Title: New Directions in Reliability, Security and Privacy in Radio Frequency Identification Systems
1New Directions in Reliability, Security and Privacy in Radio Frequency Identification Systems
Leonid Bolotnyy, lbol_at_cs.virginia.edu
www.cs.virginia.edu/lb9xk
Gabriel Robins, robins_at_cs.virginia.edu
www.cs.virginia.edu/robins
Department of Computer Science, University of Virginia
2Talk Outline
- Introduction to RFID
- Reliable Object Identification
- Multi-Tag RFID Systems
- Physical Security and Privacy
- PUF-Based Algorithms
- Inter-Tag Communication
- Generalized Yoking-Proofs
- Common Themes and Conclusion
4General RFID System
5Introduction to RFID
- Frequencies: Low (125 kHz), High (13.56 MHz), UHF (915 MHz)
6RFID History
What's next?
8Obstacles of Reliable Identification
- Bar-codes vs. RFID
- line-of-sight
- scanning rate
- Object detection obstacles
- radio noise is ubiquitous
- liquids and metals are opaque to RF
- milk, water, juice
- metal-foil wrappers
- temperature and humidity
- objects/readers moving speed
- object occlusion
- number of objects grouped together
- tag variability and receptivity
- tag aging
9Case Studies
- Defense Logistics Agency trials (2001)
- 3% of moving objects did not reach destination
- 20% of tags recorded at every checkpoint
- 2% of a tag type detected at 1 checkpoint
- some tags registered on arrival but not departure
- Wal-Mart experiments (2005)
- 90% tag detection at case level
- 95% detection on conveyor belts
- 66% detection inside fully loaded pallets
10Multi-Tag RFID
- Use multiple tags per object to increase reliability of object detection/identification
11The Power of an Angle
- Inductive coupling: $\text{distance} \propto (\text{power})^{1/6}$
- Far-field propagation: $\text{distance} \propto (\text{power})^{1/2}$
12Equipment and Setup
- Setup
- empty room
- 20 solid non-metallic and 20 metallic and liquid objects
- tags positioned perpendicular to each other
- tags spaced apart
- software drivers
13Experiments
- Read all tags in reader's field
- Randomly shuffle objects
- Compute average detection rates
- Variables
- reader type
- antenna type
- tag type
- antenna power
- object type
- number of objects
- number of tags per object
- tag orientation
- tag receptivity
14Linear Antennas
15Circular Antennas
16Linear Antennas vs. Multi-tags
2 Readers, 2 Tags: 84.5%
1 Reader, 2 Tags: 79.3%
2 Readers, 1 Tag: 64.9%
1 Reader, 1 Tag: 58.0%
17Importance of Tag Orientation
18Detection in Presence of Metals and Liquids
- Decrease in solid/non-liquid object detection
- Significant at low power
- Similar results for linear antennas
19Varying Number of Objects
Experiment 1: 15 solid non-metallic and 15 liquids and metals
Experiment 2: 20 solid non-metallic and 20 liquids and metals
20Applications of Multi-Tags
21More Applications
22Economics of Multi-Tags
- Rapid decrease in passive tag cost
- 5 cent tag expected in 2008
- 1 penny tag in a few years
23Cost Trends
Time
24Multi-Tag Conclusion
- Unreliability of object detection
- radio noise is ubiquitous
- liquids and metals are opaque to RF
- milk, water, juice
- metal-foil wrappers
- temperature and humidity
- objects/readers moving speed
- object occlusion
- number of objects grouped together
- tag variability and receptivity
- tag aging
26Motivation
- Digital crypto implementations require 1000s of gates
- Low-cost alternatives
- Pseudonyms / one-time pads
- Low complexity / power hash function designs
- Hardware-based solutions
27PUF-Based Security
- Physical Unclonable Function (Gassend et al., 2002)
- PUF security is based on
- wire delays
- gate delays
- quantum mechanical fluctuations
- PUF characteristics
- uniqueness
- reliability
- unpredictability
- PUF assumptions
- Infeasible to accurately model PUF
- Pair-wise PUF output-collision probability is constant
- Physical tampering will modify PUF
28Individual Privacy in RFID
Alice was here: A, B, C
29Hardware Tampering Privacy Models
Allow adversary to tamper with tag's memory
Cannot provide privacy without restricting adversary - simple secret overwrite allows tag tracking
1. Restrict memory tampering functions - allow bit flips
2. Purely physical privacy - no digital secrets
3. Detect privacy compromise - detect PUF modification
30Private Identification Algorithm
ID
p(ID)
- It is important to have
- a reliable PUF
- no loops in PUF chains
- no identical PUF outputs
- Assumptions
- no denial of service attacks (e.g., passive adversaries, DoS detection/prevention mechanisms)
- physical compromise of tags not possible
31PUF-Based Ownership Transfer
- To maintain privacy we need
- ownership privacy
- forward privacy
- Physical security is especially important
- Solutions
- public key cryptography (expensive)
- knowledge of owners sequence
- short period of privacy
- trusted authority
32PUF-Based MAC Algorithms
- MAC based on PUF
- Motivation: yoking-proofs, signing sensor data
- large keys (PUF is the key)
- cannot support arbitrary messages
- Assumptions
- adversary can adaptively learn poly-many (m, s) pairs
- signature verifiers are off-line
- tag can store a counter (to timestamp signatures)
33Large Message Space
Assumption: tag can generate good random numbers (can be PUF-based)
Key: PUF
$s(m) = c, r_1, \ldots, r_n, p_c(r_1, m), \ldots, p_c(r_n, m)$
- Signature verification
- requires tag's presence
- password-based or in radio-protected environment (Faraday Cage)
- learn $p_c(r_i, m)$, $1 \le i \le n$
- verify that the desired fraction of PUF computations is correct
- To protect against hardware tampering
- authenticate tag before MAC verification
- store verification password underneath PUF
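A software simulation of the large-message-space MAC above, added here as an illustration and not code from the talk. The PUF is replaced by an HMAC with random response errors (an assumption; a real PUF holds no digital key), and the 2% error rate, the 0.1n mismatch threshold and all names are assumed. It shows why verification accepts a fraction of correct PUF computations rather than requiring all of them.

```python
import hashlib
import hmac
import random

class SimulatedPUF:
    """Software stand-in for a tag's PUF (assumption): `seed` models the chip's
    physical variation, `noise` the chance that one evaluation is wrong."""
    def __init__(self, seed: bytes, noise: float, rng: random.Random):
        self.seed, self.noise, self.rng = seed, noise, rng

    def p(self, c: int, r: bytes, m: bytes) -> int:
        """p_c(r, m): 8-bit response for counter c, challenge r, message m."""
        data = c.to_bytes(8, "big") + r + m      # c and r are fixed-width, m is last
        out = hmac.new(self.seed, data, hashlib.sha256).digest()[0]
        if self.rng.random() < self.noise:       # unreliable evaluation
            out ^= self.rng.randrange(1, 256)    # non-zero mask: response changes
        return out

def sign(puf, c, m, n, rng):
    """s(m) = c, r_1..r_n, p_c(r_1, m)..p_c(r_n, m) with fresh random r_i."""
    rs = [rng.getrandbits(64).to_bytes(8, "big") for _ in range(n)]
    return c, rs, [puf.p(c, r, m) for r in rs]

def verify(puf, m, sig, max_bad=0.1):
    """Re-query the tag that is present; accept if at most max_bad*n responses differ."""
    c, rs, outs = sig
    if not rs or len(rs) != len(outs):
        return False
    bad = sum(puf.p(c, r, m) != o for r, o in zip(rs, outs))
    return bad <= max_bad * len(rs)

def demo(n=400, noise=0.02):
    rng = random.Random(2007)                    # fixed seed: repeatable run
    tag = SimulatedPUF(b"constructed-chip-A", noise, rng)
    other = SimulatedPUF(b"constructed-chip-B", noise, rng)  # different or tampered chip
    m = b"sensor reading: 21.5C"                 # constructed sample message
    c, rs, outs = sig = sign(tag, 7, m, n, rng)
    return {
        "genuine": verify(tag, m, sig),
        "altered_message": verify(tag, b"sensor reading: 99.9C", sig),
        "other_chip": verify(other, m, sig),
        "old_counter": verify(tag, m, (c - 1, rs, outs)),
        "strict_threshold": verify(tag, m, sig, max_bad=0.0),
    }

if __name__ == "__main__":
    print(demo())
```

The `strict_threshold` case is rejected even though the tag is genuine, because both signing and verification go through a noisy PUF.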
34Small Message Space
Assumption: small and known a priori message space
PUF reliability is again crucial
Verify that the desired number of sub-signatures
are valid
35Attacks on MAC Protocols
36Conclusions and Future Work
Hardware primitive for RFID security
Identification, MAC, Ownership Transfer, and Tag
Authentication Algorithms
- Properties
- Physical keys
- Protect tags from physical attacks
- New attack models
- Future Work
- Design new PUF
- Manufacture and test PUF
- Develop PUF theory
- New attack models
38Inter-Tag Communication in RFID
- Idea: Heterogeneity in ubiquitous computing
39Yoking-Proofs
- Yoking: joining together / simultaneous presence of multiple tags
- Key Observation: Passive tags can communicate with each other through reader
- Problem Statement: Generate proof that a group of passive tags were identified nearly-simultaneously
- Applications: verify that
- medicine bottle sold together with instructions
- tools sold together with safety devices
- matching parts were delivered together
- several forms of ID were presented
40Assumptions and Goals
- Assumptions
- Tags are passive
- Tags have limited computational abilities
- Tags can compute a keyed hash function
- Tags can maintain some state
- Verifier is trusted and powerful
- Solution Goals
- Allow readers to be adversarial
- Make valid proofs improbable to forge
- Allow verifier to verify proofs off-line
- Detect replays of valid proofs
- Timer on-board a tag
- Capacitor discharge can implement timeout
41Generalized Yoking-Proof Protocol
Idea: construct a chain of mutually dependent MACs
[Figure: tags 1 through 5]
Anonymous Yoking: tags keep their identities private
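A simplified sketch of such a chain, added here as an example and not the protocol from the talk or the paper. HMAC-SHA256 stands in for the tags' keyed hash, and the names `Tag`, `read_group` and `verify`, the integer clock and the message layout are all assumptions. Each tag's MAC covers the previous tag's output, the starting tag closes the cycle only before its timer expires, and the off-line verifier rejects replayed counters.

```python
import hashlib
import hmac

def mac(key, counter, *parts):  # HMAC-SHA256 stands in for the tags' keyed hash (assumed)
    body = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, counter.to_bytes(8, "big") + body, hashlib.sha256).digest()

class Tag:
    def __init__(self, key, timeout=8):
        self.key, self.counter, self.timeout, self.t0 = key, 0, timeout, None

    def link(self, prev, now):  # new session: bump counter, start timer, bind to prev
        self.counter, self.t0 = self.counter + 1, now
        return self.counter, mac(self.key, self.counter, prev)

    def close(self, last, now):  # starting tag closes the cycle unless its timer ran out
        if self.t0 is None or now - self.t0 > self.timeout:
            return None
        self.t0 = None
        return mac(self.key, self.counter, b"close", last)

def read_group(tags, order, delay=0):  # untrusted reader: relays outputs tag to tag
    links, prev = [], b"start"
    for now, tid in enumerate(order):
        counter, prev = tags[tid].link(prev, now)
        links.append((tid, counter, prev))
    closing = tags[order[0]].close(prev, len(order) + delay)
    return (links, closing) if closing else None

def verify(keys, seen, group, proof):
    """Off-line verifier: whole group present, fresh counters, chain recomputes."""
    if not proof or not group or [t for t, _, _ in proof[0]] != group:
        return False
    (links, closing), prev = proof, b"start"
    for tid, counter, out in links:
        if counter <= seen[tid] or not hmac.compare_digest(out, mac(keys[tid], counter, prev)):
            return False
        prev = out
    ok = hmac.compare_digest(closing, mac(keys[group[0]], links[0][1], b"close", prev))
    if ok:
        seen.update((t, c) for t, c, _ in links)  # remember counters so replays fail
    return ok

def demo():
    keys = {t: bytes([t]) * 16 for t in (1, 2, 3, 4, 5)}  # constructed sample keys
    tags, seen = {t: Tag(k) for t, k in keys.items()}, dict.fromkeys(keys, 0)
    proof = read_group(tags, [1, 2, 3, 4, 5])
    return verify(keys, seen, [1, 2, 3, 4, 5], proof), verify(keys, seen, [1, 2, 3, 4, 5], proof)
```

`demo()` returns `(True, False)`: the first submission of the proof is accepted and its replay is rejected.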
42Related Work on Yoking-Proofs
- Juels 2004
- protocol is limited to two tags
- no timely timer update (minor/crucial omission)
- Saito and Sakurai 2005
- solution relies on timestamps generated by trusted database
- violates original problem statement
- one tag is assumed to be more powerful than the others
- vulnerable to future timestamp attack
- Piramuthu 2006
- discusses inapplicable replay-attack problem of Juels' protocol
- independently observes the problem with Saito/Sakurai protocol
- proposed fix only works for a pair of tags
- violates original problem statement
44Common Themes
45Conclusion and Future Research
- Future Research
- More multi-tag tests
- Object localization using multi-tags
- Split tag functionality between tags
- Prevent adversarial merchandise inventorization
- PUF design
- More examples of inter-tag communication
- Applications of RFID
46Publications
- L. Bolotnyy and G. Robins, Multi-tag Radio Frequency Identification Systems, IEEE Workshop on Automatic Identification Advanced Technologies (Auto-ID), Oct. 2005.
- L. Bolotnyy and G. Robins, Randomized Pseudo-Random Function Tree Walking Algorithm for Secure Radio-Frequency Identification, IEEE Workshop on Automatic Identification Advanced Technologies (Auto-ID), Oct. 2005.
- L. Bolotnyy and G. Robins, Generalized Yoking Proofs for a Group of Radio Frequency Identification Tags, International Conference on Mobile and Ubiquitous Systems (Mobiquitous), San Jose, CA, July 2006.
- L. Bolotnyy and G. Robins, Physically Unclonable Function-Based Security and Privacy in RFID Systems, IEEE International Conference on Pervasive Computing and Communications (PerCom), New York, March 2007.
- L. Bolotnyy, S. Krize, and G. Robins, The Practicality of Multi-Tag RFID Systems, International Workshop on RFID Technology - Concepts, Applications, Challenges (IWRT), Madeira, Portugal, June 2007.
- L. Bolotnyy and G. Robins, The Case for Multi-Tag RFID Systems, International Conference on Wireless Algorithms, Systems and Applications (WASA), Chicago, Aug. 2007.
- L. Bolotnyy and G. Robins, Multi-Tag RFID Systems, International Journal of Internet and Protocol Technology, Special issue on RFID Technologies, Applications, and Trends, 2(3/4), 2007.
- 1 conference and 1 journal paper in submission
- 2 invited book chapters in preparation: Security in RFID and Sensor Networks, to be published by Auerbach Publications, CRC Press, Taylor & Francis Group
47More Successes
- Deutsche Telekom (largest in EU) offered to patent our multi-tags idea.
- Received $450,000 NSF Cyber Trust grant, 2007 (PI: Gabriel Robins).
- Technical Program Committee member: International Workshop on RFID Technology - Concepts, Applications, Challenges (IWRT), Barcelona, Spain, June 2008.
- Our papers and presentation slides used in lecture-based undergraduate/graduate courses (e.g., Rice University, George Washington University).
49Thank You!
Dissertation Committee: Gabriel Robins (advisor), Dave Evans, Paul Reynolds, Nina Mishra, and Ben Calhoun
Stephen Wilson, Blaise Gassend, Daihyun Lim, Karsten Nohl, Patrick Graydon, and Scott Krize
Questions?
lbol_at_cs.virginia.edu www.cs.virginia.edu/lb9xk
50BACK UP SLIDES: NOT USED DURING PRESENTATION
51Types of Multi-Tags
52Controlling Variables
- Radio noise
- Tag variability
- Reader variability
- Reader power level
- Distance to objects; type, number of antennas
53Circular Antennas vs. Multi-Tags
[Plot: Detection Probability (0.3 to 1) vs. Object Number (1 to 20); Power: 31.6 dBm]
54Power
- Decrease in detection with decrease in power
- More rapid decrease in detection for circular
antennas
55Multi-Tags on Metals and Liquids
- Low detection probabilities
- Drop in detection at low power
- Linear antennas outperform circular
- Multi-tags better than multiple readers
56Detection Delta
[Figure: detection delta for 1 tag, 2 tags and 3 tags, in four groups; values shown: 0.030, 0.014, 0.029, 0.036]
57Anti-Collision Algorithms
Algorithm        Redundant Tags    Connected-Tags
Binary           No Effect         No Effect
Binary Variant   No Effect         No Effect
Randomized       Linear Increase   No Effect
STAC             Causes DoS        No Effect
Slotted Aloha    Linear Increase   No Effect
Assuming tags communicate to form a single response
If all tags are detected
58Business Case for RFID
- Costs & benefits (business case)
- Moore's law
- higher employee productivity
- automated business processes
- workforce reduction
- Tag manufacturing yield and testing
- 30% of chips damaged during manufacturing
- 15% damaged during printing (U.S. GAO)
- 20% tag failure rate in field (RFID Journal)
- 5% of tags purchased marked defective
59RFID Tag Demand
- Demand drivers
- tag cost
- desire to stay competitive
- Cost effective tag design techniques
- memory design (self-adaptive silicon)
- assembly technology (fluidic self assembly)
- antenna design (antenna material)
60Thesis
Multi-tags can considerably improve reliability in RFID systems at a reasonable cost; effective PUF implementations can enable hardware-tampering resistant algorithms for RFID security and privacy; generalized yoking-proofs can provide auditing mechanisms for the near-simultaneous reading of multiple RFID tags.
61Related Work on PUF
- Optical PUF (Ravikanth, 2001)
- Silicon PUF (Gassend et al., 2002)
- Design, implementation, simulation, manufacturing
- Authentication algorithm
- Controlled PUF
- PUF in RFID
- Identification/authentication (Ranasinghe et al., 2004)
- Off-line reader authentication using public key cryptography (Tuyls et al., 2006)
62Privacy Model
Experiment
- A passive adversary observes polynomially-many rounds of reader-tag communications with multiple tags
- An adversary selects 2 tags
- The reader randomly and privately selects one of the 2 tags and runs one identification round with the selected tag
- An adversary determines the tag that the reader selected
Definition: The algorithm is privacy-preserving if an adversary cannot determine the reader-selected tag with probability substantially greater than ½
Theorem: Given the random oracle assumption for PUFs, an adversary has no advantage in the above experiment.
63Improving Reliability of Responses
- Run PUF multiple times for same ID; pick majority
- Create tuples of multi-PUF computed IDs; identify a tag based on at least one valid position value
(ID1, ID2, ID3)
64Choosing # of PUF Computations
probv(n, 0.1n, 0.02)
probf(n, 0.1n, 0.4)
65MAC Large Message Space Theorem
Given random oracle assumption for a PUF, the
probability that an adversary could forge a
signature for a message is bounded from above by
the tag impersonation probability.
66MAC Small Message Space Theorem
Given random oracle assumption for a PUF, the
probability that an adversary could forge a
signature for a message is bounded by the tag
impersonation probability times the number of
sub-signatures.
67Purely Physical Ownership Transfer
oid = h(counter)
r1, a = hs(r0, r1)
counter = counter - 1
Challenges sent to tag in increasing order
- Properties
- All PUF computations must be correct
- PUF-based random number generator
- Physical write-once counter
- oid is calculated for each identification
- Inherently limited # of owners
68Using PUF to Detect and Restore Privacy of Compromised System
[Figure: tree of secrets with nodes s1,0 and s1,1; s2,0 to s2,3; s3,0 to s3,7]
- Detect potential tag compromise
- Update secrets of affected tags
69PUF vs. Digital Hash Function
- Reference PUF 545 gates for 64-bit input
- 6 to 8 gates for each input bit
- 33 gates to measure the delay
- Low gate count of PUF has a cost
- probabilistic outputs
- difficult to characterize analytically
- non-unique computation
- extra back-end storage
- Different attack target for adversaries
- model building rather than key discovery
- Physical security
- hard to break tag and remain undetected
70PUF Design
- Attacks on PUF
- impersonation
- modeling
- hardware tampering
- side-channel
- Weaknesses of existing PUF: reliability
- New PUF design
- no oscillating circuit
- sub-threshold voltage
- Compare different non-linear delay approaches
71PUF Contribution and Motivation
- Contribution
- Physical privacy models
- Privacy-preserving tag identification algorithm
- Ownership transfer algorithm
- Secure MAC algorithms
- Comparison of PUF with digital hash functions
- Motivation
- Digital crypto implementations require 1000s of gates
- Low-cost alternatives
- Pseudonyms / one-time pads
- Low complexity / power hash function designs
- Hardware-based solutions
72Speeding Up The Yoking Protocol
Idea: split cycle into several sequences of dependent MACs
starting / closing tags
- Requires
- multiple readers or multiple antennas
- anti-collision protocol