New Directions in Detection, Security and Privacy for RFID
Leonid Bolotnyy and Gabriel Robins
Department of Computer Science, UVa

Thesis
Multi-tags, “yoking-proofs”, and physical unclonable functions can improve reliability, security, and privacy in radio frequency identification (RFID) systems.

Progress
• L. Bolotnyy and G. Robins, Multi-Tag Radio Frequency Identification Systems, IEEE Workshop on Automatic Identification Advanced Technologies (AutoID), pp. 83-88, 2005
• L. Bolotnyy and G. Robins, Randomized Pseudo-Random Function Tree Walking Algorithm for Secure Radio Frequency Identification, IEEE Workshop on Automatic Identification Advanced Technologies (AutoID), pp. 43-48, 2005
• L. Bolotnyy and G. Robins, Generalized ‘Yoking-Proofs’ for a Group of RFID Tags, IEEE International Conference on Mobile and Ubiquitous Systems (Mobiquitous), 2006
• L. Bolotnyy and G. Robins, PUF-Based Security and Privacy in RFID Systems, IEEE International Conference on Pervasive Computing (PerCom), 2007
• Several additional papers in progress
• NSF Cyber Trust proposal (submitted January 2007)
• Deutsche Telekom (largest in EU) offered to patent our multi-tags idea

Introduction
• RFID
• Tag types: passive, semi-passive, active
• Frequencies: Low (125 kHz), High (13.56 MHz), UHF (915 MHz)
• Coupling methods: inductive coupling, backscatter coupling
[Figure: reader antenna and signal, shown for inductive coupling and for backscatter coupling]

History
• Radar invented - 1935
• EAS invented - early 1960’s
• First RFID patent filed - 1973
• First RFID book published - 1999
• Auto-ID Center formed - 1999
• EPCglobal formed - 2004
• First RFID game marketed - 2006

Thesis Proposal
• Improve tag detection
• Improve security and privacy
[Diagram labels: Auditing algorithms for RFID; “Yoking-Proofs”; Inter-tag communication; Definition of privacy; PUF-based security; Algorithms; PUF design]

Why Multi-Tag RFID?
• Bar-codes vs. RFID
  – line-of-sight
  – scanning rate
• Unreliability of tag detection
  – radio noise is ubiquitous
  – liquids and metals are opaque to RF
    • milk, water, juice
    • metal-foil wrappers
  – Wal-Mart experiments (2005)
    • 90% tag detection at case level
    • 95% detection on conveyor belts
    • 66% detection of individual items inside fully loaded pallets
  – Our preliminary experiments support the data above

Applications of Multi-Tags

The Power of an Angle
• Inductive coupling: voltage ~ $\sin(\beta)$, distance ~ $(\text{power})^{1/6}$
• Far-field propagation: voltage ~ $\sin^2(\beta)$, distance ~ $(\text{power})^{1/2}$
• Optimal Tag Placement:
[Figure: tag placement for 1 to 4 tags, with angle β to the B-field. Plot of expected angle (in degrees) against number of tags: 32.7 (1 tag), 47.98 (2 tags), 58.11 (3 tags), 61.86 (4 tags)]
[ x(2 cos x) dx ( 0 4 2 x)(2 cos x) dx] /
[ x(2 cos x)dx] /(2 ) 2 0

Benefits and Costs of Multi-Tags
• PROS
  – increases expected induced voltage on tag
  – increases operational range of system
  – increases memory per object
  – improves availability
  – improves reliability
  – improves durability
  – provides potential security enhancement
  – new applications
• CONS
  – increases system cost
  – modestly complicates manufacturing
  – potentially increases tags’ interrogation time

Experimental Apparatus and Experiments with Multi-Tags
• Equipment
• Experiments
  – Measure detection of ~20 multi-tagged objects
    • With/without metals and liquids
  – Rotate multi-tagged object mixes
    • 1, 2, 3, & 4 tags per object
  – Vary tag, reader, and antenna types
  – Vary distances, geometry, power
  – Multi-tags vs. multiple readers

Preliminary Experimental Results
[Figure: average detection probability against object number (objects 1 to 20). Legend: 2 Readers, 2 Tags: 86.6%; 1 Reader, 2 Tags: 82.6%; 2 Readers, 1 Tag: 63.9%; 1 Reader, 1 Tag: 57.8%. Annotated differences: Δ=4.0%, Δ=18.7%, Δ=6.1%, Δ=22.7%, Δ=24.8%]

Security and Privacy in RFID
• Privacy
[Figure labels: A, B, C; “Alice was here: A, B, C”; privacy]

Security and Privacy in RFID
• Privacy: difficult to track tags
• Security
  – Secure Identification
  – Tag Authentication
  – Message Authentication
  – Ownership Transfer
  – Auditing
[Diagram labels: f(r, ID); c, f(c); m, σ(m)]

“Yoking-Proofs”
• Yoking: joining together / simultaneous presence of multiple tags
• Key Observation: Passive tags can communicate with each other through the reader
• Problem Statement: Generate proof that a group of passive tags were identified nearly-simultaneously
• Applications – verify that:
  – medicine bottle sold together with instructions
  – tools sold together with safety devices
  – matching parts were delivered together
  – several forms of ID were presented
  – a group of people was present at a meeting

Assumptions and Goals
• Assumptions
  – Tags are passive
  – Tags have limited computational abilities
  – Tags can compute a keyed hash function
  – Tags can maintain some state
  – Verifier is trusted and powerful
• Solution Goals
  – Allow readers to be adversarial
  – Make valid proofs improbable to forge
  – Allow verifier to verify proofs off-line
  – Detect replays of valid proofs
• Timer on-board a tag
  – FCC regulations: protocol termination < 400 ms
  – Capacitor discharge can implement timeout

Generalized “Yoking-Proof” Protocol
Idea: construct a chain of mutually dependent MACs
[Figure: tags 1, 2, 3, 4, 5 linked in a chain]
Anonymous Yoking: tags keep their identities private
Speed up yoking protocols by splitting the chain into arcs

Inter-Tag Communication in RFID
• Idea: heterogeneity in ubiquitous computing
• “Yoking proofs”
• Battery-less sensing
• Tags as mailboxes
• Tags as proxies
• Location access control
• Tags partitioned into groups
  – Group leader in charge of authentication and access control
    • Subordinate reader-tag authentication

PUF-Based Security and Privacy
• Digital crypto implementations require 1000’s of gates
• Low-cost alternatives
  – Pseudonyms / one-time pads
  – Low complexity / power hash function designs
  – Hardware-based solutions
• Definition of privacy that incorporates hardware attacks
• PUF definition
• Security is based on:
  – wire delays
  – gate delays
  – quantum mechanical fluctuations
• PUF characteristics
  – uniqueness
  – reliability
  – unpredictability

PUF-Based Algorithms
• Identification Sequence: $ID, p(ID), \ldots, p^k(ID)$
• It is important to have
  – a reliable PUF
  – no loops in PUF chains
  – no identical PUF outputs
  – no impersonation attacks
• Authentication Pairs: $c_1, p(c_1), c_2, p(c_2), \ldots, c_n, p(c_n)$
• Verify that at least the desired fraction of challenge-response pairs is correct
• MAC based on PUF
  – Motivation: “yoking-proofs”, signing sensor data
  – large keys
  – cannot support arbitrary messages
• Large message set
• Small message set

PUF-Based Ownership Transfer
• Ownership Transfer
• To maintain privacy we need
  – ownership privacy
  – forward privacy
• Physical security is especially important
• Solutions
  – public key cryptography
  – knowledge of owners’ sequence
  – trusted authority
  – short period of privacy

Comparison of PUF With Digital Hash Functions
  Algorithm   # of gates
  MD4         7350
  MD5         8400
  SHA-256     10868
  AES         3400
  Yuksel      1701
  PUF         545
• Reference PUF: 545 gates for 64-bit input
  – 6 to 8 gates for each input bit
  – 33 gates to measure the delay
• Low gate count of PUF has a cost
  – probabilistic outputs
  – difficult to characterize analytically
  – non-unique computation
  – extra storage
• Different attack target for adversaries
  – model building rather than key discovery
• Physical security
  – hard to break tag and remain undetected

PUF Design
• Attacks on PUF
  – impersonation
  – modeling
  – hardware tampering
  – side-channel
• Weaknesses of existing PUF reliability
• New PUF design
  – no oscillating circuit
  – sub-threshold voltage
• Compare different non-linear delay approaches

Conclusion and Research Plan
• Contributions
  – Multi-Tags
    • tag objects with multiple tags to improve detection
  – Security and Privacy
    • Yoking proofs
    • Inter-tag communication
    • Hardware-based security – PUFs
• Plan for the next 5 months
  – finish multi-tag experiments
  – define privacy w.r.t. physical attacks
  – design / evaluate improved PUF circuits
  – publish more papers

• Bolotnyy and Robins, Multi-Tag Radio Frequency Identification Systems, IEEE Workshop on Automatic Identification Advanced Technologies (AutoID), pp. 83-88, 2005
• Bolotnyy and Robins, Randomized Tree Walking Algorithm for Secure RFID, IEEE Workshop on Automatic Identification Advanced Technologies (AutoID), pp. 43-48, 2005
• Bolotnyy and Robins, Generalized ‘Yoking-Proofs’ for a Group of RFID Tags, IEEE International Conference on Mobile and Ubiquitous Systems (Mobiquitous), 2006
• Bolotnyy and Robins, PUF-Based Security and Privacy in RFID Systems, IEEE International Conference on Pervasive Computing (PerCom), 2007

Back Up Slides

Related Work on Multi-Tags
• Two-antennas per tag to determine location
• Four tags per object to determine movement direction
• Multiple tags to increase reliability (for visually impaired)
• Random placement of two tags on playing cards
• Splitting tag ID into Class ID and Pure ID
• Up to three tags to determine object-person interaction

Types of Multi-Tags
• Redundant Tags
• Complementary Tags
• Dual-Tags
  – Own Memory Only
  – Shared Memory Only
  – Own and Shared Memory
• Triple-Tags
• n-Tags

Detection Distance with Multi-Tags
[Figure: expected factor of distance increase against number of tags. Far-field propagation: 1 (1 tag), 1.37 (2 tags), 1.57 (3 tags), 1.63 (4 tags). Inductive coupling: 1 (1 tag), 1.06 (2 tags), 1.08 (3 tags), 1.09 (4 tags)]

Effects of Multi-Tags on Anti-Collision Algorithms
  Algorithm        Redundant Tags    Dual-Tags
  Binary           No Effect         No Effect
  Binary Variant   No Effect         No Effect
  Randomized       Doubles Time**    No Effect*
  STAC             Causes DoS        No Effect*
  Slotted Aloha    Doubles Time**    No Effect*
*If Dual-Tags communicate to form a single response
**Assuming an object is tagged with two tags

Related Work on “Yoking-Proofs”
• Juels [2004]
  – protocol is limited to two tags
  – no timely timer update (minor/crucial omission)
• Saito and Sakurai [2005]
  – solution relies on timestamps generated by trusted database
  – violates original problem statement
  – one tag is assumed to be more powerful than the others
  – vulnerable to “future timestamp” attack
• Piramuthu [2006]
  – discusses inapplicable replay-attack problem of Juels’ protocol
  – independently observes the problem with Saito/Sakurai protocol
  – proposed fix only works for a pair of tags
  – violates original problem statement

Speeding Up The Yoking Protocol
Idea: split cycle into several sequences of dependent MACs
[Figure labels: starting / closing tags]
Requires
  – multiple readers or multiple antennas
  – anti-collision protocol

Related Work on PUF
• Optical PUF [Ravikanth 2001]
• Silicon PUF [Gassend et al 2002]
  – design, implementation, simulation, manufacturing
  – authentication algorithm
  – controlled PUF
• PUF in RFID
  – off-line reader authentication using public key cryptography [Tuyls et al 2006]

PUF-Based Authentication
Reader → Tag: GetID
Tag → Reader: ID
Reader → Tag: GetResponse($c_1$)
Tag → Reader: $p(c_1)$
. . .
Reader → Tag: GetResponse($c_n$)
Tag → Reader: $p(c_n)$

$\text{prob}_v(n) = 1 - \sum_{i=t+1}^{n} \binom{n}{i} \mu^i (1-\mu)^{n-i}$
$\text{prob}_f(n) = 1 - \sum_{j=t+1}^{n} \binom{n}{j} \tau^j (1-\tau)^{n-j}$
$\alpha < \text{prob}_v \le 1$ and $\text{prob}_f \le \beta \le 1$, with $0 \le t \le n-1$

PUF-Based Identification Algorithm
• Tag stores its identifier: ID
• Database stores: $ID, p(ID), \ldots, p^k(ID)$
• Upon reader’s query, the tag
  – responds with p(ID)
  – updates its ID with p(ID)
• It is important to have
  – a reliable PUF
  – no loops in PUF chains
  – no identical PUF outputs
• Assumptions
  – passive adversaries (otherwise, denial of service possible)
  – physical compromise of tags not possible
  – reliable PUF

PUF-Based MAC Algorithms
• MAC = (K, τ, υ)
• valid signature σ: $\upsilon_K(M, \sigma) = 1$
• forged signature σ’: $\upsilon_K(M', \sigma') = 1$, $M \ne M'$
• Need to protect against replay attacks
• MAC based on PUF
  – large keys
  – cannot support arbitrary messages
  – Motivational example: buyer/seller
• Large message set
  $\sigma(m) = c, r_1, \ldots, r_n, p_c(r_1, m), \ldots, p_c(r_n, m)$
• Small message set
  $\sigma(m) = c, p_c^{(1)}(m), \ldots, p_c^{(n)}(m), \ldots, c+q-1, p_{c+q-1}^{(1)}(m), \ldots, p_{c+q-1}^{(n)}(m)$

Using PUF to Detect and Restore Privacy of Compromised System
[Figure: tree of secrets with nodes s1,0 to s1,2, s2,0 to s2,5 and s3,0 to s3,10]
1. Detect potential tag compromise
2. Update secrets of affected tags
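For the “PUF-Based Authentication” slide, the following added example (not taken from the original slides or the authors' papers) evaluates prob_v and prob_f as written there and searches for the smallest number of challenges n and threshold t that satisfy α < prob_v and prob_f ≤ β. The slides do not define μ and τ; the example assumes μ is the per-challenge probability that a genuine tag's PUF response is wrong, τ is the same probability for a forger, and t is the number of wrong responses tolerated. The function names and sample values are hypothetical.

```python
from math import comb

def accept_probability(n, t, p_wrong):
    # 1 - sum_{i=t+1}^{n} C(n,i) p^i (1-p)^(n-i):
    # probability of at most t wrong responses among n challenges.
    tail = sum(comb(n, i) * p_wrong**i * (1 - p_wrong)**(n - i)
               for i in range(t + 1, n + 1))
    return 1.0 - tail

def choose_parameters(mu, tau, alpha, beta, max_n=256):
    # Smallest n, then smallest t with 0 <= t <= n-1, such that
    # alpha < prob_v <= 1 and prob_f <= beta. Returns None if no
    # pair up to max_n satisfies both bounds.
    for n in range(1, max_n + 1):
        for t in range(0, n):
            prob_v = accept_probability(n, t, mu)   # genuine tag accepted
            prob_f = accept_probability(n, t, tau)  # forger accepted
            if prob_v > alpha and prob_f <= beta:
                return n, t, prob_v, prob_f
    return None

if __name__ == "__main__":
    # Constructed sample values: an unreliable PUF (5% wrong responses)
    # against a forger who is wrong on 90% of challenges.
    print(choose_parameters(mu=0.05, tau=0.9, alpha=0.999, beta=1e-6))
    # When genuine tag and forger are equally likely to be wrong, no
    # (n, t) can separate them and the search reports that.
    print(choose_parameters(mu=0.5, tau=0.5, alpha=0.9, beta=0.1, max_n=16))
```

A less reliable PUF (larger μ) forces a larger t, which in turn forces more challenges n to keep prob_f under β; this is the cost of the "probabilistic outputs" listed on the comparison slide.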
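For the “PUF-Based Identification Algorithm” slide, an added simulation (not code from the original slides or papers) of the tag that answers with p(ID) and overwrites its ID, the database that stores ID, p(ID), …, p^k(ID), and an enrollment check for the two conditions the slide lists: no loops in a chain and no identical outputs across tags. A truncated HMAC stands in for the physical PUF, and all names and sample values are assumptions made for the example.

```python
import hashlib
import hmac

def puf(silicon: bytes, x: bytes) -> bytes:
    # Stand-in for the tag's PUF p(.): a keyed hash truncated to 64 bits (assumption).
    return hmac.new(silicon, x, hashlib.sha256).digest()[:8]

def build_chain(silicon: bytes, initial_id: bytes, k: int) -> list:
    # Enrollment: the database records ID, p(ID), ..., p^k(ID).
    chain = [initial_id]
    for _ in range(k):
        chain.append(puf(silicon, chain[-1]))
    return chain

def check_chains(chains: dict) -> list:
    # Flag a loop inside one chain or a value that appears in two tags' chains.
    problems, owner = [], {}
    for name, chain in chains.items():
        if len(set(chain)) != len(chain):
            problems.append(f"loop in chain of {name}")
        for value in set(chain):
            if owner.setdefault(value, name) != name:
                problems.append(f"identical output for {owner[value]} and {name}")
    return problems

class Tag:
    def __init__(self, silicon: bytes, initial_id: bytes):
        self.silicon, self.id = silicon, initial_id

    def query(self) -> bytes:
        # Respond with p(ID) and overwrite the stored ID with it.
        self.id = puf(self.silicon, self.id)
        return self.id

class Database:
    def __init__(self, chains: dict):
        self.chains = chains
        self.position = {name: 0 for name in chains}

    def identify(self, response: bytes):
        # Accept only the next unused chain value, so replays and skipped values fail.
        for name, chain in self.chains.items():
            nxt = self.position[name] + 1
            if nxt < len(chain) and hmac.compare_digest(chain[nxt], response):
                self.position[name] = nxt
                return name
        return None
```

Because the database accepts only the next chain value, a tag that has been queried without the database seeing the response no longer identifies, which is the denial of service the slide rules out by assuming passive adversaries.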