Localization privacy
Mike Burmester, Florida State University, USA
MITACS International Focus Period Advances in Network Analysis and its Applications

Talkthrough
1. His Late Master's Voice: private localization
2. Motivation: device discovery and sensor deployments in hostile territory
3. RFID technology
4. Private localization protocols
   - with temporal and location mechanisms
   - with temporal mechanisms only
   - with location mechanisms only
5. Private localization is not possible without some kind of temporal or location information.
6. Threat model and security issues.
4/20/2911 MITACS International Focus Period

His Late Master's Voice: a motivating paradigm
Nipper listening to a recording of his late master, painted by Francis Barraud, who inherited from his late brother: Nipper, a phonograph and some recordings.
- Bob died suddenly, leaving his treasure to his sister Alice.
- Moriarty will do anything to get the treasure.
- Alice hides it together with Nipper, and promptly departs. (Nipper is a low-cost RFID device that responds only to her calls.)
- Alice can find the hidden treasure later, when Moriarty is not around.

His Late Master's Voice
Wrong painting! Not a cylinder phonograph but a gramophone.
- Each RFID tag must only respond to authorized readers.
- Each authorized RFID reader must be authenticated without being challenged by the tag: any challenge by the tag will reveal its presence/position.
- Localization privacy captures a novel aspect of privacy, extending the traditional privacy notions of anonymity and unlinkability to private localization.

Localization privacy: barking for privacy
- Anonymity and unlinkability are slightly weaker notions:
  - Even though the adversary may not be able to recognize a tag, or link the tag's interrogation sessions, by knowing its location it can identify that tag to some degree.
- Localization privacy is essentially a steganographic attribute.
  - The goal of steganography is to hide data in such a way that the adversary cannot detect its existence, while
  - the goal of private localization is to hide a device in such a way that its presence cannot be detected.

Localization privacy
- Because localization privacy is essentially a steganographic attribute, one would expect that any knowledge needed to enforce it is based on physical/environmental knowledge.
- We shall see that localization privacy can only be achieved by using non-application-layer data such as
  - temporal or
  - locational information.

Sensor deployments: motivation
- Suppose we want to deploy 10,000 sensors in a 100 km² area for passive monitoring in a hostile territory. The lifetime of the system is expected to be at least 10 years.
- Attached to the sensors are RFID tags, which are their communication interface. The tags are not networked, to prevent detection.
- Robotic armored vehicles collect the monitored data at regular intervals.

Sensor deployments in untrusted territory
Monitoring environmental data and surveillance. Deployment is not necessarily uniform.

Path of armored RFID reader: multiple interrogations

Device discovery: one-time interrogations

RFID systems
- RFID tags: a discardable technology?
  - low cost, replaceable
  - typically short-lived, but durable
- Other RFID system components, RFID readers and a backend server:
  - not necessarily low-cost
  - upgradeable
  - mid- to long-term life
- Both: may protect high-value assets

RFID tags
- Attached to, or embedded in, host objects to be identified.
- Each tag is a transponder with an RF coupling element and may also have a microprocessor.
- The coupling element has an antenna coil to capture RF power, clock pulses and data from the RFID reader.
- The microprocessor has small amounts of ROM for storing, among other information, the tag's identification, volatile RAM and (potentially) nonvolatile EEPROM.

Types of passive tags
- Smart label. Class 1 memory devices, typically Read-Only. Low-cost replacements for bar codes.
- Re-writable tags. Class 1 re-writable memory. Subject to unauthorized cloning, disabling, tracking.
- IC tags. Class 2 tags with CMOS integrated circuit and non-volatile EEPROM. Will defeat most attacks.
- BAP tags. Battery-assisted IC tags with an extended read range.

RFID readers
- An RFID reader is a device with storage, computing, and communication resources comparable to at least those of a powerful PDA.
- It is equipped with a transceiver consisting of an RF module, a control unit, and an RF coupling element to interrogate the tags.
- RFID readers implement a radio interface to the tags and also a high-level interface to the Server that processes captured data.

Backend Server
- A trusted entity that maintains a database with all the information needed to identify tags, including their identification numbers.
- Since the integrity of an RFID system is entirely dependent on the proper behavior of the Server, it is assumed that the Server is physically secure and not subject to attacks.
- As far as resources go, the Server is a powerful computing device with ample disk, memory, communication, and other resources.

Reader-tag coupling
Affects the tag's reading range & the frequencies needed.
- RFID capacitive (electric) coupling: short ranges (subcentimeter for UHF near-field)
- RFID inductive (magnetic) coupling: slightly longer ranges (submeter for UHF)
- RFID backscatter coupling: range 10 m to 100 m+
For localization privacy applications, use backscatter coupling.

Fine-grained localization
- Localization is based on analyzing RF signals emitted by the target.
- The RF waveform is influenced by the paths traveled by the signal.
- For fine granularity, the raw signal waveform must be passed to the upper layers and processed using algorithms that understand the intricate relations between the wireless environment and the signal.

Localization algorithms
Based on modeling the variations of RF signals in the environment. There are two types of algorithms. Those that:
1. Calibrate the RF signal distribution and then estimate the location.
   - Multilateration algorithms
   - Bayesian inference algorithms
2. Directly compute the location.
   - Nearest-neighbor algorithms
   - Proximity algorithms
   - Kernel-based learning algorithms

NLJ detectors
- Non-Linear Junction detectors detect covert devices based on the fact that subjecting an NLJ to a strong, high-frequency, spectrally pure microwave signal (888 or 915 MHz) will cause the junction to emit the lower harmonics of the signal.
- An NLJ detector floods the target area with high-frequency energy and detects the emitted harmonics from the target.
- Will detect any electronic device that is not shielded, even if it is switched off.

Protocol 1: Tag knows its location & the time
1. The RFID reader sends: time_r, loc_r; x = MAC_k(time_r, loc_r)
2. The tag checks it. If the values time_r, loc_r are close enough to the locally measured values, then it responds with: y = MAC_k(x)
If this is correct, the RFID reader accepts (the tag as authentic).
Here k is a secret key that the RFID reader shares with the tag.
Step 1 authenticates the reader to the tag. This step can be thought of as a `response' to the location & time challenge.

Protocol 1: Tag knows its location & time
Localization
- The actual location of the tag is determined by analyzing the RF signal waveform of its response y in Step 2, using a localization algorithm.

Protocol 1: Tag knows its location & time
Problem: Scalability
The RFID reader must send a different challenge to each one of the tags, if it does not know an approximate location of the tags.
[Public-key cryptography will address this issue: use ECC]

Protocol 2: Tag knows the time only
1. The RFID reader sends: time_r, x = MAC_k(time_r)
2. The RFID tag checks this. If it is correct, it responds with: y = MAC_k(x)
If this is correct, the RFID reader accepts.
Step 1 authenticates the reader to the tag. This step can be thought of as a `response' to the time challenge.

Protocol 2: Tag knows the time only
Problem: Clocks must be synchronized. This problem cannot be solved for lightweight applications!

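Added example (not from the original slides): a minimal model of the Step 1 / Step 2 exchange of Protocols 1 and 2, showing that the tag stays silent unless the reader's challenge is fresh, nearby and correctly MACed. HMAC-SHA256 as MAC_k, integer seconds for time_r, planar coordinates in metres for loc_r, the max_skew / max_dist thresholds and all function and class names are assumptions made for illustration.

```python
import hashlib
import hmac
import math
import struct

def mac(key, data):
    # MAC_k instantiated with HMAC-SHA256 (assumption; the slides leave MAC_k abstract)
    return hmac.new(key, data, hashlib.sha256).digest()

def encode(time_r, loc_r=None):
    # Fixed-width encoding (assumed): 64-bit time, optional (x, y) position in metres
    out = struct.pack(">Q", time_r)
    return out if loc_r is None else out + struct.pack(">dd", *loc_r)

def reader_challenge(key, time_r, loc_r=None):
    # Step 1: reader sends time_r[, loc_r] and x = MAC_k(time_r[, loc_r])
    return time_r, loc_r, mac(key, encode(time_r, loc_r))

class Tag:
    def __init__(self, key, loc=None, max_skew=5, max_dist=100.0):
        self.key, self.loc = key, loc          # loc=None models Protocol 2 (time only)
        self.max_skew, self.max_dist = max_skew, max_dist

    def on_challenge(self, now, time_r, loc_r, x):
        """Step 2: return y = MAC_k(x), or None, meaning the tag stays silent."""
        if abs(now - time_r) > self.max_skew:
            return None                        # stale or replayed challenge
        if self.loc is not None:
            if loc_r is None or math.dist(self.loc, loc_r) > self.max_dist:
                return None                    # claimed reader position too far away
        if not hmac.compare_digest(x, mac(self.key, encode(time_r, loc_r))):
            return None                        # not an authorized reader
        return mac(self.key, x)

def reader_accepts(key, x, y):
    # Reader accepts the tag only if y = MAC_k(x)
    return y is not None and hmac.compare_digest(y, mac(key, x))

if __name__ == "__main__":
    k = b"constructed-demo-key"                # constructed sample key
    tag = Tag(k, loc=(1200.0, 340.0))
    t_r, loc_r, x = reader_challenge(k, 1_000_000, (1180.0, 350.0))
    y = tag.on_challenge(1_000_002, t_r, loc_r, x)
    print("fresh challenge accepted:", reader_accepts(k, x, y))
    print("same challenge 60 s later:", tag.on_challenge(1_000_060, t_r, loc_r, x))
```

Every rejection path returns None without transmitting, which is the property the protocols rely on: an invalid query must not cause any backscatter.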
Protocol 3: Tag knows its location only
Suppose the tag and reader share a synchronized counter ct.
1. The reader sends: ct, loc_r; x = MAC_k(ct, loc_r)
2. If this is correct, the tag responds with: y = MAC_k(x) and updates the counter.
If y is correct, the reader accepts the tag.

Protocol 3: Tag knows its location only
Problem: Counter values must be synchronized.
Can be done: the tag must always store the one-but-last value of the counter, and update it only if the reader sends the current value of the counter in Step 2.
[Update at tag in Step 2 if ct = ct_cur: ct_old ← ct_cur ← next(ct_cur)]

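Added example (not from the original slides): a model of Protocol 3's counter handling, showing how keeping ct_old lets the reader and tag resynchronize after a lost reply. HMAC-SHA256 as MAC_k, next(ct) = ct + 1, planar coordinates in metres, the max_dist threshold and the Tag / Reader class names are assumptions made for illustration.

```python
import hashlib
import hmac
import math
import struct

def mac(key, data):
    # MAC_k instantiated with HMAC-SHA256 (assumption; the slides leave MAC_k abstract)
    return hmac.new(key, data, hashlib.sha256).digest()

def challenge_mac(key, ct, loc_r):
    # x = MAC_k(ct, loc_r) over a fixed-width encoding (assumed format)
    return mac(key, struct.pack(">Qdd", ct, *loc_r))

class Tag:
    def __init__(self, key, loc, ct=0, max_dist=100.0):
        self.key, self.loc, self.max_dist = key, loc, max_dist
        self.ct_old = self.ct_cur = ct         # one-but-last and current counter

    def on_challenge(self, ct, loc_r, x):
        """Return y = MAC_k(x), or None, meaning the tag stays silent."""
        if ct not in (self.ct_old, self.ct_cur):
            return None                        # counter outside the two-value window
        if math.dist(self.loc, loc_r) > self.max_dist:
            return None                        # claimed reader position too far away
        if not hmac.compare_digest(x, challenge_mac(self.key, ct, loc_r)):
            return None                        # not an authorized reader
        if ct == self.ct_cur:                  # ct_old <- ct_cur <- next(ct_cur)
            self.ct_old, self.ct_cur = self.ct_cur, self.ct_cur + 1
        return mac(self.key, x)

class Reader:
    def __init__(self, key, ct=0):
        self.key, self.ct = key, ct

    def challenge(self, loc_r):
        return self.ct, loc_r, challenge_mac(self.key, self.ct, loc_r)

    def on_response(self, x, y):
        # Advance the counter only after a valid y; a lost reply leaves it unchanged
        ok = y is not None and hmac.compare_digest(y, mac(self.key, x))
        if ok:
            self.ct += 1
        return ok

if __name__ == "__main__":
    k = b"constructed-demo-key"                # constructed sample key
    tag, reader = Tag(k, (10.0, 20.0)), Reader(k)
    tag.on_challenge(*reader.challenge((15.0, 25.0)))   # reply lost in transit
    c = reader.challenge((15.0, 25.0))                  # retry with the same ct
    print(reader.on_response(c[2], tag.on_challenge(*c)), reader.ct, tag.ct_cur)
```

In this model a challenge carrying ct_old remains answerable until the next completed round, so a recorded Step 1 message can still elicit a response during that window.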
The tag does not know the time or its location
Localization privacy cannot be achieved when the tags are static and neither temporal nor location information is available.

The adversary A
- A can eavesdrop on, and schedule, all communication channels
  - Adapt model to allow for localization technologies and radio jamming technologies
- A must eavesdrop on at least one complete localization to localize a tag
  - Tags must backscatter; they cannot be capacitive or inductive.

The adversary A
- A can be ubiquitous or local
  - With ubiquitous adversaries we can have localization privacy for the first interrogation only
  - With local adversaries we can have localization privacy for multiple tag interrogations, but the model is weak

Theorems
- Protocol 1 provides implicit mutual authentication with localization privacy for one-time tag interrogation applications against a ubiquitous adversary. For applications where the tags may be interrogated several times we only get weak localization privacy.
- Protocol 2 provides implicit mutual authentication with localization privacy for one-time tag interrogation applications against a ubiquitous adversary. For applications where the tags may be interrogated several times we only get weak localization privacy.
- Protocol 3 provides only implicit mutual authentication with weak localization privacy, unless highly synchronized clocks are available.
- Localization privacy cannot be achieved when the tags are

Secure localization
- Privacy: unlinkability
- Integrity: the effect of radio jamming attacks and localization/NLJ attacks
- Availability: the effect of radio jamming and localization/NLJ attacks

Any questions?
Publications: http://www.cs.fsu.edu/~burmeste/pubs.html