Jaap-Henk Hoepman TNO ICT, Groningen, the Netherlands [email protected] Digital Security...
-
Upload
sade-goodison -
Category
Documents
-
view
214 -
download
0
Transcript of Jaap-Henk Hoepman TNO ICT, Groningen, the Netherlands [email protected] Digital Security...
Jaap-Henk Hoepman
TNO ICT, Groningen, the Netherlands [email protected]
Digital Security (DS)Radboud University Nijmegen, the Netherlands
[email protected] / www.cs.ru.nl/~jhh
Privacy & The Internet of ThingsHow to keep the good
and make the bad less ugly
Jaap-Henk Hoepman // TNO ICT / Radboud University Nijmegen //
Privacy and the Internet of Things5-2-2010
Jaap-Henk Hoepman // TNO ICT / Radboud University Nijmegen //
Privacy and the Internet of Things
Paradigm shift
5-2-2010
Jaap-Henk Hoepman // TNO ICT / Radboud University Nijmegen //
Privacy and the Internet of Things
RFID = a lot of things.....
5-2-2010
NFC
Jaap-Henk Hoepman // TNO ICT / Radboud University Nijmegen //
Privacy and the Internet of Things
The Internet Of Things
5-2-2010
The virtual world and the real world are no
longer seperated
Jaap-Henk Hoepman // TNO ICT / Radboud University Nijmegen //
Privacy and the Internet of Things
Where do I come from....
5-2-2010
Jaap-Henk Hoepman // TNO ICT / Radboud University Nijmegen //
Privacy and the Internet of Things
The good
5-2-2010
Timo Arnall : http://www.elasticspace.com/
http://www.nabaztag.com//
Jaap-Henk Hoepman // TNO ICT / Radboud University Nijmegen //
Privacy and the Internet of Things
... and where may this all go to?
5-2-2010
Jaap-Henk Hoepman // TNO ICT / Radboud University Nijmegen //
Privacy and the Internet of Things
The bad
5-2-2010
Jaap-Henk Hoepman // TNO ICT / Radboud University Nijmegen //
Privacy
Privacy concerns
xx-xx-xxxx
orwell / big brother chandler / little sister kafka / the trial
Jaap-Henk Hoepman // TNO ICT / Radboud University Nijmegen //
Privacy and the Internet of Things
Security concerns as well
Confidentiality● Corporate espionage
Integrity● Data out of sync
Authenticity● Cloning
● Detach/swap
Availability● Jamming
● ...
5-2-2010
Jaap-Henk Hoepman // TNO ICT / Radboud University Nijmegen //
Privacy and the Internet of Things
EC Recommendation 12-5-2009
5-2-2010
Don’t kill the Internet of Things !
Jaap-Henk Hoepman // TNO ICT / Radboud University Nijmegen //
Privacy and the Internet of Things
How to avoid the kill and make the bad less ugly
Give people agency● RFID Guardian
● Privacy Coach
Use privacy enhancing technologies● Mutual authentication
● Conditional access
● ...
5-2-2010
Jaap-Henk Hoepman // TNO ICT / Radboud University Nijmegen //
Privacy and the Internet of Things
Agency
5-2-2010
“Tags should not be used on people but
used by people”
former Commisioner Viviane Reding
Jaap-Henk Hoepman // TNO ICT / Radboud University Nijmegen //
The RFID Privacy Coach
04-12-2009
The RFID Privacy Coach
privacy preference
privacy policy
NFCenabledphone
Goal – give consumers control over RFID
http://www.privacy-coach.org
Jaap-Henk Hoepman // TNO ICT / Radboud University Nijmegen //
Policies? Preferences?
Example of a policy● ACME Ltd registeres the type of pasta you buy
when buy a can of peeled tomatoes
● ACME Ltd will offer discounts to people that wear a FOOBAR watch
Example of a preference● I do not want offers based on the tags I carry
(note that FOOBAR watches should give permission to ACME Ltd for reading their tags)
● I allow anonymous profiling
04-12-2009
The RFID Privacy Coach
Jaap-Henk Hoepman // TNO ICT / Radboud University Nijmegen //
How does it work?
04-12-2009
The RFID Privacy Coach
network independentprivacy policyprovider
tag number
tag policy
RFID tag
databasetag policies
consumerpreference
Jaap-Henk Hoepman // TNO ICT / Radboud University Nijmegen //
Privacy and the Internet of Things
Privacy enhancing technologies
Limitations● limited resources
● no central authority
● practicalityno key search
Requirement● acknowledge lifecycle!
5-2-2010
Jaap-Henk Hoepman // TNO ICT / Radboud University Nijmegen //
Privacy and the Internet of Things
Object-oriented model
Object owner● grants permission to
object
tag owner● grants access to tag
5-2-2010
caller
Jaap-Henk Hoepman // TNO ICT / Radboud University Nijmegen //
Privacy and the Internet of Things
Practical authentication protocol
Symmetric key authentication● using diversified access key
Re-encryption of tag identifier t● ● ● new id becomes● tag only accepts when properly authenticated
Protection against stolen readers● Domain gets new re-encryption key for each epoch● Tag stores last seen epoch● Keep old keys for old
5-2-2010
Jaap-Henk Hoepman // TNO ICT / Radboud University Nijmegen //
Privacy and the Internet of Things5-2-2010
Reader Tag
Jaap-Henk Hoepman // TNO ICT / Radboud University Nijmegen //
Privacy and the Internet of Things
Properties
No trusted hardware for tags● Each tag has different symmetric key
Reader does not have to search all keys● Diversification
Tags untraceable before/after succesful authentication● Re-encryption
Any reader can update all identifiers● Universal re-encryption ● But reader needs to know at least one access key
5-2-2010
Jaap-Henk Hoepman // TNO ICT / Radboud University Nijmegen //
Privacy and the Internet of Things
References
IFIP WG 11.2 “Pervasive systems security”● http://www.cs.ru.nl/ifip-wg11.2/
Council – a thinktank on the IoT● http://www.theinternetofthings.eu
5-2-2010
Jaap-Henk Hoepman // TNO ICT / Radboud University Nijmegen //
Discussion
04-12-2009
The RFID Privacy Coach
[Monty Python’s Argument Clinic sketch]