RFID privacy
Foundations of Secure e-Commerce (bmevihim219)
Dr. Levente Buttyán
Associate Professor
BME Hálózati Rendszerek és Szolgáltatások Tanszék
Lab of Cryptography and System Security (CrySyS)
© Buttyán Levente, HIT, Budapesti Műszaki és Gazdaságtudományi Egyetem

Outline
- RFID applications
- RFID architecture
- security and privacy threats
- prevention of tracking at the application layer
- privacy problems at lower layers

Introduction
- RFID = Radio-Frequency Identification
- allows us to identify objects or subjects with neither physical nor visual contact
  • need to place a transponder on or in the object and query it remotely using a reader
- the principle is fundamentally not new
  • identify-friend-or-foe system of the Royal Air Force in WWII to distinguish allied aircraft from enemy aircraft
  • motorway tolls, ski lifts, identification of livestock and pets, automobile ignition keys …
- RFID is becoming interesting due to the ability to develop very small and cheap transponders called “electronic tags”
  • offer only weak computation and storage capabilities
  • passively powered by the reader’s electromagnetic field
  • communication distance is relatively short (a few meters)
  • when outside of the reader’s field, tags are inert
  • low cost, small size → can be deployed at very large scale
  • pose new security and privacy problems!

Example applications
- access control
  • current access control systems in buildings often use RFID-based wireless tokens, e.g., cards or badges
- RFID in the automobile sector
  • keyless entry using a key fob that contains an active RFID tag
  • passive entry systems automatically unlock doors when the driver carrying a passive RFID tag approaches the car
  • appeared recently, e.g., on Renault Laguna, Mercedes-Benz S-class, CL-class, and Toyota Lexus LS430
  • many car keys have an RFID device integrated into them which activates the fuel injection system (anti-theft measure)
  • car keys can be replaced with cards that stay in the driver’s pocket

Example applications (cont’d)
- supply chain
  • the idea is to replace barcodes with low cost RFID tags
  • advantages
    – tags can be scanned quickly in large quantities
    – no need for visual channel
    – tags can be placed right on or in objects, instead of the packaging
    – tags may contain unique identifiers for individual objects
  • facilitates management of objects throughout the entire supply chain (manufacturing, storage, distribution, …)
  • stock and inventories in supermarkets and warehouses are a primary application domain (e.g., Wal-mart, Metro, Migros, …)
- RFID in libraries
  • a tag in each volume makes borrowing and returning books easier
  • inventories can be carried out without taking books from the shelves
  • examples: K.U. Leuven (Belgium), Santa Clara (United States), Heiloo (Netherlands), Richmond Hill (Canada), …

Example applications (cont’d)
- subdermal tags
  • RFID based identification of domestic animals is done routinely today
  • identification of people ???
    – nightclubs (e.g., Baja Beach Club, Barcelona)
    – VIPs (e.g., members of a special organization)
    – prisoners
- electronic IDs (passports, ID cards)
  • already in use today
  • chip in the passport contains biometric information of the bearer
- electronic payment systems
  • electronic toll collection (e.g., EZ Pass)
  • automated fare collection (AFC) in public transport systems
  • contactless payment cards (e.g., Mastercard PayPass)

Applications in the future
- smart and easy shopping
  • fast check-out at point-of-sale terminals
    – terminal reads all tags in the shopping cart in a few seconds
    – payment can be sped up using contactless credit cards
  • return items without receipt
    – no need to keep receipts of purchased items
  • tracking faulty or contaminated products
    – object IDs can serve as indices into purchase records
    – one can easily list all records that contain IDs belonging to a particular set of products and identify consumers that bought those products
- smart household appliances
  • washing machine can select the appropriate program by reading the tags attached to the clothes
  • refrigerator can print shopping lists automatically or even order food on-line
- interactive objects
  • consumers can interact with tagged objects through their mobile phones acting as an RFID reader (NFC – Near Field Communications technology)
  • the mobile phone can download and display information about scanned objects (e.g., movie poster, furniture, etc.)

RFID system architecture
- RFID system elements
  • RFID tags + RFID reader(s) + back-end infrastructure
- RFID tag = microcircuit + RF antenna
[Figure: the reader sends a request to the tags over RF communications; a tag returns a response (ID); the reader passes the ID to the back-end infrastructure and processing]

RFID tag characteristics
- power
  • active tags have their own battery
  • passive tags have no internal energy source
    – obtain energy from the reader’s electromagnetic field
    – reflect reader’s RF signal and modulate it with information to be sent
  • semi-passive tags have battery but use it only for internal calculations
    – power for communication is obtained from the reader
- communication range
  • depends on frequency and transmission power
    – low frequency (LF) and high frequency (HF) tags: few decimeters
    – ultra-high frequency (UHF) tags: several meters
  • note: by using specific antennas and transmission powers above the legal limits, we can largely surpass these ranges
  • note: information sent by a reader (forward channel) can be captured at a much greater distance than information sent by a tag (backward channel)

RFID tag characteristics (cont’d)
- memory
  • tags contain a minimum number of memory bits to store their identifier (between 32 and 128 bits)
  • depending on the target application, tags can have ROM, EEPROM, RAM or SRAM
  • electronic anti-theft devices (EAS, Electronic Article Surveillance) that can be found on many items require only one bit (enabled EAS / not enabled EAS)
    – they do not really allow object identification, only detection
- computing power can vary in a wide range:
  • no computational capabilities, only memory that can be remotely accessed
  • only simple logical operations (e.g., XOR and AND)
  • a few thousand logical gates that allow for symmetric key encryption and hash
  • more evolved tags could use asymmetric key crypto, but those are expensive

RFID tag characteristics (cont’d)
- physical characteristics
  • typically antenna size determines the size of the tag
  • antenna size depends on the communication range and frequency
  • smallest tag today is µ-tag from Hitachi (~0.4 mm)
- tamper resistance
  • infeasible for low cost tags (low cost ~ few Euro cents)

Some specific examples

Various RFID tags
[Figure labels: logistic and industry; key fob; CD label; nail tag; livestock and pets; logistic and industry (naked)]

Various RFID readers

Related standards
- ISO
  • 14443: proximity cards (A – Mifare, B – Calypso)
  • 15693: vicinity cards (can be read from a larger distance than proximity cards)
  • 18000: describes a series of diverse RFID technologies, each utilizing a unique frequency band
- EPC (Electronic Product Code)
  • established by EPCGlobal, a non profit organization made up of several companies and academics
  • promotes very low cost RFID technology with the goal of integrating it into supply chains
  • Class 1: unique identifier (a code that allows the identification of the product to which the tag is attached), and a function permitting the definitive destruction of the tag
  • Class 2: more memory and authentication functions
  • Class 3: semi-passive tags
  • Class 4: active tags, which can potentially communicate with each other
  • currently only Class 1 is fully specified → ISO 18000-6

Objectives: identification and authentication
- (mutual) authentication
  • an authentication protocol allows a reader to be convinced of the identity of a queried tag
  • in case of mutual authentication, the protocol allows a tag to be convinced of the identity of a querying reader
- identification
  • an identification protocol allows a reader to obtain the identity of a queried tag, but no proof is required
  • in many cases, identification is sufficient (e.g., inventory in a warehouse), although requirements also depend on the adversary model

Basic protocols
- identification
    R(eader) → T(ag): request
    T → R: ID
- authentication
    R: pick a random number N
    R → T: N
    T: compute F(ID, N)
    T → R: ID, F(ID, N)
  where F is some (not necessarily strong) crypto function, e.g., an encryption or a keyed hash

Security threats
- impersonation
  • the adversary can (with non-negligible probability) successfully complete the authentication protocol in the name of a tag
  • relevant only for authentication protocols, because identification protocols are trivially vulnerable to impersonation (no proof of identity is required)
  • countermeasures need strong crypto and proper key management
  • all tags sharing the same crypto key is not a good approach
    – tags are not tamper resistant
    – compromising a single tag allows the adversary to impersonate any other tag
  • tags must have individual keys
    – key diversification techniques are applicable
    – once the tag identifies itself, the reader (back-end system) can look up the tag key in a database, or compute it on-the-fly using some master key

Security threats (cont’d)
- relay (wormhole) attack
  • the adversary relays messages between a legitimate reader and a legitimate tag that is remote
  • all systems that assume that a successful run of the protocol via the RF interface means that the tagged object or person is present are defeated (e.g., access control systems, car anti-theft systems, inventory systems, …)
  • the feasibility of such relay attacks has been demonstrated
  • defense is difficult, crypto alone does not help
  • distance-bounding protocols have been proposed …

Distance-bounding protocols
- estimate the distance between the parties from the round trip time
  • rapid bit exchange in multiple rounds
  • essentially, no computation during the distance estimation phase
  • challenge-response principle to avoid that one party can send earlier than the reception of the other’s last message
  • estimated distance is only an upper bound on the real distance (because any party can always delay responses)
  • if the parties are really far away, then estimated distance cannot be small (it is larger than the real distance) → relay attack is detected
  • however, false positives are possible

Example: Hancke-Kuhn protocol
- protocol:
    R : pick a nonce r and generate bits C_1, …, C_n
    R → T : r
    T : compute h(K|r) and split result into R^(0)_1, …, R^(0)_n, R^(1)_1, …, R^(1)_n
    T → R : ID
    R → T : C_1
    T → R : R^(C_1)_1
    …
    R → T : C_n
    T → R : R^(C_n)_n
    R : look up K that belongs to ID, compute h(K|r) and split result into R’^(0)_1, …, R’^(0)_n, R’^(1)_1, …, R’^(1)_n, and for all i, compare R^(C_i)_i with R’^(C_i)_i
  (the exchange of C_i and R^(C_i)_i is the distance estimation phase)
- properties:
  • tag authentication (prob. 1-(1/2)^n) with distance bounding (prob. 1-(3/4)^n)
  • tag does not need to do computation during the distance estimation phase
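The reader-side check of the Hancke-Kuhn exchange, as an added example that is not part of the original slides: the tag precomputes both registers, answers each challenge bit with a lookup, and the reader rejects on a wrong bit or on a round-trip time that implies too large a distance. SHAKE-256 as h, the simulated one-way delay, the 3 m limit and all names are assumptions made for illustration.

```python
import hashlib
import secrets

C_M_PER_NS = 0.299792458  # speed of light in metres per nanosecond


def registers(key: bytes, nonce: bytes, n: int):
    """h(K|r) split into R^(0)_1..n and R^(1)_1..n (SHAKE-256 as h is an assumption)."""
    digest = hashlib.shake_256(key + nonce).digest((2 * n + 7) // 8)
    bits = [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(2 * n)]
    return bits[:n], bits[n:]


def distance_bound_m(rtt_ns: float) -> float:
    """Upper bound on the tag's distance implied by one round-trip time."""
    return C_M_PER_NS * rtt_ns / 2


class Tag:
    def __init__(self, tag_id: str, key: bytes, n: int):
        self.tag_id, self.key, self.n = tag_id, key, n

    def start(self, nonce: bytes) -> str:
        # All computation happens here, before the timed phase.
        self.r0, self.r1 = registers(self.key, nonce, self.n)
        self.round = 0
        return self.tag_id

    def respond(self, challenge_bit: int) -> int:
        # Timed phase: a register lookup only, no computation.
        bit = (self.r1 if challenge_bit else self.r0)[self.round]
        self.round += 1
        return bit


def reader_verify(tag, key_db, n, one_way_delay_ns, max_distance_m=3.0):
    """Run the protocol against `tag`; the channel delay is simulated, not measured."""
    nonce = secrets.token_bytes(16)
    challenges = [secrets.randbelow(2) for _ in range(n)]
    key = key_db.get(tag.start(nonce))
    if key is None:
        return False
    rounds = [(c, tag.respond(c), 2 * one_way_delay_ns) for c in challenges]
    exp0, exp1 = registers(key, nonce, n)
    for i, (c, bit, rtt_ns) in enumerate(rounds):
        if bit != (exp1 if c else exp0)[i]:
            return False  # response does not match h(K|r): wrong key
        if distance_bound_m(rtt_ns) > max_distance_m:
            return False  # reply took too long: tag is not nearby
    return True


def demo(n=64):
    key_db = {"tag-1": b"\x11" * 16}             # constructed sample key
    genuine = Tag("tag-1", key_db["tag-1"], n)
    wrong_key = Tag("tag-1", b"\x22" * 16, n)
    return (
        reader_verify(genuine, key_db, n, one_way_delay_ns=5),    # about 1.5 m away
        reader_verify(genuine, key_db, n, one_way_delay_ns=500),  # relayed, about 150 m
        reader_verify(wrong_key, key_db, n, one_way_delay_ns=5),
    )
```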

An attack on the H-K protocol
    R : pick a nonce r and generate bits C_1, …, C_n
    R → A(T) : r
    A(R) → T : r
    T : compute h(K|r) and split result into R^(0)_1, …, R^(0)_n, R^(1)_1, …, R^(1)_n
    T → A(R) : ID
    A(R) sends 0, …, 0 to T and receives R^(0)_1, …, R^(0)_n
    A(R) → T : r
    T : compute h(K|r) and split result into R^(0)_1, …, R^(0)_n, R^(1)_1, …, R^(1)_n
    T → A(R) : ID
    A(R) sends 1, …, 1 to T and receives R^(1)_1, …, R^(1)_n
    A(T) → R : ID
    A(T) responds to any challenge C_i of R without communicating remotely with T
    verification at R is successful, distance bounding is defeated

Privacy threats
- in most of the applications, RFID tags respond to the reader’s query automatically, without authenticating the reader (only the tag authenticates itself)
- interaction usually reveals tag specific information (typically the ID stored in the tag, or even more)
- clandestine scanning of tags is a plausible threat
- two particular privacy problems:
  • inventorying
  • tracking

Inventorying
- a reader can silently determine what objects a person is carrying
  • reader-tag interaction may reveal more than an ID (e.g., title of a tagged book, name of a tagged medicine, …)
  • object can be identified by resolving the ID read from the tag
[Figure: a person carrying tagged items: watch: Casio; book: Applied Cryptography; shoes: Nike; suitcase: Samsonite; jeans: Lee Cooper]

Tracking
- set of readers can determine where a given person is located
  • trivial if tags use unique identifiers
  • even if tag response is not unique, it is possible to track a constellation of a set of particular tags (or tag types/standards!!!)
[Figure: readers at different locations observe the same set of tags: IDs 12, 34, 56, 78 @ 7:32; IDs 12, 34, 56, 78 @ 7:45; IDs 12, 34, 56, 78 @ 8:03; IDs 12, 34, 56, 78 @ 8:21]

Is this really a problem?
- other technologies also permit the tracking of people (e.g., video surveillance, GSM, Bluetooth)
- however, consider the following:
  • RFID tags permit everybody to track people using low cost equipment
  • tags cannot be switched off easily
    – physical or electronic destruction of tags during checkout
    – but how to verify that operation was successful???
  • tags can be easily hidden, their lifespan is not limited, and analyzing the collected data can be efficiently automated
  • although nominal reading distance is only a few decimeters or meters, a more efficient antenna and larger power could be used to go beyond the presupposed limits
  • in many cases, an adversary can get close enough (e.g., public transport)
  • current trend is towards UHF systems, where the communication distance is larger than in LF/HF systems

Is this really a problem?
- http://www.boycottbenetton.com/
  • Press release: Benetton selects Philips to introduce smart labels across 5,000 worldwide stores
  • Press release: Hidden sensors in clothing may fuel global surveillance network
  • Press release: Benetton has publicly retreated from plans to fit clothing with tiny remote surveillance and tracking chips
- http://www.boycottgillette.com/spychips.html
  • Gillette has been caught hiding tiny RFID surveillance chips in the packaging of its shaving products. These tiny, high tech spy tags are being used to trigger photo taking of unsuspecting customers!
  • "The world's stupidest anti-shoplifting campaign" - CommsWorld
- http://www.bigbrotherawards.org/
  • In their "Future Store", a supermarket of the "Extra" chain in Rheinberg near Duisburg (opened in April 2003 with a well-advertised event featuring Claudia Schiffer), the Metro Group are trialing the use of transponders or so-called RFIDs ("Radio Frequency Identification" devices).
  • For its instigation and the related marketing concepts, the Metro Group is receiving an exemplary and future-oriented Big Brother Award.

Dead tags tell no tales
- idea: permanently disable tags with a special “kill” command
- part of the EPC specification
- advantages:
  • simple
  • effective
- disadvantages:
  • eliminates all post-purchase benefits of RFID for the consumer and for society
    – no return of items without receipt
    – no smart household appliances
    – …
  • cannot be applied in some applications
    – library
    – e-passports
    – banknotes
- similar approaches:
  • put RFID tags into price tags or packaging which are removed and discarded

“Sleep” command
- idea:
  • instead of killing the tag definitively, put it in sleep mode
  • tag can be re-activated if needed
- advantages:
  • simple
  • effective
- disadvantages:
  • difficult to manage in practice
    – tag re-activation must be password protected
    – how will consumers manage hundreds of passwords for their tags?
    – passwords can be printed on tags, but then they need to be scanned optically or typed in by the consumer

Other similar approaches
- Faraday cage
  • can be effective in some applications (e.g., passports, money wallets)
  • may not be usable in others (e.g., clothes, subdermal)
- clipped tags
  • tag’s antenna can be physically separated from the chip
  • reactivation of the tag can only be done intentionally

On crypto based approaches
- tag should not send ID in clear
- public key crypto would solve the problem
  • ID is encrypted with the public key of the reader
  • only the reader can decrypt it
  but public key crypto is not available for low cost tags
- symmetric encryption with a common shared key
  • enough to compromise a single tag, and then all tags become traceable
- symmetric encryption with individual tag keys
  • encryption must be randomized !!!
  • reader needs to search through the entire set of tag keys and attempt decryption with them (no hint on the key/identity can be provided to the reader)
- ID refreshment (pseudonyms)
  • adversary should not be able to tell the difference between the information sent by the tag and a random value
  • information sent by the tag should only be used once

Weis-Sarma-Rivest-Engels protocol
- setup
  • each tag is initialized with a randomly chosen identifier ID
  • system stores an entry for each tag in its database that contains ID
- protocol
    R → T : request
    T : pick a random number r, and compute s = h(ID|r)
    T → R : r, s
    R : search through the database for the ID for which h(ID|r) = s
- an alternative
  • in theory, the hash function may leak information about its input (e.g., certain bits)
  • instead of hashing, s can be computed as s = ID XOR f_K(r), where K is a key shared between T and R, and f.(.) is a pseudo-random function
- a potential problem
  • no authentication is provided → an adversary can replay tag responses (impersonation)

Molnar-Wagner protocol
- setup
  • each tag is initialized with a randomly chosen identifier ID and a tag key K
  • the system stores an entry for each tag in its database that contains both ID and K
- protocol
    R : pick a random number a
    R → T : a
    T : pick a random number b, and compute s = ID XOR f_K(0|a|b)
    T → R : b, s
    R : search through the database for an (ID, K) pair for which ID XOR f_K(0|a|b) = s; if found, then compute t = f_K(1|a|b)
    R → T : t
- notes
  • the protocol provides mutual authentication
  • 0 and 1 serve as direction indicators
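A runnable sketch of the Molnar-Wagner exchange, added here as an illustration and not taken from the slides: it shows the reader's linear search over (ID, K) pairs, the tag checking t, and why a recorded (b, s) is useless against a fresh challenge a. HMAC-SHA256 truncated to the ID length as f_K, the 16-byte sizes and all class and function names are assumptions.

```python
import hashlib
import hmac
import secrets

ID_LEN = 16     # bytes; a, b and K use the same length here (assumption)


def prf(key: bytes, direction: int, a: bytes, b: bytes) -> bytes:
    """f_K(direction|a|b), instantiated with HMAC-SHA256 (assumption)."""
    msg = bytes([direction]) + a + b
    return hmac.new(key, msg, hashlib.sha256).digest()[:ID_LEN]


def xor(x: bytes, y: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(x, y))


class Tag:
    def __init__(self, tag_id: bytes, key: bytes):
        self.tag_id, self.key = tag_id, key

    def respond(self, a: bytes):
        self.a, self.b = a, secrets.token_bytes(ID_LEN)
        return self.b, xor(self.tag_id, prf(self.key, 0, a, self.b))

    def check_reader(self, t: bytes) -> bool:
        # Only a reader that knows K can produce f_K(1|a|b).
        return hmac.compare_digest(t, prf(self.key, 1, self.a, self.b))


class Reader:
    def __init__(self, db):
        self.db = db                      # {ID: K}

    def challenge(self) -> bytes:
        self.a = secrets.token_bytes(ID_LEN)
        return self.a

    def identify(self, b: bytes, s: bytes):
        # The response carries no hint about the key, so every entry is tried.
        for tag_id, key in self.db.items():
            if hmac.compare_digest(xor(tag_id, prf(key, 0, self.a, b)), s):
                return tag_id, prf(key, 1, self.a, b)
        return None, None


def demo():
    # Constructed database of 100 random (ID, K) pairs.
    db = {secrets.token_bytes(ID_LEN): secrets.token_bytes(ID_LEN) for _ in range(100)}
    tag_id, key = next(iter(db.items()))
    tag, reader = Tag(tag_id, key), Reader(db)

    a = reader.challenge()
    b, s = tag.respond(a)
    found, t = reader.identify(b, s)
    reader_ok = tag.check_reader(t)
    rogue_ok = tag.check_reader(secrets.token_bytes(ID_LEN))

    _, s_again = tag.respond(a)           # same challenge, fresh b
    reader.challenge()                    # reader moves on to a new a
    replayed, _ = reader.identify(b, s)   # old (b, s) no longer matches
    return {
        "identified": found == tag_id,
        "reader_accepted_by_tag": reader_ok,
        "rogue_reader_accepted": rogue_ok,
        "responses_differ": s_again != s,
        "replay_identified": replayed is not None,
    }
```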

Ohkubo-Suzuki-Kinoshita protocol
- setup
  • each tag maintains a state variable s
  • the system stores for each tag its ID and its initial state s_0
  • two hash functions h and g, and a system parameter m are agreed upon
- protocol
    R → T : request
    T : compute response r = g(s) and new state s = h(s)
    T → R : r
    R : search through the database and find the entry for which g(h^(i)(s_0)) = r for some 0 < i <= m
- notes
  • protocol provides forward privacy: even if a tag is compromised, its previous interactions cannot be associated with the tag (previous state of the tag cannot be computed due to the one-way property of h)
  • no authentication is provided → an adversary can replay tag responses (impersonation)

OSK protocol with authentication
- setup
  • same as before
- protocol
    R : pick a random number r
    R → T : r
    T : compute response a = g(r XOR s) and new state s = h(s)
    T → R : a
    R : search through the database and find the entry for which g(r XOR h^(i)(s_0)) = a for some 0 < i <= m; if found compute b = g(w XOR h^(i+1)(s_0)), where w is a fixed known value
    R → T : b
- notes
  • both versions are vulnerable to a DoS attack where an adversary queries the tag more than m times; such a victim tag can no longer identify itself to the system
  • if state is advanced only if a correct b is received from R, then privacy can be defeated by preventing T from receiving b: state is not updated, and T gives the same response to the same r as before
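The hash-chain mechanics of the basic OSK protocol and the desynchronization noted above, as an added simulation that is not part of the original slides. Domain-separated SHA-256 for h and g, the constructed initial states, and counting the chain from the tag's first response g(s_0) (so the back end tries positions 0 to m-1) are assumptions of this sketch.

```python
import hashlib


def h(state: bytes) -> bytes:
    """State-update hash (domain-separated SHA-256, an assumption)."""
    return hashlib.sha256(b"h" + state).digest()


def g(state: bytes) -> bytes:
    """Response hash (domain-separated SHA-256, an assumption)."""
    return hashlib.sha256(b"g" + state).digest()


class Tag:
    def __init__(self, s0: bytes):
        self.s = s0

    def respond(self) -> bytes:
        r = g(self.s)
        self.s = h(self.s)      # old state is overwritten, never stored
        return r


class Backend:
    def __init__(self, initial_states, m: int):
        self.db = dict(initial_states)   # ID -> s_0
        self.m = m

    def identify(self, r: bytes):
        # Walk each tag's chain for at most m positions.
        for tag_id, s in self.db.items():
            for i in range(self.m):
                if g(s) == r:
                    return tag_id, i
                s = h(s)
        return None


def demo(m: int = 8):
    s0_a, s0_b = b"A" * 32, b"B" * 32            # constructed initial states
    backend = Backend({"tag-A": s0_a, "tag-B": s0_b}, m)
    tag = Tag(s0_a)

    responses = [tag.respond() for _ in range(3)]
    hits = [backend.identify(r) for r in responses]

    # Forward privacy: starting from the tag's *current* state (as if it were
    # extracted now), hashing forward never reproduces an earlier response.
    state, reachable = tag.s, set()
    for _ in range(1000):
        reachable.add(g(state))
        state = h(state)
    past_recomputable = any(r in reachable for r in responses)

    # m unsolicited queries push the tag beyond the back end's search window.
    for _ in range(m):
        tag.respond()
    after_exhaustion = backend.identify(tag.respond())

    return {
        "hits": hits,
        "responses_distinct": len(set(responses)) == len(responses),
        "past_recomputable": past_recomputable,
        "after_exhaustion": after_exhaustion,
    }
```

A back end that tolerates this has to bound or monitor how far a tag's chain position runs ahead of the last accepted read; the search window m is the trade-off between lookup cost and tolerance.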

The HB protocol
- HB stands for Hopper and Blum’s secure human authentication protocol
  • involves only simple operations that even a human can perform such as XOR and AND
- basic idea:
  • tag and reader share a secret value x of k bits
  • reader sends a challenge a to the tag
  • tag computes the binary inner product a.x (involves only XOR and AND) and sends the result back
  • legitimate tag gives the right answer with prob. 1, while an impersonating adversary succeeds with probability ½
  • repeating the procedure can reduce the success probability of the adversary arbitrarily ((½)^n)
  • unfortunately, each run of the protocol leaks information about x, and ~k runs result in a system of linear equations (s.l.e.) that can be solved for x with Gaussian elimination
  • to thwart this, the tag injects noise in its responses, and sends a wrong result with probability 0 < q < ½
  • legitimate tag gives the right answer with prob. 1-q > ½, while an impersonating adversary succeeds with probability ½ → still distinguishable

The HB protocol (cont’d)
- setup
  • tag stores the secret value x (k bits long), and system parameter q
  • system stores for each tag its x value
- protocol
    R : pick a from {0, 1}^k uniformly at random
    R → T : a
    T : pick v from {0, 1} such that Pr{v = 1} = q, and compute s = a.x + v
    T → R : s
    R : for each entry x’ in the database, check if s = a.x’; after n rounds, the reader selects the entry that matches ~(1-q)·n times
- an active attack
  • an adversary can challenge the tag n times with the same a
  • tag responds with a.x ~(1-q)·n > n/2 times and a.x + 1 ~q·n < n/2 times → the value of a.x can be obtained
  • repeat multiple times with different linearly independent a values → system of linear equations can be solved for x
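How the reader tells a noisy genuine tag from a guesser in the HB protocol, as an added simulation that is not from the slides. The acceptance limit halfway between q·n and n/2, the parameters k = 64, n = 256, q = 0.125, and the seeded `random` generator (used only to make the simulation reproducible, never for real secrets) are assumptions.

```python
import random


def dot(a: int, x: int) -> int:
    """Binary inner product a.x over GF(2): AND the vectors, XOR the bits."""
    return bin(a & x).count("1") & 1


class Tag:
    def __init__(self, x: int, q: float, rng: random.Random):
        self.x, self.q, self.rng = x, q, rng

    def respond(self, a: int) -> int:
        v = 1 if self.rng.random() < self.q else 0   # noise bit, Pr{v = 1} = q
        return dot(a, self.x) ^ v                    # s = a.x + v over GF(2)


def identify(respond, db, k: int, n: int, q: float, rng: random.Random):
    """Run n rounds, then count mismatches against every stored x'."""
    transcript = []
    for _ in range(n):
        a = rng.getrandbits(k)
        transcript.append((a, respond(a)))

    # A genuine tag mismatches about q*n times, any other x' about n/2 times;
    # accept entries below the midpoint of the two (assumed decision rule).
    limit = n * (q + 0.5) / 2
    mismatches = {
        tag_id: sum(dot(a, x) != s for a, s in transcript)
        for tag_id, x in db.items()
    }
    accepted = [tag_id for tag_id, miss in mismatches.items() if miss <= limit]
    return accepted, mismatches


def demo(seed: int = 2013):
    rng = random.Random(seed)
    k, n, q = 64, 256, 0.125
    db = {f"tag-{i}": rng.getrandbits(k) for i in range(20)}   # constructed secrets

    genuine_tag = Tag(db["tag-7"], q, rng)
    genuine, counts = identify(genuine_tag.respond, db, k, n, q, rng)

    # A party without x can only guess each response bit.
    guesser, _ = identify(lambda a: rng.getrandbits(1), db, k, n, q, rng)
    return genuine, guesser, counts["tag-7"]
```

With these parameters the limit is 80 mismatches out of 256, several standard deviations away from both the genuine tag's expected 32 and a guesser's expected 128, which is what makes the two distributions separable despite the noise.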

The HB+ protocol (cont’d)
- setup
  • tag stores secret values x and y (each of them is k bits long), and system parameter q
  • system stores for each tag its (x, y) values
- protocol
    T : pick b from {0, 1}^k uniformly at random, and v from {0, 1} such that Pr{v = 1} = q
    T → R : b
    R : pick a from {0, 1}^k uniformly at random
    R → T : a
    T : compute s = a.x + b.y + v
    T → R : s
    R : for each entry (x’, y’) in the database, check if s = a.x’ + b.y’; after n rounds, the reader selects the entry that matches ~(1-q)·n times

The HB+ protocol (cont’d)
- an active (man-in-the-middle) attack is still possible
  • active adversary modifies the reader’s challenge a to a’ = a+d
  • tag responds with s = a’.x + b.y + v = a.x + b.y + v + d.x
  • the same d is used in each of the n rounds
  • if the tag is successfully authenticated, then d.x = 0, otherwise d.x = 1
  • repeat the whole procedure for sufficiently many linearly independent d values, and solve the obtained system of linear equations for x
  • once x is determined, an attacker can impersonate the tag by setting b = 0
  • the adversary can select b, and respond to the reader’s challenge a with a.x + v (v is chosen according to the probability q)
  • the same b is used in each of the n rounds
  • if authentication is successful, then b.y = 0, otherwise b.y = 1
  • repeat the whole procedure for sufficiently many linearly independent b values, and solve the obtained system of linear equations for y

Traceability in lower layers
- collision avoidance layer
  • responsible for selecting a single tag when multiple tags are in the reader’s range (singulation procedure)
  • also uses identifiers (although these are not necessarily fixed)
  • singulation procedure may reveal these identifiers
- physical layer
  • defines the physical air interface (frequency, modulation, data encoding, timings, etc)
  • radio fingerprinting may be a problem here

Binary tree walking
- a deterministic singulation procedure based on a depth first search in a binary tree, where the leaves are the singulation IDs
  • in each step, the reader sends an ID prefix, and each tag whose ID starts with that prefix responds with the next bit of the ID
  • if multiple tags respond with the same bit, then no collision will occur, and the reader can extend the prefix with the response bit
  • otherwise, if some tags respond differently, then there’s a collision, and the reader recurses on both possible extensions of the prefix
    reader: prefix “-” ?
    tags: collision
    reader: prefix “0” ?
    tags: 0
    reader: prefix “00” ?
    tags: 1
    reader: prefix “1” ?
    tags: 0
    reader: prefix “10” ?
    tags: collision
[Figure: binary tree with root “-”, inner nodes 0, 1, 00, 01, 10, 11 and leaves 000 to 111; the tags present are 001, 100 and 101]

The blocker tag
- idea:
  • tree is divided into two zones
    – privacy zone: all IDs starting with 1
  • upon purchase of a product, its tag is transferred into the privacy zone by setting the leading bit
- the blocker tag is a special tag, such that when the prefix in the reader’s query starts with 1, it simulates a collision
  • when the blocker tag is present, all IDs in the privacy zone will appear to be present for the reader
  • when the blocker tag is not present, everything works normally
[Figure: the same binary tree; the subtree under prefix 1 (leaves 100, 101, 110, 111) is marked “privacy zone”, with an arrow labelled “transfer to the privacy zone upon purchase”]
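Binary tree walking and the effect of a blocker tag on it, as an added example that is not part of the original slides; it reproduces the five queries of the dialogue on the tree-walking slide for tags 001, 100 and 101. Representing IDs as bit strings and the function names are assumptions.

```python
def to_privacy_zone(tag_id: str) -> str:
    """Set the leading bit, as done at purchase."""
    return "1" + tag_id[1:]


def singulate(tag_ids, id_len: int, blocker_prefix=None):
    """Depth-first tree walk as seen by the reader.

    Returns (IDs the reader believes are present, number of prefix queries).
    If blocker_prefix is set, a blocker tag answers both 0 and 1 to every
    query whose prefix starts with it, i.e. it simulates a collision.
    """
    found, queries = [], 0
    stack = [""]                          # "" is the root prefix "-"
    while stack:
        prefix = stack.pop()
        if len(prefix) == id_len:         # reached a leaf: a full ID
            found.append(prefix)
            continue
        queries += 1
        # Each tag matching the prefix answers with its next ID bit.
        bits = {t[len(prefix)] for t in tag_ids if t.startswith(prefix)}
        if blocker_prefix is not None and prefix.startswith(blocker_prefix):
            bits = {"0", "1"}
        # One bit heard: extend the prefix. Two bits heard: collision,
        # so the reader recurses on both extensions.
        for bit in sorted(bits, reverse=True):
            stack.append(prefix + bit)
    return found, queries


def demo():
    tags = ["001", "100", "101"]          # the tags from the slide's figure
    plain = singulate(tags, 3)
    blocked = singulate(tags, 3, blocker_prefix="1")

    # Items still on the shelf (leading bit 0) stay readable with a blocker nearby.
    shelf = singulate(["001", "010"], 3, blocker_prefix="1")

    # With longer IDs the whole privacy zone appears present: 2**(id_len - 1)
    # phantom IDs hide the one purchased item among them.
    purchased = to_privacy_zone("00000000")
    flooded, _ = singulate(["00000001", purchased], 8, blocker_prefix="1")
    return plain, blocked, shelf, len(flooded)
```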

Slotted Aloha
- a probabilistic collision avoidance protocol
  • time is divided into n slots, where n is chosen by the reader
  • each tag randomly chooses one slot and responds to the reader when its slot arrives
  • some collisions may occur
  • to recover, the reader queries the tags again (until no collision occurs)
    – it can mute the tags that did not cause collisions by indicating their identifiers or the time slots during which they transmitted
    – it can choose a more appropriate n

Privacy problems with Slotted Aloha
- if the switch-off technique is used, the reader may mute correctly identified tags by broadcasting their identifier
  • better to broadcast slot numbers instead of identifiers
- an attack based on keeping a singulation session open is still possible:
  • adversary sends a singulation request to a target tag, tag responds in slot s’
  • adversary does not close the session (no ack is sent)
  • later when the adversary suspects that the target tag is present, she can confirm this by sending a new singulation request indicating that only tags which transmitted during s’ must retransmit
  • if a tag retransmits, there is a high probability that it is the adversary’s target tag
  • another tag will respond to the second singulation request if and only if its last session also stayed open and it also transmitted during s’
- it is fundamental that singulation sessions cannot stay open
  • use some internal timeout to abort singulation sessions with abnormal duration
  • such timers can be implemented by loading a capacitor on the first request and closing any open session when the capacitor is empty

Radio fingerprinting
- the transient behavior at the very beginning of a transmission will be slightly different for different transceivers, especially if they are produced by different manufacturers
- one person may carry RFID tags from many different manufacturers, and the particular constellation of brands may be unique to a person!
- the same may be said about constellation of standards (that differ in frequency band, modulation, and bit encodings)