Title: Type Qualifiers for Security
1. Privacy in pervasive computing: What can technologists do?
David Wagner, U.C. Berkeley
In collaboration with David Molnar, Andrea Soppera, Ari Juels

2. The tide is turning...
Pervasive computing is coming...
It's time to get serious about privacy.

3. Outline
- RFID and identification systems
- Protocols for private identification
- The challenge of scalability: trees of secrets

4. Identification systems
- Example applications
  - Electronic passports
  - ID cards and badges
  - Proximity cards, building access control
  - Automatic payment systems (FasTrak, EZPass)
  - Item tagging: tracking, inventory management
- Key technologies
  - RFID
  - Contactless smart cards
Challenge: privacy (and security) for ID systems

5. Introduction to RFID
RFID tags are passive, powered by the reader, and carry an identity.
Privacy issues: unwanted tracking of people and items.
[Figure: the reader supplies power to the tag; the tag returns its identity.]

6. RFID systems are resource-limited
- Tags might lack writable non-volatile memory
  - It takes more energy to permanently write bits
  - Thus, state might only last as long as the tag is powered
- Cryptography is expensive
  - Public-key is out of reach for all but the priciest tags
  - AES within reach for mid-class tags? [Feldhofer]
  - Can't take random number generation for granted
- Readers might not be network-connected

7. RFID technologies vary widely

  Standard     Example use             Cost       Computation       Intended read range
  ISO 14443    E-passports, ID cards   US$5       3DES, RSA         10cm
  ISO 15693    Library books           US$0.50    sym.-key crypto   1m
  EPC          WalMart                 US$0.20    no crypto         3m

8. Read range?
Figures are given as short-range tag / long-range tag (the 10cm and 3m classes above):
- normal reader: 10cm / 3m
- malicious reader: 50cm / 15m
- eavesdrop on tag: ???
- eavesdrop on reader: 50m / ???

9. Simple trick: defeating eavesdropping on the forward link
The reader's transmissions can be overheard from much farther away than the tag's replies, so the reader masks what it sends with a random value that only a nearby eavesdropper could have heard:
Reader -> Tag: "go ahead"
Tag: picks random r
Tag -> Reader: r
Reader: wants to send m
Reader -> Tag: m ⊕ r
Appears in the EPC Gen II standards.

10. A first attempt at defeating eavesdropping and unauthorized tag-reading
[Figure: tag and reader both hold the key k; the tag sends the pseudonym E_k(r, ID).]
- Problem: all tags and readers share the same key k
  - If any tag is compromised, all security is lost
  - If any reader is compromised, all security is lost
- Risk: massive data spills.

11. Take 2: independently keyed tags
[Figure: tags (k_1, ID_1) ... (k_N, ID_N); tag i sends the pseudonym (r, F_{k_i}(r)); the reader scans through all keys to find the k_i that decodes it.]
- Problem: doesn't scale.
  - Takes O(N) work to decode each pseudonym

12. Private identification protocols
- Goal: a tag <-> reader protocol, providing
  - Identification: authorized reader learns the tag's identity
  - Privacy: unauthorized readers learn nothing
    - Attacker cannot even link two sightings of the same tag
  - Authentication: tag identity cannot be spoofed
  - Scalability: can be used with many tags
A non-trivial technical challenge, with many possible applications.

13. A beautiful method for private identification
[Figure: tags are grouped; group i has key k_i, and tag j in group i holds (i, k_ij, ID_ij). Tag ij sends the pseudonym (r, F_{k_i}(r), F_{k_ij}(r)); the reader holds all k_i, k_ij and decodes i first, then j.]
- More scalable: O(√N) work to decode each pseudonym
  - First, scan all k_i to learn i
  - Then, scan all k_ij to learn j and thus the tag identity

14. The tree of secrets
[Figure: a binary tree of keys; k_0 and k_1 at the first level, with children k_00, k_01 and k_10, k_11.]
Tag <-> leaf of the tree. Each tag receives the keys on the path from its leaf to the root. Tag ij generates pseudonyms as (r, F_{k_i}(r), F_{k_ij}(r)). The reader can decode a pseudonym using a depth-first search.

15. Analysis: tree of secrets
- Generalizations
  - Use any depth of tree (e.g., lg N)
  - Use any branching factor (e.g., 2^10)
  - Use any other identification scheme (e.g., mutual auth)
- Theory vs. a concrete example:
    Number of tags    N          2^20 tags
    Tag storage       O(lg N)    128 bits
    Tag work          O(lg N)    2 PRF invocations
    Communications    O(lg N)    138 bits
    Reader work       O(lg N)    2 × 2^10 PRF invocations
- Privacy degrades gracefully if tags are compromised

16. Reducing trust in readers
[Figure: the reader forwards the tag's pseudonym (r, F_{k_i}(r), F_{k_ij}(r)) to a Trusted Center, which holds the keys k_i, k_ij together with ⟨k_ij, Policy_ij⟩ for each tag and returns ID_ij to the reader.]
If readers are online, the Trusted Center can do the decoding for them, and enforce a privacy policy for each tag. No keys stored at the reader => less chance of privacy spills.

17. Reducing trust: delegation
[Figure: the Trusted Center, holding k_i, k_ij and ⟨k_ij, Policy_ij⟩, hands the reader the key k_ij for tag ID_ij; the reader can then decode that tag's pseudonyms (r, F_{k_i}(r), F_{k_ij}(r)) itself.]
For offline or partially disconnected readers, the power to decode pseudonyms for a single tag can be delegated to designated readers. Reader workload: O(D) per pseudonym, where D = number of tags delegated to this reader.

18. Time-limited delegation
[Figure: the reader asks the Trusted Center for (ID_ij, L, R) and receives keys that are only good for decoding the L-th through R-th pseudonyms from tag ID_ij; the tag holds ctr, k_i, k_ij.]
Even less trust: the reader gets access to the next 100 pseudonyms from this tag (say), and nothing more.

19. Enabling time-limited delegation
[Figure: the tree of secrets extended downward with GGM levels; below k_00 sit k_000, k_001, and below those k_0000, k_0001, k_0010, k_0011.]
Use GGM at the lower levels: (k_s0, k_s1) = G(k_s). The tag uses the leaves sequentially; the reader gets keys for a subset.
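The following is an added worked example, not code from the slides, showing the mechanism of slides 18 and 19 below a single tag's key: the tag's subtree is expanded with the GGM construction (k_s0, k_s1) = G(k_s), the tag uses leaf ctr for its ctr-th pseudonym, and the Trusted Center delegates the L-th through R-th pseudonyms by handing out the smallest set of subtree roots whose leaves are exactly L..R, so the reader can derive those leaf keys and no others. Assumptions: G is built from HMAC-SHA256 with a one-byte label, F is again truncated HMAC-SHA256, the tag's subtree has depth 4 (16 pseudonyms, a demo size), and the upper-level components F_{k_i}(r) of the full pseudonym are left out to keep the focus on the GGM part.

```python
import hmac
import hashlib
import os


def prf(key: bytes, r: bytes) -> bytes:
    """F_k(r), instantiated as HMAC-SHA256 truncated to 64 bits (an assumption)."""
    return hmac.new(key, r, hashlib.sha256).digest()[:8]


def ggm_children(k_s: bytes):
    """G(k_s) = (k_s0, k_s1): the length-doubling PRG of GGM, built here from HMAC-SHA256."""
    return (hmac.new(k_s, b"\x00", hashlib.sha256).digest()[:16],
            hmac.new(k_s, b"\x01", hashlib.sha256).digest()[:16])


def leaf_key(root: bytes, depth: int, index: int) -> bytes:
    """Walk the GGM tree from the tag's subtree root to leaf `index` (bits of index, MSB first)."""
    k = root
    for bit in format(index, f"0{depth}b"):
        k = ggm_children(k)[int(bit)]
    return k


def delegate(root: bytes, depth: int, L: int, R: int):
    """Trusted Center: smallest set of subtree roots whose leaves are exactly L..R inclusive.
    Returns [(bit-prefix, key)]; the reader can derive the leaves under these and nothing else."""
    out = []

    def rec(k, prefix, lo, hi):
        if hi < L or lo > R:          # subtree entirely outside the window: give nothing
            return
        if L <= lo and hi <= R:       # subtree entirely inside: its root alone suffices
            out.append((prefix, k))
            return
        mid = (lo + hi) // 2          # straddles the window: descend one level
        k0, k1 = ggm_children(k)
        rec(k0, prefix + "0", lo, mid)
        rec(k1, prefix + "1", mid + 1, hi)

    rec(root, "", 0, 2 ** depth - 1)
    return out


def reader_leaves(delegated, depth: int):
    """Reader: expand the delegated subtree roots into {leaf index: leaf key}."""
    leaves = {}

    def expand(k, prefix):
        if len(prefix) == depth:
            leaves[int(prefix, 2)] = k
            return
        k0, k1 = ggm_children(k)
        expand(k0, prefix + "0")
        expand(k1, prefix + "1")

    for prefix, k in delegated:
        expand(k, prefix)
    return leaves


def tag_pseudonym(root: bytes, depth: int, ctr: int, r: bytes = None):
    """Tag: its ctr-th pseudonym uses GGM leaf ctr (the tag walks its leaves in order)."""
    r = r if r is not None else os.urandom(8)
    return r, prf(leaf_key(root, depth, ctr), r)


def reader_decode(leaves, pseudonym):
    """Reader: match the pseudonym against the leaf keys it was given; None if outside its window."""
    r, t = pseudonym
    for idx, k in leaves.items():
        if prf(k, r) == t:
            return idx
    return None


if __name__ == "__main__":
    root, depth = os.urandom(16), 4   # the tag's subtree root k_ij; 2^4 pseudonyms (demo size)
    grant = delegate(root, depth, 3, 9)
    print([prefix for prefix, _ in grant])                    # ['0011', '01', '100']: 3 keys cover 7 leaves
    mine = reader_leaves(grant, depth)
    print(reader_decode(mine, tag_pseudonym(root, depth, 6)))   # 6: inside the delegated window
    print(reader_decode(mine, tag_pseudonym(root, depth, 10)))  # None: the reader cannot go past R
```

Because G is one-way, holding k_01 lets the reader derive leaves 4..7 but says nothing about k_00 or k_1, so the grant for leaves 3..9 really is three keys rather than seven, and the reader is stuck as soon as the tag's counter moves past R. The tag side needs only ctr plus its path keys, matching the "ctr, k_i, k_ij" on the slide.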

20. Conclusions
- Identification systems: an exciting research area
  - Privacy is central
  - Many non-trivial technical challenges, many opportunities for clever solutions
  - There's still time to have an impact on deployments
- Research question: private identification protocols
  - Tree schemes have useful properties
  - Can we do better? Can we do without persistent state?
  - Recent work: controlling readers with Trusted Computing (to appear at WPES'05)