaudenay wide-strong yes no 2 EC mult + DHIES 1 hash 1 MAC 1 symm enc Hash ElGamal wide-strong yes no 2 EC mult 1 hash 1 MAC Our Protocol wide-forward-insider yes yes 4 EC mult - optimised version wide-forward-insider yes yes 2 EC mult Wide-Strong protocol wide-strong yes yes 4-5 EC mult

42 Conclusions and Future Perspectives Summary Overview RFID Privacy RFID Protocols Implementation Aspects New Private & Efficient RFID Protocol

43 Conclusions and Future Perspectives?

Wide Strong Private RFID Identification based on Zero-Knowledge

Wide Strong Private RFID Identification based on Zero-Knowledge Roel Peeters and Jens Hermans KU Leuven - ESAT/COSIC and iminds Kasteelpark Arenberg 10/2446, 3001 Leuven, BELGIUM firstname.lastname@esat.kuleuven.be