Title: Security and Privacy for RFID Systems
1Security and Privacy for RFID Systems
- Burt Kaliski, RSA Security
- RSA Conference Japan 2004
2Objectives
- Describe security and privacy attributes for RFID
systems - Extensions of standard network security and
privacy attributes, but more challenging and
complex - Motivate research and development into safe
RFID deployments, where security and privacy are
built in - Part of the benefit, also part of the cost
- Variety of RFID systems are contemplated
- Low-cost EPC tags
- Proximity cards
- Payment cards
-
- Attributes apply to differing extent to each type
of system
3General Model
- Readers interact with tags
- Readers report tag events to applications
- Applications record tag events in tag databases
- Users, applications implement business processes
using tag databases
4General Model
application server
reader
tag
database
5Security and Privacy Attributes
- Tag privacy
- Tag authenticity
- Reader security
- Tag database security
- Attributes are ideals, not necessarily
requirements - Applications need to make a cost/benefit tradeoff
61 Tag Privacy
- IdealOnly authorized applications should be
able to identify tags - Identify associate with other information
- e.g., determine actual identity link to previous
tag events - Readers may be able to scan tags, but results
should not be meaningful to application unless
authorized - Authorized having permission according to some
privacy policy - Store X can identify its own unpurchased tags,
but not purchased ones - Company Y can identify tags only for products it
has ordered - Extension Tag Access Management Applications
should not be able to access tag data or control
tags without authorization - e.g., kill command
7Tag Privacy Threats and Challenges
- Threats
- Rogue scanning
- e.g., by stores, competitors, thieves
- Passive eavesdropping on reader-to-tag
transmissions - Eavesdropping on tag possible at a short
distance, but some tag singulation protocols
are vulnerable to long-distance eavesdropping on
the reader - Challenges
- Tag cost, power may limit crypto capabilities
- Readers may be offline, so may need to be
provisioned with authentication data for many tags
8Eavesdropping at a Distance
- In the main EPC protocol for scanning RFID tags,
the reader considers the tags as belonging to a
binary tree - The reader addresses or singulates individual
tags by a tree-walking protocol using depth-first
search - Each subtree T corresponds to an identifier
prefix - Reader searches T by sending prefix, asking tags
for their next bit - If all 0, searches Left(T)
- If all 1, searches Right(T)
- If both 0 and 1, searches Left(T) and
Right(T) - Prefixes send by reader reveal tag identifiers
and can be heard at a long distance
9Tag Privacy Approaches (1)
- Deactivation
- Tag killed at point of sale
- Protects against rogue scanning, but doesnt
defend against passive eavesdropping on
authorized scanners - And tags are too useful to kill universally, and
not easy to reactivate securely - Public-key protocol
- Tag interacts with reader by public-key protocol
that authenticates reader, then encrypts tag
identifier with readers public key - Protects against both threats
- But too heavyweight for todays low-end tags
10The Reactivation Dilemma
- San Francisco Public Library announced in October
2003 a plan to identify library books with RFID
tags - Tag deactivation proposed to address privacy
concerns - If you deactivate the tag when a book is checked
out, how do you reactivate it when checked in? - Reactivation command must be authenticated
- Public-key methods too heavyweight
- So command needs a shared secret
- The dilemma Which secret?
- If a tag-specific secret, how does reader know
which one? - And if not tag-specific, then its not a secret
11Tag Privacy Approaches (2)
- User intervention
- User presses button on tag to authorize scanning
- Protects against rogue scanning if user can
identify unauthorized readers, but not passive
eavesdropping - Not suitable within supply chain
- Blocker tags (Juels, Rivest, Szydlo)
- User carries special blocker tag that interferes
with singulation protocol within private subtrees - Always answers 0 and 1 within subtree
- Protects against both threats for private tags
when applied - Again not suitable within supply chain
12Tag Privacy Approaches (3)
- Silent tree-walking (Weis et al.)
- Singulation protocol modified so that search
process doesnt reveal actual identifier - e.g., tag singulates with a random identifier,
then quietly sends actual identifier - Protects against passive eavesdropping from a
distance, but not rogue scanning - One-time identifiers (aka pseudonym tag)
(Juels) - Tag steps through multiple identifiers, linkable
to tags actual identity only by authorized
applications - Protects against both threats if enough
identifiers - Or if scanning rate somehow limited by tag
- But how to manage a large supply of identifiers?
132 Tag Authenticity
- IdealOnly authorized applications should be
able to produce valid tags - Valid having an identity recognized by
authorized application - Authorized e.g.
- Only manufacturer Z can produce tags
recognizable as being from Z
14Tag Authenticity Threats, Challenges
- Threats
- Cloning copying existing tags
- Forgery making new tags with a valid identity
- Relabeling (transferring a tag from one physical
item to another) requires physical
countermeasures, not addressed here - Grandmaster attack (spoofing tag and reader
simultaneously by relaying messages between them)
also requires physical countermeasures - Challenges
- Tag cost, power may limit crypto capabilities
- Cost and form factor likewise may limit
tamper-resistance
15Tag Authenticity Approaches (1)
- Track and trace
- Application anticipates tag movements, detects
and reports fraud - anomalies and duplicates
- No secrets on tag
- Protects against both threats but only after
the fact - Challenge-response
- Tag interacts with reader by challenge-response
protocol based on tag-specific secret key - Protects against both threats
- But a little (or a lot) heavyweight
- Feasible for payment cards
16Tag Authenticity Approaches (2)
- Static authentication (e.g., as in EMV spec.)
- Tag identifier includes a digital signature or
MAC, or is itself an application secret - No crypto needed on tag
- Protects against forgery, but not cloning
- Static authentication with public-key protocol
(e.g., SAML) - Tag authenticates reader by public-key protocol,
then encrypts static authenticator above with
readers public key - Only public-key operations needed on tag no tag
secret key - Protects against both threats, assuming readers
trustworthy - Still too heavyweight for low-end tags
- Again feasible for payment cards
17Tag Authenticity Approaches (3)
- Pseudonym tag with mutual authentication (Juels)
- Three-part protocol
- Tag presents one-time identifier
- Reader sends corresponding one-time PIN
- Tag returns its own one-time PIN for authenticity
- Protects against both threats if enough
identifiers - But again, how to manage a large supply of
identifiers?
183 Reader Security
- Ideala) Only authorized applications should be
able to interact with readers (e.g., to obtain
information about tag events) - b) Only authorized readers should be able to
provide information about tag events to an
application - Authorized having permission under some policy
- Company A can obtain information from its own
readers, but not Company Bs readers - Store Cs readers can provide tag events to
Store C, but not Store Ds readers
19Reader Security Threats, Challenges
- Threats
- Eavesdropping on reader-to-application
transmissions - Insertion, deletion, modification of tag events
- e.g., bogus readers
- Reader compromise (e.g., by intrusion) requires
IT security countermeasures, not addressed here - Challenges
- Readers need to be swapped in and out in the
field, which complicates key management - Reader cost, power may limit crypto capabilities
- though not nearly to the extent that tags are
limited
20Reader Security Approaches
- Basically, standard security protocols
- Application, reader authenticate each other,
establish a session key - Public-key or symmetric-key based protocol
- But how to determine which keys (i.e., readers
and applications) are authorized? - Tag event data encrypted and integrity-protected
with session key - Examples IPsec TLS WiFi
- Though some computational cost, crypto
capabilities will continue to improve, following
general trend in wireless and wired security - Further research may yield more interesting
approaches
214 Tag Database Security
- IdealOnly authorized applications and users
should be able to access online tag information
databases - Authorized having permission according to some
policy among parties - Administrator E can read tag information from
Company Fs database - Applications at Supplier G can query only about
Supplier Gs tags from Retailer Hs database
22Tag Database Security Threats and Challenges
- Threats
- Disclosure of information about tags
- Modification
- Traffic analysis, etc.
- Challenges
- Tag databases potentially need to be available to
many parties - Suppliers, retailers, consumers, auditors,
- Information about a given tag may be managed in
many places, and/or may change hands over time - Even referrals on lookups can reveal competitive
information!
23Tag Database Security Approaches
- Basically, good distributed database / Web
services security - Application, users authenticate, obtain
authorization - Database / Web service decides whether to accept
request based on authorization - But questions remain
- Which database(s) to query about a given tag? Is
the application or user authorized to find out
even this much? - How to manage authorizations across supply chain?
- More for another presentation
24Conclusions
- Security and privacy challenges are significant
in the emerging RFID infrastructure, yet
approaches are available or being developed to
address them - Solutions can combine approaches to achieve
security and privacy attributes at various levels
(and costs) according to policy, business
requirements - The reward from an RFID deployment tomorrow
depends on the investment in security and privacy
in the design today
25For More Information
- S. Sarma et al., Radio-Frequency Identification
Security Risks and Challenges, CryptoBytes 6(1),
Spring 2003, http//www.rsasecurity.com/rsalabs/cr
yptobytes/ - S. Weis home page, http//theory.lcs.mit.edu/swei
s/ - RFID privacy and security page, RSA Laboratories,
http//www.rsasecurity.com/rsalabs/rfid/
26Contact Information
- Burt KaliskiChief Scientist, RSA
SecurityDirector, RSA Laboratoriesbkaliski_at_rsase
curity.comhttp//www.rsasecurity.com/rsalabs/