New Directions in Reliability, Security and Privacy in Radio Frequency Identification Systems

1
New Directions in Reliability, Security and Privacy in Radio Frequency Identification Systems
Leonid Bolotnyy, lbol_at_cs.virginia.edu
www.cs.virginia.edu/lb9xk
Gabriel Robins, robins_at_cs.virginia.edu
www.cs.virginia.edu/robins
Department of Computer Science, University of Virginia
2
Talk Outline
  • Introduction to RFID
  • Reliable Object Identification
  • Multi-Tag RFID Systems
  • Physical Security and Privacy
  • PUF-Based Algorithms
  • Inter-Tag Communication
  • Generalized Yoking-Proofs
  • Common Themes and Conclusion

3
Talk Outline
  • Introduction to RFID
  • Reliable Object Identification
  • Multi-Tag RFID Systems
  • Physical Security and Privacy
  • PUF-Based Algorithms
  • Inter-Tag Communication
  • Generalized Yoking-Proofs
  • Common Themes and Conclusion

4
General RFID System
5
Introduction to RFID
  • Frequencies: Low (125 kHz), High (13.56 MHz), UHF (915 MHz)

6
RFID History
What's next?
7
Talk Outline
  • Introduction to RFID
  • Reliable Object Identification
  • Multi-tag RFID Systems
  • Physical Security and Privacy
  • PUF-Based Algorithms
  • Inter-Tag Communication
  • Generalized Yoking-Proofs
  • Common Themes and Conclusion

8
Obstacles of Reliable Identification
  • Bar-codes vs. RFID
    • line-of-sight
    • scanning rate
  • Object detection obstacles
    • radio noise is ubiquitous
    • liquids and metals are opaque to RF
      • milk, water, juice
      • metal-foil wrappers
    • temperature and humidity
    • objects/readers moving speed
    • object occlusion
    • number of objects grouped together
    • tag variability and receptivity
    • tag aging

9
Case Studies
  • Defense Logistics Agency trials (2001)
    • 3% of moving objects did not reach destination
    • 20% of tags recorded at every checkpoint
    • 2% of a tag type detected at 1 checkpoint
    • some tags registered on arrival but not departure
  • Wal-Mart experiments (2005)
    • 90% tag detection at case level
    • 95% detection on conveyor belts
    • 66% detection inside fully loaded pallets

10
Multi-Tag RFID
  • Use multiple tags per object to increase reliability of object
    detection/identification

11
The Power of an Angle
  • Inductive coupling: distance ~ (power)^(1/6)
  • Far-field propagation: distance ~ (power)^(1/2)

12
Equipment and Setup
  • Equipment
    (Equipment photos with quantities: x4, x1, x8, x1, x100s, x100s)
  • Setup
    • empty room
    • 20 solid non-metallic, 20 metallic and liquid objects
    • tags positioned perpendicular to each other
    • tags spaced apart
    • software drivers

13
Experiments
  • Read all tags in reader's field
  • Randomly shuffle objects
  • Compute average detection rates
  • Variables
    • reader type
    • antenna type
    • tag type
    • antenna power
    • object type
    • number of objects
    • number of tags per object
    • tags' orientation
    • tags' receptivity

14
Linear Antennas
15
Circular Antennas
16
Linear Antennas vs. Multi-tags
2 Readers, 2 Tags: 84.5%
1 Reader, 2 Tags: 79.3%
2 Readers, 1 Tag: 64.9%
1 Reader, 1 Tag: 58.0%
17
Importance of Tag Orientation
18
Detection in Presence of Metals & Liquids
  • Decrease in solid/non-liquid object detection
  • Significant at low power
  • Similar results for linear antennas

19
Varying Number of Objects
Experiment 1: 15 solid non-metallic, 15 liquids and metals
Experiment 2: 20 solid non-metallic, 20 liquids and metals
20
Applications of Multi-Tags
21
More Applications
22
Economics of Multi-Tags
  • Rapid decrease in passive tag cost
    • 5 cent tag expected in 2008
    • 1 penny tag in a few years

23
Cost Trends
Time
24
Multi-Tag Conclusion
  • Unreliability of object detection
    • radio noise is ubiquitous
    • liquids and metals are opaque to RF
      • milk, water, juice
      • metal-foil wrappers
    • temperature and humidity
    • objects/readers moving speed
    • object occlusion
    • number of objects grouped together
    • tag variability and receptivity
    • tag aging
  • Many useful applications
  • Favorable economics

25
Talk Outline
  • Introduction to RFID
  • Reliable Object Identification
  • Multi-tag RFID Systems
  • Physical Security and Privacy
  • PUF-Based Algorithms
  • Inter-Tag Communication
  • Generalized Yoking-Proofs
  • Common Themes and Conclusion

26
Motivation
  • Digital crypto implementations require 1000s of gates
  • Low-cost alternatives
    • Pseudonyms / one-time pads
    • Low complexity / power hash function designs
    • Hardware-based solutions

27
PUF-Based Security
  • Physical Unclonable Function [Gassend et al. 2002]
  • PUF security is based on
    • wire delays
    • gate delays
    • quantum mechanical fluctuations
  • PUF characteristics
    • uniqueness
    • reliability
    • unpredictability
  • PUF assumptions
    • Infeasible to accurately model PUF
    • Pair-wise PUF output-collision probability is constant
    • Physical tampering will modify PUF

28
Individual Privacy in RFID
  • Privacy

(Figure labels: A, B, C)
Alice was here: A, B, C
29
Hardware Tampering Privacy Models
Allow adversary to tamper with tag's memory
Cannot provide privacy without restricting adversary - simple secret
overwrite allows tag tracking
  1. Restrict memory tampering functions - allow bit flips
  2. Purely physical privacy - no digital secrets
  3. Detect privacy compromise - detect PUF modification
30
Private Identification Algorithm
(Figure labels: ID, p(ID))
  • It is important to have
    • a reliable PUF
    • no loops in PUF chains
    • no identical PUF outputs
  • Assumptions
    • no denial of service attacks (e.g., passive adversaries, DoS
      detection/prevention mechanisms)
    • physical compromise of tags not possible

31
PUF-Based Ownership Transfer
  • Ownership Transfer
  • To maintain privacy we need
    • ownership privacy
    • forward privacy
  • Physical security is especially important
  • Solutions
    • public key cryptography (expensive)
    • knowledge of owners sequence
    • short period of privacy
    • trusted authority

32
PUF-Based MAC Algorithms
  • MAC (K, t, ?)
  • MAC based on PUF
  • Motivation: yoking-proofs, signing sensor data
  • large keys (PUF is the key)
  • cannot support arbitrary messages
  • Assumptions
    • adversary can adaptively learn poly-many (m, s) pairs
    • signature verifiers are off-line
    • tag can store a counter (to timestamp signatures)

33
Large Message Space
Assumption: tag can generate good random numbers (can be PUF-based)
Key: PUF
s(m) = c, r1, ..., rn, pc(r1, m), ..., pc(rn, m)
  • Signature verification
    • requires tag's presence
    • password-based or in radio-protected environment (Faraday cage)
    • learn pc(ri, m), 1 ≤ i ≤ n
    • verify that the desired fraction of PUF computations is correct
  • To protect against hardware tampering
    • authenticate tag before MAC verification
    • store verification password underneath PUF
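
The large-message-space signature and its threshold check, as an added Python example that is not from the presentation. The PUF is simulated with HMAC-SHA256 plus injected noise; the 16-bit response width, the seeds, the 2% error rate and the 0.9 acceptance fraction are assumed values.

```python
import hashlib
import hmac
import random
from math import ceil, comb


class SimulatedPUF:
    """Software stand-in for a tag's PUF (assumption: a real PUF stores no key).
    Each evaluation comes back corrupted with probability error_rate."""

    def __init__(self, device_seed, error_rate, rng):
        self.seed, self.error_rate, self.rng = device_seed, error_rate, rng

    def respond(self, counter, r, m):
        data = counter.to_bytes(4, "big") + r + m
        digest = hmac.new(self.seed, data, hashlib.sha256).digest()
        out = int.from_bytes(digest[:2], "big")       # 16-bit response
        if self.rng.random() < self.error_rate:
            out ^= 1 << self.rng.randrange(16)        # one noisy bit
        return out


def sign(puf, counter, m, n, rng):
    """Build s(m) = c, r1..rn, pc(r1, m)..pc(rn, m) as laid out on the slide."""
    rs = [rng.getrandbits(64).to_bytes(8, "big") for _ in range(n)]
    return counter, rs, [puf.respond(counter, r, m) for r in rs]


def verify(puf, m, sig, min_fraction=0.9):
    """Re-query the present tag for every pc(ri, m); accept when at least
    min_fraction of the positions agree with the signature."""
    counter, rs, claimed = sig
    good = sum(puf.respond(counter, r, m) == v for r, v in zip(rs, claimed))
    return good >= ceil(min_fraction * len(rs))


def accept_prob(n, min_fraction, p_match):
    """Chance that >= min_fraction*n of n independent positions match."""
    need = ceil(min_fraction * n)
    return sum(comb(n, k) * p_match**k * (1 - p_match)**(n - k)
               for k in range(need, n + 1))


def demo():
    rng = random.Random(2007)                         # constructed seed, repeatable run
    tag = SimulatedPUF(b"constructed-tag-A", 0.0, rng)
    other = SimulatedPUF(b"constructed-tag-B", 0.0, rng)
    sig = sign(tag, 1, b"temp=21C", 32, rng)
    return (verify(tag, b"temp=21C", sig),            # genuine tag, same message
            verify(tag, b"temp=99C", sig),            # altered message
            verify(other, b"temp=21C", sig))          # different physical tag


if __name__ == "__main__":
    print(demo())
    # Two noisy evaluations at 2% error each give a per-position match of about 0.96.
    print(accept_prob(64, 0.9, 0.96), accept_prob(64, 0.9, 2**-16))
```

The threshold is what absorbs PUF unreliability: a genuine but noisy tag still passes with high probability, while a party guessing 16-bit responses essentially never reaches the required fraction.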

34
Small Message Space
Assumption: small and known a priori message space
PUF reliability is again crucial
Verify that the desired number of sub-signatures are valid
35
Attacks on MAC Protocols
36
Conclusions and Future Work
Hardware primitive for RFID security
Identification, MAC, Ownership Transfer, and Tag Authentication Algorithms
  • Properties
    • Physical keys
    • Protect tags from physical attacks
    • New attack models
  • Future Work
    • Design new PUF
    • Manufacture and test PUF
    • Develop PUF theory
    • New attack models

37
Talk Outline
  • Introduction to RFID
  • Reliable Object Identification
  • Multi-tag RFID Systems
  • Physical Security and Privacy
  • PUF-Based Algorithms
  • Inter-Tag Communication
  • Generalized Yoking-Proofs
  • Common Themes and Conclusion

38
Inter-Tag Communication in RFID
  • Idea: heterogeneity in ubiquitous computing
  • Applications

39
Yoking-Proofs
  • Yoking: joining together / simultaneous presence of multiple tags
  • Key Observation: passive tags can communicate with each other
    through reader
  • Problem Statement: generate proof that a group of passive tags were
    identified nearly-simultaneously
  • Applications: verify that
    • medicine bottle sold together with instructions
    • tools sold together with safety devices
    • matching parts were delivered together
    • several forms of ID were presented

40
Assumptions and Goals
  • Assumptions
    • Tags are passive
    • Tags have limited computational abilities
    • Tags can compute a keyed hash function
    • Tags can maintain some state
    • Verifier is trusted and powerful
  • Solution Goals
    • Allow readers to be adversarial
    • Make valid proofs improbable to forge
    • Allow verifier to verify proofs off-line
    • Detect replays of valid proofs
  • Timer on-board a tag
    • Capacitor discharge can implement timeout

41
Generalized Yoking-Proof Protocol
Idea: construct a chain of mutually dependent MACs
(Figure labels: 1, 2, 3, 4, 5)
Anonymous Yoking: tags keep their identities private
42
Related Work on Yoking-Proofs
  • [Juels 2004]
    • protocol is limited to two tags
    • no timely timer update (minor/crucial omission)
  • [Saito and Sakurai 2005]
    • solution relies on timestamps generated by trusted database
    • violates original problem statement
    • one tag is assumed to be more powerful than the others
    • vulnerable to future timestamp attack
  • [Piramuthu 2006]
    • discusses inapplicable replay-attack problem of Juels' protocol
    • independently observes the problem with Saito/Sakurai protocol
    • proposed fix only works for a pair of tags
    • violates original problem statement

43
Talk Outline
  • Introduction to RFID
  • Reliable Object Identification
  • Multi-tag RFID Systems
  • Physical Security and Privacy
  • PUF-Based Algorithms
  • Inter-Tag Communication
  • Generalized Yoking-Proofs
  • Common Themes and Conclusion

44
Common Themes
45
Conclusion and Future Research
  • Contributions
  • Future Research
    • More multi-tag tests
    • Object localization using multi-tags
    • Split tag functionality between tags
    • Prevent adversarial merchandize inventorization
    • PUF design
    • More examples of inter-tag communication
    • Applications of RFID

46
Publications
  • L. Bolotnyy and G. Robins, Multi-tag Radio
    Frequency Identification Systems, IEEE Workshop
    on Automatic Identification Advanced Technologies
    (Auto-ID), Oct. 2005.
  • L. Bolotnyy and G. Robins, Randomized
    Pseudo-Random Function Tree Walking Algorithm for
    Secure Radio-Frequency Identification, IEEE
    Workshop on Automatic Identification Advanced
    Technologies (Auto-ID), Oct. 2005.
  • L. Bolotnyy and G. Robins, Generalized Yoking
    Proofs for a Group of Radio Frequency
    Identification Tags, International Conference on
    Mobile and Ubiquitous Systems (Mobiquitous), San
    Jose, CA, July 2006.
  • L. Bolotnyy and G. Robins, Physically Unclonable
    Function-Based Security and Privacy in RFID
    Systems, IEEE International Conference on
    Pervasive Computing and Communications (PerCom),
    New York, March 2007.
  • L. Bolotnyy, S. Krize, and G. Robins, The
    Practicality of Multi-Tag RFID Systems,
    International Workshop on RFID Technology -
    Concepts, Applications, Challenges (IWRT),
    Madeira, Portugal, June 2007.
  • L. Bolotnyy and G. Robins, The Case for Multi-Tag
    RFID Systems, International Conference on
    Wireless Algorithms, Systems and Applications
    (WASA), Chicago, Aug. 2007.
  • L. Bolotnyy and G. Robins, Multi-Tag RFID
    Systems, International Journal of Internet and
    Protocol Technology, Special issue on RFID
    Technologies, Applications, and Trends, 2(3/4),
    2007.
  • 1 conference and 1 journal paper in submission
  • 2 invited book chapters in preparation: Security
    in RFID and Sensor Networks, to be published by
    Auerbach Publications, CRC Press, Taylor & Francis
    Group

47
More Successes
  • Deutsche Telekom (largest in EU) offered to
    patent our multi-tags idea.
  • Received $450,000 NSF Cyber Trust grant, 2007
    (PI: Gabriel Robins).
  • Technical Program Committee member: International
    Workshop on RFID Technology - Concepts,
    Applications, Challenges (IWRT), Barcelona,
    Spain, June 2008.
  • Our papers and presentation slides used in
    lecture-based undergraduate/graduate courses
    (e.g., Rice University, George Washington University).

49
Thank You!
Dissertation Committee: Gabriel Robins (advisor), Dave Evans, Paul
Reynolds, Nina Mishra, and Ben Calhoun
Stephen Wilson, Blaise Gassend, Daihyun Lim, Karsten Nohl, Patrick
Graydon, and Scott Krize
Questions?
lbol_at_cs.virginia.edu
www.cs.virginia.edu/lb9xk
50
BACK UP SLIDES: NOT USED DURING PRESENTATION
51
Types of Multi-Tags
52
Controlling Variables
  1. Radio noise
  2. Tag variability
  3. Reader variability
  4. Reader power level
  5. Distance to objects; type, # of antennas

53
Circular Antennas vs. Multi-Tags
Power: 31.6 dBm
(Plot: Detection Probability vs. Object Number, objects 1 to 20)
54
Power
  • Decrease in detection with decrease in power
  • More rapid decrease in detection for circular
    antennas

55
Multi-Tags on Metals and Liquids
  • Low detection probabilities
  • Drop in detection at low power
  • Linear antennas outperform circular
  • Multi-tags better than multiple readers

56
Detection Delta
(Chart: detection deltas 0.030, 0.014, 0.029, 0.036, each shown for 1 tag, 2 tags and 3 tags)
57
Anti-Collision Algorithms
Algorithm        Redundant Tags     Connected-Tags
Binary           No Effect          No Effect
Binary Variant   No Effect          No Effect
Randomized       Linear Increase    No Effect
STAC             Causes DoS         No Effect
Slotted Aloha    Linear Increase    No Effect

Assuming tags communicate to form a single response
If all tags are detected
58
Business Case for RFID
  • Costs benefits (business case)
    • Moore's law
    • higher employee productivity
    • automated business processes
    • workforce reduction
  • Tag manufacturing yield and testing
    • 30% of chips damaged during manufacturing
    • 15% damaged during printing [U.S. GAO]
    • 20% tag failure rate in field [RFID Journal]
    • 5% of tags purchased marked defective

59
RFID Tag Demand
  • Demand drivers
  • tag cost
  • desire to stay competitive
  • Cost effective tag design techniques
  • memory design (self-adaptive silicon)
  • assembly technology (fluidic self assembly)
  • antenna design (antenna material)

60
Thesis
Multi-tags can considerably improve reliability in RFID systems at a
reasonable cost; effective PUF implementations can enable
hardware-tampering resistant algorithms for RFID security and privacy;
generalized yoking-proofs can provide auditing mechanisms for the
near-simultaneous reading of multiple RFID tags.
61
Related Work on PUF
  • Optical PUF [Ravikanth 2001]
  • Silicon PUF [Gassend et al. 2002]
    • Design, implementation, simulation, manufacturing
    • Authentication algorithm
    • Controlled PUF
  • PUF in RFID
    • Identification/authentication [Ranasinghe et al. 2004]
    • Off-line reader authentication using public key cryptography
      [Tuyls et al. 2006]

62
Privacy Model
Experiment
  1. A passive adversary observes polynomially-many
    rounds of reader-tag communications with
    multiple tags
  2. An adversary selects 2 tags
  3. The reader randomly and privately selects one of
    the 2 tags and runs one identification round with
    the selected tag
  4. An adversary determines the tag that the reader
    selected

Definition: The algorithm is privacy-preserving if an adversary cannot
determine the reader-selected tag with probability substantially greater
than ½.
Theorem: Given random oracle assumption for PUFs, an adversary has no
advantage in the above experiment.
63
Improving Reliability of Responses
  • Run PUF multiple times for same ID; pick majority
  • Create tuples of multi-PUF computed IDs; identify a tag based on at
    least one valid position value

(ID1, ID2, ID3)
64
Choosing # of PUF Computations
probv(n, 0.1n, 0.02)
probf(n, 0.1n, 0.4)
65
MAC Large Message Space Theorem
Given random oracle assumption for a PUF, the
probability that an adversary could forge a
signature for a message is bounded from above by
the tag impersonation probability.
66
MAC Small Message Space Theorem
Given random oracle assumption for a PUF, the
probability that an adversary could forge a
signature for a message is bounded by the tag
impersonation probability times the number of
sub-signatures.
67
Purely Physical Ownership Transfer
oid h(counter)
r1, a hs(r0, r1)
counter counter - 1
Challenges sent to tag in increasing order
  • Properties
  • All PUF computations must be correct
  • PUF-based random number generator
  • Physical write-once counter
  • oid is calculated for each identification
  • Inherently limited # of owners

68
Using PUF to Detect and Restore Privacy of
Compromised System
(Figure: node labels s1,0 to s1,1; s2,0 to s2,3; s3,0 to s3,7)
  1. Detect potential tag compromise
  2. Update secrets of affected tags

69
PUF vs. Digital Hash Function
  • Reference PUF: 545 gates for 64-bit input
    • 6 to 8 gates for each input bit
    • 33 gates to measure the delay
  • Low gate count of PUF has a cost
    • probabilistic outputs
    • difficult to characterize analytically
    • non-unique computation
    • extra back-end storage
  • Different attack target for adversaries
    • model building rather than key discovery
  • Physical security
    • hard to break tag and remain undetected

70
PUF Design
  • Attacks on PUF
    • impersonation
    • modeling
    • hardware tampering
    • side-channel
  • Weaknesses of existing PUF
    • reliability
  • New PUF design
    • no oscillating circuit
    • sub-threshold voltage
  • Compare different non-linear delay approaches

71
PUF Contribution and Motivation
  • Contribution
    • Physical privacy models
    • Privacy-preserving tag identification algorithm
    • Ownership transfer algorithm
    • Secure MAC algorithms
    • Comparison of PUF with digital hash functions
  • Motivation
    • Digital crypto implementations require 1000s of gates
    • Low-cost alternatives
      • Pseudonyms / one-time pads
      • Low complexity / power hash function designs
      • Hardware-based solutions

72
Speeding Up The Yoking Protocol
Idea: split cycle into several sequences of dependent MACs
starting / closing tags
  • Requires
    • multiple readers or multiple antennas
    • anti-collision protocol