Type Qualifiers for Security - PowerPoint PPT Presentation

Slides: 21
Provided by: davidw102
Transcript and Presenter's Notes

1
Privacy in pervasive computing: What can technologists do?
David Wagner, U.C. Berkeley
In collaboration with David Molnar, Andrea Soppera, Ari Juels
2
The tide is turning...
Pervasive computing is coming...
It's time to get serious about privacy.
3
Outline
  • RFID and identification systems
  • Protocols for private identification
  • The challenge of scalability: trees of secrets

4
Identification systems
  • Example applications
    • Electronic passports
    • ID cards and badges
    • Proximity cards, building access control
    • Automatic payment systems (Fastrak, EZPass)
    • Item tagging: tracking, inventory management
  • Key technologies
    • RFID
    • Contactless smart card

Challenge: privacy (and security) for ID systems
5
Introduction to RFID
RFID tags are passive, powered by reader, carry identity.
Privacy issues: Unwanted tracking of people and items.
[Diagram: Reader and Tag, with links labelled Power and Identity]
6
RFID systems are resource-limited
  • Tags might lack writable non-volatile memory
    • Takes more energy to permanently write bits
    • Thus, state might only last as long as tag is powered
  • Cryptography is expensive
    • Public-key out of reach for all but priciest tags
    • AES within reach for mid-class tags? [Feldhofer]
  • Can't take random number generation for granted
  • Readers might not be network-connected

7
RFID technologies vary widely
  • ISO 14443: E-passports, ID cards; US$5; 3DES, RSA; 10cm
  • ISO 15693: Library books; US$0.50; sym.-key crypto; 1m
  • EPC: WalMart; US$0.20; no crypto; 3m
[Chart axes: Computation; Intended read range]
8
Read range?
  • normal reader (10cm / 3m)
  • malicious reader (50cm / 15m)
  • eavesdrop on tag (???)
  • eavesdrop on reader (50m / ???)
9
Simple trick: Defeating eavesdropping on forward link
Reader (wants to send m) -> Tag: go ahead
Tag (picks random r) -> Reader: r
Reader -> Tag: m ⊕ r
Appears in EPC Gen II standards.
10
A first attempt at defeating eavesdropping and unauthorized tag-reading
Tag -> Reader: pseudonym E_k(r, ID)
[Diagram: tag and reader each hold k]
  • Problem: All tags and readers share the same key k
    • If any tag is compromised, all security is lost
    • If any reader is compromised, all security is lost
  • Risk: Massive data spills.

11
Take 2: Independently keyed tags
Reader holds (k_1, ID_1), ..., (k_N, ID_N); tag i holds k_i
Tag -> Reader: pseudonym r, F_{k_i}(r)
Reader scans through all keys to decode
  • Problem: Doesn't scale.
    • Takes O(N) work to decode each pseudonym

12
Private identification protocols
  • Goal: a tag <-> reader protocol, providing
    • Identification: Authorized reader learns tag's identity
    • Privacy: Unauthorized readers learn nothing
      • Attacker cannot even link two sightings of same tag
    • Authentication: Tag identity cannot be spoofed
    • Scalability: Can be used with many tags

A non-trivial technical challenge, with many possible applications.
13
A beautiful method for private identification
Reader holds (k_i, i) and (i, k_ij, ID_ij); tag ij holds k_i, k_ij
Tag -> Reader: pseudonym r, F_{k_i}(r), F_{k_ij}(r)
Reader decodes i, then j
  • More scalable: O(√N) work to decode each pseudonym
    • First, scan all k_i to learn i
    • Then, scan all k_ij to learn j and thus tag identity

14
The tree of secrets

[Figure: binary tree of keys; first level k_0, k_1; leaves k_00, k_01, k_10, k_11]
Each tag corresponds to a leaf of the tree.
Each tag receives the keys on the path from leaf to the root.
Tag ij generates pseudonyms as (r, F_{k_i}(r), F_{k_ij}(r)).
Reader can decode pseudonym using a depth-first search.
15
Analysis: tree of secrets
  • Generalizations
    • Use any depth tree (e.g., lg N)
    • Use any branching factor (e.g., 2^10)
    • Use any other identification scheme (e.g., mutual auth)
  • Theory / A concrete example
    • Number of tags: N / 2^20 tags
    • Tag storage: O(lg N) / 128 bits
    • Tag work: O(lg N) / 2 PRF invocations
    • Communications: O(lg N) / 138 bits
    • Reader work: O(lg N) / 2 × 2^10 PRF invocations
  • Privacy degrades gracefully if tags are compromised

16
Reducing trust in readers
Tag -> Reader: r, F_{k_i}(r), F_{k_ij}(r)
Reader -> Trusted Center: r, F_{k_i}(r), F_{k_ij}(r)
Trusted Center -> Reader: ID_ij
[Diagram: tag holds k_i, k_ij; Trusted Center holds ..., (k_ij, Policy_ij), ...]
If readers are online, Trusted Center can do decoding for them, and enforce a privacy policy for each tag.
No keys stored at reader => less chance of privacy spills.
17
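Reducing trust: Delegation
[Diagram: Reader, Trusted Center and Tag. Labels between Reader and Trusted Center: ID_ij, k_ij. Trusted Center holds ..., (k_ij, Policy_ij), ...; reader holds k_ij; tag holds k_i, k_ij and sends r, F_{k_i}(r), F_{k_ij}(r)]
For offline or partially disconnected readers, can delegate power to decode pseudonyms for a single tag to designated readers.
Reader workload: O(D) per pseudonym, where D = # of tags delegated to this reader.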
18
Time-limited delegation
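[Diagram: Reader, Trusted Center and Tag. Labels between Reader and Trusted Center: ID_ij, L, R; keys. Tag holds ctr, k_i, k_ij and sends a pseudonym]
Keys are only good for decoding L-th through R-th pseudonyms from tag ID_ij.
Even less trust: Reader gets access to the next 100 pseudonyms from this tag (say), and nothing more.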
19
Enabling time-limited delegation

[Figure: key tree with upper-level keys k_0, k_1, k_00, k_01, k_10, k_11, extended below k_00 with keys k_000, k_001 and leaves k_0000, k_0001, k_0010, k_0011]
Use GGM at lower levels: (k_s0, k_s1) = G(k_s)
Tag uses leaves sequentially
Reader gets keys for a subset
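
An added example, not part of the original slides: time-limited delegation over a GGM subtree, where the Trusted Center hands a reader the smallest set of subtree keys covering the L-th through R-th leaves and the reader derives leaf keys only inside that window. HMAC-SHA256 as the generator G, 16-byte keys, and the names `delegate`, `derive` and `reader_leaf_key` are assumptions made for illustration; `root` stands for the tag key under which the GGM levels hang.

```python
import hashlib
import hmac

def G(k_s: bytes):
    """Length-doubling generator: (k_s0, k_s1) = G(k_s).
    HMAC-SHA256 with labels 0 and 1 is an assumed instantiation."""
    return (hmac.new(k_s, b"\x00", hashlib.sha256).digest()[:16],
            hmac.new(k_s, b"\x01", hashlib.sha256).digest()[:16])

def derive(key: bytes, bits: str) -> bytes:
    """Walk down from `key` following a string of '0'/'1' branches."""
    for b in bits:
        key = G(key)[int(b)]
    return key

def delegate(root: bytes, depth: int, L: int, R: int) -> dict:
    """Trusted Center side: minimal set of subtree keys covering
    leaves L..R inclusive, returned as {bit-prefix: key}."""
    grant = {}
    def walk(prefix: str, key: bytes, lo: int, hi: int):
        if hi < L or lo > R:
            return                     # subtree entirely outside the window
        if L <= lo and hi <= R:
            grant[prefix] = key        # whole subtree covered by one key
            return
        mid = (lo + hi) // 2
        k0, k1 = G(key)
        walk(prefix + "0", k0, lo, mid)
        walk(prefix + "1", k1, mid + 1, hi)
    walk("", root, 0, 2 ** depth - 1)
    return grant

def reader_leaf_key(grant: dict, depth: int, ctr: int):
    """Reader side: key for the ctr-th leaf, or None if not delegated."""
    path = format(ctr, f"0{depth}b")
    for prefix, key in grant.items():
        if path.startswith(prefix):
            return derive(key, path[len(prefix):])
    return None
```

Because G is one-way, a key for one subtree reveals nothing about its siblings or ancestors, so the reader cannot step outside the delegated range.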
20
Conclusions
  • Identification systems: an exciting research area
    • Privacy is central
    • Many non-trivial technical challenges, many opportunities for clever solutions
    • There's still time to have an impact on deployments
  • Research question: Private identification protocols
    • Tree schemes have useful properties
    • Can we do better? Can do without persistent state?
  • Recent work: Controlling readers with Trusted Computing (to appear at WPES'05)