RFID Security & Privacy at both Physical and System Levels
Presentation to IoT-GSI, 26th August 2011
Robert H. Deng & Yingjiu Li
School of Information Systems, Singapore Management University
2021/10/19

RFID Security & Privacy at Physical Level

Radio Frequency IDentification (RFID)
• Tags (transponders): attached to objects, “call out” identifying data on a special radio frequency
• Reader (transceivers): read data off tags without direct contact
• Database: match tag IDs to physical objects
[Diagram: Tags – radio signal (contactless), authenticate / identify – Reader – read / update – Database]

RFID Security Issues
• Tag Authentication
  – Only valid tags are accepted by a valid reader
• Reader Authentication
  – Only valid readers are accepted by valid tags
  – Not always required but mandatory in some applications (e.g., e-tickets)
• Availability
  – Infeasible to manipulate honest tags such that honest readers do not accept them

RFID Privacy Issues
• Privacy issues
  – Adversaries identify tags
  – Adversaries track tags
• Privacy requirements
  – Anonymity: Confidentiality of the tag identity
  – Untraceability: Unlinkability of the tag’s transactions
[Diagram: Tags – radio signal (contactless) – Reader]

RFID Privacy Preserving Authentication Protocol Design
[Diagram: messages exchanged between Tag T and Reader R: c, r, f (optional)]
• Security requirements
  – One way or mutual authentication
• Privacy requirements
  – Anonymity: Confidentiality of the tag identity
  – Untraceability: Unlinkability of the tag’s transactions

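The c / r / f message pattern above, as an added example that is not taken from the slides. It assumes the reader sends c, the tag answers r, and the reader optionally sends f, and it uses HMAC-SHA256 as a stand-in keyed function; the class names, key database and tag IDs are constructed for illustration.

```python
import hashlib, hmac, os

def prf(key: bytes, label: bytes, c: bytes, nt: bytes) -> bytes:
    # HMAC-SHA256 stands in for the keyed function (assumption, not from the slides).
    return hmac.new(key, label + c + nt, hashlib.sha256).digest()

class Tag:
    def __init__(self, key: bytes):
        self._key = key
        self._session = None

    def respond(self, c: bytes):
        nt = os.urandom(16)          # fresh nonce: r differs in every session
        self._session = (c, nt)
        return nt, prf(self._key, b"tag", c, nt)   # r carries no tag ID

    def accept_reader(self, f: bytes) -> bool:
        c, nt = self._session
        return hmac.compare_digest(f, prf(self._key, b"reader", c, nt))

class Reader:
    def __init__(self, db: dict):
        self._db = db                # tag ID -> shared key (constructed sample data)

    def challenge(self) -> bytes:
        return os.urandom(16)

    def identify(self, c: bytes, r):
        nt, mac = r
        # The reader tries every key: cost grows linearly with the number of tags.
        for tag_id, key in self._db.items():
            if hmac.compare_digest(mac, prf(key, b"tag", c, nt)):
                return tag_id, prf(key, b"reader", c, nt)   # f, for mutual auth
        return None, None

def run_session(reader: Reader, tag: Tag):
    c = reader.challenge()           # message 1: c
    r = tag.respond(c)               # message 2: r
    tag_id, f = reader.identify(c, r)
    reader_ok = f is not None and tag.accept_reader(f)   # message 3: f (optional)
    return tag_id, r, reader_ok

# Constructed sample database of two tags.
KEYS = {"pallet-17": os.urandom(32), "pallet-42": os.urandom(32)}
```

Because r is bound to the reader's fresh c, a recorded response fails against a later challenge, and two sessions of the same tag produce unrelated-looking responses.
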
Cryptographic Protocols for RFID Privacy
• Numerous lightweight RFID protocols for low-cost tags have been proposed
• They use simple operations (XOR, bit inner product, CRC, etc.)
• Most of them have been broken (T. van Deursen and S. Radomirovic: Attacks on RFID Protocols, ePrint Archive: Report 2008/310)

Recent Progress: RFID Privacy Models
• Ind-privacy: indistinguishability of two tags (Juels & Weis, PerCom 2007)
  – Ideal model, but not easy to work with
• Unp-privacy: unpredictability of protocol messages (Ha, Moon, Zhou & Ha, ESORICS 2008), (Ma, Li, Deng, Li, CCS 09)
  – Only works with symmetric key based protocols
• ZK-privacy model: Zero knowledge model (Deng, Li, Yung, Zhao, ESORICS 2010)
  – Output of real world experiment and output of simulated world experiment are indistinguishable
  – Works with both symmetric key and public key protocols

RFID Security & Privacy at System Level

An IoT Architecture for Sharing RFID Information
[Diagram: User – Query/Answer – Internet – Information service and Discovery service; Enterprise information systems (RFID readers, RFID tags) – Publish/Update – Information service and Discovery service]

Security and Privacy
• Security: Identification/authentication of involved parties
  – Users, discovery services, information services
• Privacy: Only authorized parties can access RFID data as needed
  – Query, read, write, update, delete
• Solution: Access control
  – Policy management, enforcement, implementation

Access Control Requirements
• Cross domain
  – RFID data to be shared are managed by different parties (IS and DS)
• Unknown users
  – Query issuer may not have prior business relationship or be known to data holders
• Visibility
  – Access to RFID data is based on supply chain information
• Compatibility
  – Access control can be easily enforced in web services and database systems

Existing Access Control Models
• Discretionary access control (DAC)
• Mandatory access control (MAC)
• Role based access control (RBAC)
• Attribute based access control (ABAC)
[Diagram: Subject – Access – Object]

Comparison
Columns: Cross Domain, Unknown users, Visibility, Compatibility
DAC √ Χ Χ Χ
MAC Χ Χ
RBAC Χ Χ
ABAC √ √

Current Effort
• Data Discovery Requirements Document (EPCglobal draft, 2009)
  – Description of requirements on RFID discovery services, including data confidentiality, integrity and access control
• A framework of components for access control in data discovery services (BRIDGE final report, 2009)
  – Focus on networked services for inter-company operation of supply chains
• Our current work
  – Design secure discovery services and implement the whole system in Singapore