Protection of the User’s Privacy in Ubiquitous E-ticketing...
Transcript of Protection of the User’s Privacy in Ubiquitous E-ticketing...
Faculty of Computer Science Chair of Privacy and Data Security
Protection of the User’s Privacy in
Ubiquitous E-ticketing Systems based on
RFID and NFC Technologies
Ivan Gudymenko
Status talk, 12 June 2013
Outline
Introduction
Privacy Issues in E-ticketing Systems
Academic Solutions: State of the art
A Privacy-preserving E-ticketing System with Regular BillingSupport (PEB)
References
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 2
Outline
Introduction
Privacy Issues in E-ticketing Systems
Academic Solutions: State of the art
A Privacy-preserving E-ticketing System with Regular BillingSupport (PEB)
References
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 3
Target Area
• Ubiquitous Computing (UbiComp);
– Based on RFID/NFC;
• Focus on electronic ticketing (e-ticketing).
→ Privacy protection.
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 4
E-ticket Taxonomy and Dissertation Focus
public transport
event ticketing
fitness & leisure fitness studios
ski pass
concerts
sport eventsONLINE TICKET
E-ticket
Smart ticket
2.Smartticket1.Onlineticket
E-ticket
• Focus on public transport
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 5
E-ticketing in Public Transport
[Courtesy of MunsterscheZeitung.de]
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 6
E-ticketing: A General Application Scenario
E-ticket
Distribution
TripBegin
E-ticketOn-boardReader(Terminal)
EventProcessingUnit(e.g.GPS-based)
E-ticketCheck-in
Back-endSystem
-EventStorage
-DistanceCalculation
-Billing
-CustomerAccounts
Management
-Statistics
TravelRecords
(1) (2a) (2b) (3)
Check-out
E-ticket
Smartcard
NFCE-tic
ket
Smartcard
NFC
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 7
Fare Collection Approaches in E-ticketing
Farecollection
approaches
1.ElectronicPaperTicket(EPT)
2.Check-in/Check-outbased(CICO)
a)PureCICO b)SeamlessCICO
i.Walkin/Walkout(WIWO)
ii.Bein/Beout(BIBO)
• Focus on CICO-based systems
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 8
E-ticketing: Technologies and Standards
• RFID-based stack (proximity cards);
• NFC stack (NFC-enabled devices);
• Recently, CIPURSE by OSPT (Open Standard forPublic Transport).
RFID-basedE-TicketingStack
Architecture
DataInterfaces
CommunicationInterface
ISOEN24014-1(conceptualframework)
EN15320(logicallevel,abstractinterface,security)
EN1545(dataelements)
ISO/IEC7816-4(commands,security)
ISO14443(parts1-3required)
TheNFCForum
Architecture
TheNFCForum
Specifications
E-ticket
Smartcard
NFC
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 9
Target Area: Summary
• E-ticketing systems for public transport;
• ”Smart ticket” (as opposed to online ticket);
• CICO for automated fare collection;
• Underlying technologies: RFID/NFC.
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 10
E-ticketing: Concerns
• For transport companies
– High system development/deployment costs;– Lack of well-standardized solutions;– New infrastructure is a high risk investment;– Possibly low Return of Investment (ROI).
• For customers
– Reluctance to using a conventional system in a newway;
– Privacy concerns:• Ubiquitous customer identification;• Customer profiling (esp. unconsented);• Increased surveillance potential.
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 11
Outline
Introduction
Privacy Issues in E-ticketing Systems
Academic Solutions: State of the art
A Privacy-preserving E-ticketing System with Regular BillingSupport (PEB)
References
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 12
Privacy Protection: Motivation
• Rising privacy concerns in public;
• Motivation to invest in privacy for transport companies;
• A privacy-preserving solution is of mutual benefit forboth parties:
– Higher acceptance among customers;– Transport companies retain competitiveness.
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 13
Generic Privacy Threats in E-ticketing Systems
1. Unintended customer identification:
a) Exposure of the customer ID:
i. Personal ID exposure (direct identification);
ii. Indirect identification through the relevant object’s ID.
b) Exposure of a non-encrypted identifier during theanti-collision session;
c) Physical layer identification (RFID fingerprinting).
2. Information linkage;
3. Illegal customer profiling.
→ A cross-layered set of countermeasures required.
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 14
Protecting User Privacy: Problems
• Customer privacy is not in primary focus ofstandardization effort;
• Several tailor-made solutions (in add-on fashion);
• No holistic approach treating privacy from an outset (inreal systems)
→ Privacy by Design is required.
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 15
A Privacy-preserving E-ticketing System: Reqs
(1) Privacy
(a) Against terminalsIdentification: no
Correlation: no
(b) Against back-endIdentification: no
Correlation: yes
(c) Against observers PII Derivation: no
(2) Billing
(a) Regular Billing Regular billing support
(b) Billing Correctness In accordance with fare policy
(3) Efficiency Check-in/out events handling
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 16
A General System Architecture and Requirements:An Overview
... ...
Terminal1
Terminal2
Terminaln
TerminalsE-tickets
Real-time Non-real-time
E-ticket1
E-ticket2
E-ticketn
Back-end
Check-in/out BackboneNetwork
TRProcessing:-Singulation-Billing-Identification
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 17
A General System Architecture and Requirements:An Overview (1)
(1) Privacy
(a) Against terminalsIdentification: no
Correlation: no
... ...
Terminal1
Terminal2
Terminaln
TerminalsE-tickets
Real-time Non-real-time
E-ticket1
E-ticket2
E-ticketn
Back-end
Check-in/out BackboneNetwork
TRProcessing:-Singulation-Billing-Identification
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 18
A General System Architecture and Requirements:An Overview (2)
(1) Privacy
(b) Against back-endIdentification: no
Correlation: yes
... ...
Terminal1
Terminal2
Terminaln
TerminalsE-tickets
Real-time Non-real-time
E-ticket1
E-ticket2
E-ticketn
Back-end
Check-in/out BackboneNetwork
TRProcessing:-Singulation-Billing-Identification
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 19
A General System Architecture and Requirements:An Overview (3)
(1) Privacy(c) Against observers PII Derivation: no
... ...
Terminal1
Terminal2
Terminaln
TerminalsE-tickets
Real-time Non-real-time
E-ticket1
E-ticket2
E-ticketn
Back-end
Check-in/out BackboneNetwork
TRProcessing:-Singulation-Billing-Identification
ExternalObserver
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 20
A General System Architecture and Requirements:An Overview (4)
(2) Billing
(a) Regular Billing Regular billing support
(b) Billing Correctness In accordance with fare policy
... ...
Terminal1
Terminal2
Terminaln
TerminalsE-tickets
Real-time Non-real-time
E-ticket1
E-ticket2
E-ticketn
Back-end
Check-in/out BackboneNetwork
TRProcessing:-Singulation-Billing-Identification
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 21
A General System Architecture and Requirements:An Overview (5)
(3) Efficiency Check-in/out events handling
... ...
Terminal1
Terminal2
Terminaln
TerminalsE-tickets
Real-time Non-real-time
E-ticket1
E-ticket2
E-ticketn
Back-end
Check-in/out BackboneNetwork
TRProcessing:-Singulation-Billing-Identification
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 22
Main Goals/Research Questions
RQ: How to build a privacy-preserving e-ticketing systemwith the following properties?
(1) Loose-coupling between front-end and back-end(scaling);
(2) Offline e-ticket validation at the terminal side:
– Valid e-tickets remain anonymous to the terminal;– Invalid e-tickets must be rejected.
(3) Privacy-preserving travel records processing in back-end:
– With regular billing support for personalized tickets;– Preventing direct identification (pseudonymization).
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 23
Outline
Introduction
Privacy Issues in E-ticketing Systems
Academic Solutions: State of the art
A Privacy-preserving E-ticketing System with Regular BillingSupport (PEB)
References
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 24
Important Evaluation Criteria
• Mutual authentication between terminals and e-ticket;
• E-ticket anonymity/untraceability against terminals;
• Trust assumptions (esp. concerning terminals);
• Back-end coupling (close/loose);
• Regular billing support.
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 25
Solutions Taxonomy: Outline
E-ticketingSystems
Close-coupled Loosely-coupled
AsymmetricCrypto
Linear
O(n)
Logarithmic
~O(logn)
Constanttime
O(1)
SymmetricCrypto
FullyOffline Semi-offline
Asymmetric
Crypto
Symmetric
Crypto
Asymmetric
Crypto
Symmetric
Crypto
E-cashbasedReader-specific
TagAccessLists
FullDBon
aterminalE-cashbased E-cashbased
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 26
Solutions Taxonomy: Detailed
E-ticketingSystems
Close-coupled Loosely-coupled
AsymmetricCrypto
Linear
Ohnf
Logarithmic
~Ohlognf
Constanttime
OhYf
Precomputation
(T-MTrade-off)
Precomputed
Look-uptable
HCDF
[HvBenjaminetalv]
SymmetricCrypto
YptimePseudop
nyms[SWM]
LpTierDB
[Alomairetalv]
Treestructure
[MWW]
Matrixstructv
[Cheonetalv]
Bloomfilters
[Noharaetalv]
OSKImproved
[Avoineetalv]
OSK
[Okuboetalv]
SWMProtocol
[SongWMitchell]
Secrets
Ordering
FullyOffline Semi-offline
Asymmetric
Crypto
Symmetric
Crypto
Asymmetric
Crypto
Symmetric
Crypto
E-cash
based
Reader-specific
TagAccessLists
FullDBon
aterminal
PAYG
[Baldimtsietalv]
TanSL
[Tanetalv]ALM
[Avoineetalv]
GR
[GarciaWRossum]
E-cash
basedE-cashbased
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 27
Solutions Taxonomy: Close-coupled Systems
E-ticketingSystems
AsymmetricCrypto
Linear
Ohnf
Logarithmic
~Ohlognf
Constanttime
OhYf
Precomputation
(T-MTrade-off)
Precomputed
Look-uptable
HCDF
[HvBenjaminetalv]
SymmetricCrypto
YptimePseudop
nyms[SWM]
LpTierDB
[Alomairetalv]
Treestructure
[MWW]
Matrixstructv
[Cheonetalv]
Bloomfilters
[Noharaetalv]
OSKImproved
[Avoineetalv]
OSK
[Okuboetalv]
SWMProtocol
[SongWMitchell]
Secrets
Ordering
E-cashbased
Close-coupled
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 28
Okubo et al. (OSK Protocol)
E-ticketingSystems
Close-coupled
Linear
OcnW
SymmetricCrypto
OSK
[OkuboetalI]
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 29
[Okubo et al., 2003]
Okubo et al. (OSK Protocol)
• Hash chain-based; two hash functions:
– H(): used for secret refreshment;– G (): used for untraceability against eavesdroppers.
• Hash chain for the i th tag:F : (i , k) 7→ r k
i = G(Hk−1
(s init
i
)).
GG
HHH
ai ai+1
si si+1
��
���Tag (E-ticket)
Reader (Terminal)
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 30
[Okubo et al., 2003]
OSK assessment
• Mutual authentication: no
• Untraceability against terminals: yes
• Terminals must be trusted: no
• Back-end coupling: tight
• Regular billing support: not considered
• Limited number of validations (by hash chain size k);
• Stateless by design;
• Serious scalability issues: O(kn).
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 31
Revised Song & Mitchel’s Protocol (RSM)
E-ticketingSystems
Close-coupled
Linear
Oxnf
SymmetricCrypto
SAMProtocol
[SongAMitchell]
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 32
[Song and Mitchell, 2011]
Revised Song & Mitchel’s Protocol (RSM)
• Each tag has a secret s and a pseudonym t : t = h(s);
• A keyed hash function serves for tag identification andauthentication (with tag pseudonym t as a key);
• The protocol is stateful;
• Refreshment of tag pseudonym and tag secret onsuccessful mutual authentication.
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 33
[Song and Mitchell, 2011]
RSM Assessment
• Mutual authentication: yes
• Untraceability against terminals: yes
• Terminals must be trusted: no
• Back-end coupling: tight
• Regular billing support: not considered
• Scalability issues remain: O(n).
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 34
RSM-based One-time Pseudonym Protocol
• Precomputed look-up table of one-time pseudonyms fortag identification:
– Tag identification complexity O(1);
• Tag authentication is performed similarly to RSM;
• Requires re-initialization when the pseudonyms pool isexhausted.
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 35
[Song and Mitchell, 2011]
Heydt-Benjamin et al. (HCDF)
E-ticketingSystems
Close-coupled
AsymmetricCrypto
E-cashbased
HCDF
[HvBenjaminetalv]
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 36
[Heydt-Benjamin et al., 2006]
Heydt-Benjamin et al. (HCDF)
• Based on e-cash, anonymous credentials, and proxyre-encryption.
• Explicitly considers public transport (a holisticframework);
• Two types of tickets:
(1) Temporally-bounded;(2) Stored-value.
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 37
[Heydt-Benjamin et al., 2006]
Heydt-Benjamin et al. (HCDF), continued
• On enter:
– For temporally-bounded tickets: one-show validitycredential;
– For stored value tickets: accept entrance cookie CE .
• On exit:
– For temporally-bounded. tickets: the same;– For stored value: reveal CE , calculate price (TA),
delete CE (T).
• On-the-fly price calculation on exit (for stored valueticket).
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 38
[Heydt-Benjamin et al., 2006]
HCDF Assessment
• Mutual authentication: no (not explicit)
• Untraceability against terminals: yes
• Terminals must be trusted: no
• Back-end coupling: tight
• Regular billing support: no
• Involves asymmetric crypto on tag (ZKP).
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 39
Close-coupled Systems: Summary
E-ticketingSystems
AsymmetricCrypto
Linear
Ohnf
Logarithmic
~Ohlognf
Constanttime
OhYf
Precomputation
(T-MTrade-off)
Precomputed
Look-uptable
HCDF
[HvBenjaminetalv]
SymmetricCrypto
YptimePseudop
nyms[SWM]
LpTierDB
[Alomairetalv]
Treestructure
[MWW]
Matrixstructv
[Cheonetalv]
Bloomfilters
[Noharaetalv]
OSKImproved
[Avoineetalv]
OSK
[Okuboetalv]
SWMProtocol
[SongWMitchell]
Secrets
Ordering
E-cashbased
Close-coupled
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 40
Close-coupled Systems: Pros
• Terminal simplicity.
• Less trust in terminals.
• Simple infrastructure.
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 41
Close-coupled Systems: Contras
• Scaling issues.
• Back-end must be online 24/7.
• Synchronization (statefulness, possibility of DoSattacks).
• Back-end is a bottleneck and single point of failure.
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 42
Other Solutions Are Necessary
→ Some kind of decentralization is required.
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 43
Solutions taxonomy: Loosely-Coupled Systems
E-ticketingSystems
Loosely-coupled
FullyOffline Semi-offline
Asymmetric
Crypto
Symmetric
Crypto
Asymmetric
Crypto
Symmetric
Crypto
E-cash
based
Reader-specific
TagAccessLists
FullDBon
aterminal
PAYG
[Baldimtsietalf]
TanSL
[Tanetalf]ALM
[Avoineetalf]
GR
[GarciaFRossum]
E-cash
based
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 44
Loosely-Coupled Systems: Semi-offline
E-ticketingSystems
Loosely-coupled
Semi-offline
Asymmetric
Crypto
Symmetric
Crypto
PAYG
[Baldimtsietalf]ALM
[Avoineetalf]
GR
[Garcia-Rossum]
E-cash
based
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 45
Avoine et al. (ALM)
E-ticketingSystems
Loosely-coupled
Semi-offline
Symmetric
Crypto
ALM
[AvoineetalI]
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 46
[Avoine et al., 2009]
Avoine et al. (ALM)
• Offline tag validation using challenge response;
• Reader-specific tag identification/authentication tuplesets (TS);
• TS are precomputed by trusted back-end and uploadedto readers;
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 47
[Avoine et al., 2009]
Avoine et al. (ALM): Keys
• Two key types:
– Long-term tag-specific key KT shared betweenback-end and a tag (is not known to readers);
– Session key kTR is computed on-the-fly by a tag;
• kTR = f (KT , IDR , cR)
• At the reader side, kTR resides in TS (precomputed);
• kTR is bounded to a specific (reader, tag) pair.
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 48
[Avoine et al., 2009]
ALM Assessment
• Mutual authentication: yes
• Untraceability against terminals: no
• Terminals must be trusted: yes
• Back-end coupling: semi-coupled (counter sync)
• Regular billing support: not considered
• Scalability issues are shifted to the reader side:
– O(n) complexity to locally identify/authenticate a tag.
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 49
Baldimtsi et al. (PAYG)
E-ticketingSystems
Loosely-coupled
Semi-offline
Asymmetric
Crypto
E-cash
based
PAYG
[BaldimtsietalI]
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 50
[Baldimtsi et al., 2012]
Baldimtsi et al. (PAYG)
• Based on e-cash and anonymous credentials;
• Explicitly considers public transport;
• Single trip tickets only;
• Unique ID is encoded into the Trip Authorization Token(TAT) against double spending.
– The knowledge of the encoded ID must be proved inZK on check-in.
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 51
[Baldimtsi et al., 2012]
Baldimtsi et al. (PAYG): System Architecture
• Online vending machines (TAT issuing, refundreimbursement)
• Offline check-in terminals:
– TAT validity check;– Issuance of a Refund Calculation Token (RCT).
• Offline check-out terminals:
– Terminal-side fare calculation;– Refund top-up.
• Variable pricing by attribute encoding;
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 52
[Baldimtsi et al., 2012]
PAYG: Issues to Consider
• Refund-based system (refund aggregation into RefundToken);
• Nuisance for users (additional effort for refundreimbursement);
• All reimbursed refund tokens must be stored in back-endto prevent refund double spending (for each single trip);
• Actual fare calculation during check-out (no complexpricing schemes possible);
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 53
PAYG: Assessment
• Mutual authentication: no
• Untraceability against terminals: yes
• Terminals must be trusted: no
• Back-end coupling: semi-coupled
• Regular billing support: no
• Involves asymmetric crypto on tag (ZKP).
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 54
Loosely-Coupled Systems: Fully-offline
E-ticketingSystems
Loosely-coupled
FullyOffline
Asymmetric
Crypto
Symmetric
Crypto
E-cash
based
Reader-specific
TagAccessLists
FullDBon
aterminal
TanSL
[Tanetalp]
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 55
Tan et al. (TanSL)
E-ticketingSystems
Loosely-coupled
FullyOffline
Symmetric
Crypto
Reader-specific
TagAccessLists
TanSL
[Tanetalp]
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 56
[Tan et al., 2007]
Tan et al. (TanSL)
• A basis for a more profound protocol
– ALM by Avoine et al.
• Reader-specific tag access list (as in ALM);
• Authentication is bound to a concrete (reader, tag) pair;
• Fully offline tag identification and authentication;
• No regular secret refreshment (unlike ALM);
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 57
[Tan et al., 2007]
TanSL: Assessment
• Mutual authentication: yes
• Untraceability against terminals: no
• Terminals must be trusted: yes
• Back-end coupling: fully offline
• Regular billing support: not considered
• Scalability issues are shifted to the reader side:
– O(n) complexity to locally identify/authenticate a tag.
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 58
Loosely-coupled Systems: Summary
E-ticketingSystems
FullyOffline Semi-offline
Asymmetric
Crypto
Symmetric
Crypto
Asymmetric
Crypto
Symmetric
Crypto
E-cash
based
Reader-specific
TagAccessLists
FullDBon
aterminal
PAYG
[Baldimtsietalf]
TanSL
[Tanetalf]ALM
[Avoineetalf]
GR
[GarciaFRossum]
E-cash
based
Loosely-coupled
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 59
Loosely-coupled Systems: Pros
• Loosely coupled system components
– Better scaling (compared to close-coupled systems);
• Terminal-side e-ticket validation (efficiency);
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 60
Loosely-coupled Systems: Contras
• More intelligence at the terminal side is required;
• Contradicting requirements:
– Validate e-tickets;– Without identifying/tracking them.
• Terminals operate on the tag data containingidentifiable information;
→ Privacy – validation trade-off.
• Decentralized infrastructure is harder to manage(updates, uploads, etc.).
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 61
State-of-the-art: Final Overview
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 62
CriteriaThe most relevant approaches Reviewed
PAYG[1] HCDF[2] SVW[3] GR[4] ALM[5] OSK[6] RSMP[7]
Explicitly cons. PT yes yes yes yes no no no
Anonym. against term. yes yes p no no yes yes
Untraceab. against term. yes yes p no no yes yes
Mutual authentication no no no no yes no yes
CryptoPrimitivesUsed
Symmetric no yes yes yes yes no yes
Hash yes yes no yes no yes yes
Asymmetric yes yes p no no no no
Back-endCoupling
Tight – yes – – – yes yes
Semi-coupl. yes – – yes yes – –
Loose – – yes – – – –
Tamp. resist. required ∅ ∅ p ∅ ∅ no no
Regular billing no no no ∅ ∅ ∅ ∅
Involves extern. device no no/p yes no no no no
BE is trusted no no yes yes yes yes yes
ATs are trusted no no yes yes yes no no
Revocation is possible yes yes yes yes yes yes yes
Dynamic extensibility yes yes yes no no yes no
CriteriaThe most relevant approaches Reviewed
PAYG[1] HCDF[2] SVW[3] GR[4] ALM[5] OSK[6] RSMP[7]
Explicitly cons. PT yes yes yes yes no no no
Anonym. against term. yes yes p no no yes yes
Untraceab. against term. yes yes p no no yes yes
Mutual authentication no no no no yes no yes
CryptoPrimitivesUsed
Symmetric no yes yes yes yes no yes
Hash yes yes no yes no yes yes
Asymmetric yes yes p no no no no
Back-endCoupling
Tight – yes – – – yes yes
Semi-coupl. yes – – yes yes – –
Loose – – yes – – – –
Tamp. resist. required ∅ ∅ p ∅ ∅ no no
Regular billing no no no ∅ ∅ ∅ ∅
Involves extern. device no no/p yes no no no no
BE is trusted no no yes yes yes yes yes
ATs are trusted no no yes yes yes no no
Revocation is possible yes yes yes yes yes yes yes
Dynamic extensibility yes yes yes no no yes no
State of the Art: Focused
CriteriaThe most relevant approaches Reviewed
PAYG[1] HCDF[2] SVW[3] GR[4] ALM[5] OSK[6] RSMP[7]
Anonymity terminals yes yes p no no yes yes
Untraceability terminals yes yes p no no yes yes
Mutual authentication no no no no yes no yes
Close-coupling no yes no no no yes yes
Regular billing no no no ∅ ∅ ∅ ∅
BE is trusted no no yes yes yes yes yes
ATs are trusted no no yes yes yes no no
Legend:∅ – not considered;p – partially provided;
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 65
Outline
Introduction
Privacy Issues in E-ticketing Systems
Academic Solutions: State of the art
A Privacy-preserving E-ticketing System with Regular BillingSupport (PEB)
References
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 66
Recall: System Requirements
(1) Privacy
(a) Against terminalsIdentification: no
Correlation: no
(b) Against back-endIdentification: no
Correlation: yes
(c) Against observers PII Derivation: no
(2) Billing
(a) Regular Billing Regular billing support
(b) Billing Correctness In accordance with fare policy
(3) Efficiency Check-in/out events handling
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 67
A Privacy-preserving E-ticketing System withRegular Billing Support (PEB)
• Protect privacy while allowing various pricing schemes inback-end;
• Pricing schemes are fully independent of systemarchitecture;
• A reasonable trade-off is allowed:
– In front-end. Different sessions between an e-ticket andterminal/s are completely unlinkable;
– In back-end. Back-end may correlate different sessionsto an e-ticket pseudonym.
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 68
Attacker Model
(1) (Outsider) No PII derivation by external observers(front-end sessions).
(2) (Insider) No tracking and identification of valid e-ticketsby terminals.
(3) (Insider) No direct identification by back-end.
→ Insider/outsider with respect to the involvement intothe system flow.
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 69
PEB: System Architecture
... ...
Terminal1
Terminal2
Terminaln
TerminalsE-tickets
2.MutualAuthent.
3.BLCheck
UpdateBL
Real-time Non-real-time
1.SCEstablishmentSendTRE-ticket1
E-ticket2
E-ticketn
Back-end
Check-in/out BackboneNetwork
TRProcessing:
-Singulation
-Billing
ExternalTTP
-UserIdentification-EndBilling
TransportAuthority(TA)
yBill,Pseudonym)
SendBill
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 70
PEB: Pseudonymization
• For each e-ticket, TTP creates a static pseudonym PTi ;
– Mapping PTi 7→ ID is kept secret by TTP;
• PTi is sent to TA;
• TA includes it into its static pseudonym set: PTi ∈ PT ;
• TA, therefore, operates only on pseudonyms in PT ;
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 71
PEB: Pseudonymization (continued)
• TA possesses an asymmetric key pair:(k+
ta, k−ta
);
• Front-end e-ticket pseudonyms: PAi = Ek+
ta
(PT
i
)– Required for terminal-side black list checking.
• E-tickets are parameterized with PAi ;
• E-ticket ↔ terminal: a session pseudonym on eachinteraction (anti-tracking): SPj = Ek+
ta
(PA
i · rj).
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 72
PEB: Pseudonymization (continued)
... ...
Terminal1
Terminal2
Terminaln
TerminalsE-tickets
2.MutualAuthent.
3.BLCheck
UpdateBL
Real-time Non-real-time
1.SCEstablishmentSendTRE-ticket1
E-ticket2
E-ticketn
Back-end
Check-in/out BackboneNetwork
TRProcessing:
-Singulation
-Billing
ExternalTTP
-UserIdentification-EndBilling
TransportAuthority(TA)
)Bill,Pseud.D SendBill
SP1SP2
SPj
...
Decrypt PiT
(Bill,PiT)
Decrypt IDPiT
(Bill,ID)
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 73
PEB: Privacy-preserving BL Checking
• Based on the inherent homomorphism of an encryptionscheme in use: PA
i = Ek+ta
(PT
i
);
• Malleability property: E (x · r) = E (x)r ;
• On validation, an e-ticket presents a tuple to a terminal:SPT ←
(E (x · r),E (r)
);
• Black list: {y : y ∈ BL};
• Check SPj against the BL:∀y ∈ BL,E (r) ∈ SPT : c ← E (r)y
c?= E (x · r) ∀c ∈ C .
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 74
BL Checking: A Choice of a Suitable Encryption
• Based on the discrete exponentiation function
• E (x) = g x (mod p)
• Malleability property:
E (x · r) = g (x ·r)
=(g x
)r
= E (x)r .
(mod p)
• Other inherently homomorphic deterministic schemespossible.
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 75
PEB: Discussion
• Loosely-coupled system;
• Mutual identification due to group signatures;
• Revocation: black lists:
– Encrypted black lists possible;– Alternatively, dynamic accumulators can be used [8].
• To enhance performance, anonymity set can be reducedin a controllable way;
• Our system fully satisfies the requirements.
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 76
State-of-the-art Overview and PEB
CriteriaThe most relevant approaches Reviewed
PAYG[1] HCDF[2] SVW[3] GR[4] ALM[5] OSK[6] RSMP[7] PEB
Anonymity terminals yes yes p no no yes yes yes
Untraceability terminals yes yes p no no yes yes yes
Mutual authentication no no no no yes no yes yes
Close-coupling no yes no no no yes yes no
Regular billing no no no ∅ ∅ ∅ ∅ yes
BE is trusted no no yes yes yes yes yes no
ATs are trusted no no yes yes yes no no no
Legend:∅ – not considered;p – partially provided;
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 77
Current Progress
• The first results were presented at PECCS-2013 inBarcelona (see [9]);
• The paper presenting the core architecture has beenaccepted to the IFIP-2013 Summer School.
• Contacts with industry: DVB are interested, Secunet;
• Supervision of two students helping to validate theconcept.
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 78
Outline
Introduction
Privacy Issues in E-ticketing Systems
Academic Solutions: State of the art
A Privacy-preserving E-ticketing System with Regular BillingSupport (PEB)
References
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 79
References I
[1] F. Baldimtsi, G. Hinterwalder, A. Rupp, A. Lysyanskaya, C. Paar, and W. P. Burleson, “Pay as you go,”in Workshop on hot topics in privacy enhancing technologies, HotPETSs 2012,http://petsymposium.org/2012/papers/hotpets12-8-pay.pdf, 2012.
[2] T. S. Heydt-Benjamin, H.-J. Chae, B. Defend, and K. Fu, “Privacy for Public Transportation,” inProceedings of the 6th international conference on Privacy Enhancing Technologies, PET’06, (Berlin,Heidelberg), pp. 1–19, Springer-Verlag, 2006.
[3] A.-R. Sadeghi, I. Visconti, and C. Wachsmann, “User Privacy in Transport Systems Based on RFIDE-Tickets,” in Workshop on Privacy in Location-Based Applications (PILBA 2008), vol. 5283 of LectureNotes in Computer Sciences, Springer-Verlag, October 2008.Malaga, Spain.
[4] F. Garcia and P. Rossum, “Modeling Privacy for Off-Line RFID Systems,” in Smart Card Research andAdvanced Application (D. Gollmann, J.-L. Lanet, and J. Iguchi-Cartigny, eds.), vol. 6035 of Lecture Notesin Computer Science, pp. 194–208, Springer Berlin Heidelberg, 2010.
[5] G. Avoine, C. Lauradoux, and T. Martin, “When Compromised Readers Meet RFID,” in InformationSecurity Applications (H. Y. Youm and M. Yung, eds.), vol. 5932 of Lecture Notes in Computer Science,pp. 36–50, Springer Berlin Heidelberg, 2009.
[6] M. Ohkubo, K. Suzuki, and S. Kinoshita, “Cryptographic Approach to ”Privacy-Friendly” Tags,” in InRFID Privacy Workshop, 2003.
[7] B. Song and C. J. Mitchell, “Scalable RFID security protocols supporting tag ownership transfer,”Comput. Commun., vol. 34, pp. 556–566, apr 2011.
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 80
References II
[8] J. Camenisch and A. Lysyanskaya, “Dynamic Accumulators and Application to Efficient Revocation ofAnonymous Credentials,” in Proceedings of the 22nd Annual International Cryptology Conference onAdvances in Cryptology, CRYPTO ’02, (London, UK, UK), pp. 61–76, Springer-Verlag, 2002.
[9] I. Gudymenko, “On Protection of the Users Privacy in Ubiquitous E-ticketing Systems Based on RFID
and NFC Technologies,” in 3d International Conference on Pervasive and Embedded Computing andCommunication Systems, PECCS-2013, pp. 86–91, feb 2013.
[10] A. Juels and R. Pappu, “Squealing Euros: Privacy Protection in RFID-Enabled Banknotes,” in FinancialCryptography 03, pp. 103–121, Springer-Verlag, 2002.
[11] T.-L. Lim, T. Li, and S.-L. Yeo, “Randomized Bit Encoding for Stronger Backward Channel Protection inRFID Systems,” in Proceedings of the 2008 Sixth Annual IEEE International Conference on PervasiveComputing and Communications, PERCOM ’08, (Washington, DC, USA), pp. 40–49, IEEE ComputerSociety, 2008.
[12] W. Choi and B.-h. Roh, “Backward Channel Protection Method for RFID Security Schemes Based onTree-Walking Algorithms,” in Computational Science and Its Applications - ICCSA 2006 (M. Gavrilova,O. Gervasi, V. Kumar, C. Tan, D. Taniar, A. Lagan, Y. Mun, and H. Choo, eds.), vol. 3983 of LectureNotes in Computer Science, pp. 279–287, Springer Berlin / Heidelberg, 2006.
[13] T.-L. Lim, T. Li, and S.-L. Yeo, “A Cross-layer Framework for Privacy Enhancement in RFID systems,”Pervasive and Mobile Computing, vol. 4, no. 6, pp. 889 – 905, 2008.
[14] I. Gudymenko, “Protection of the Users Privacy in Ubiquitous RFID Systems,” Master’s thesis,Technische Universitt Dresden, Faculty of Computer Science, December 2011.
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 81
Thank you for your attention!Questions? Comments?
Suggestions?
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 82
Backup Slides
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 83
E-ticketing: Main Advantages
• For transport companies
– decrease in system maintenance costs;– significant reduction of payment handling costs;– fare dodgers rate improvement;– better support of flexible pricing schemes;– support of multiapplication/nontransit scenarios;– a high interoperability potential.
• For customers
– faster verification of an e-ticket;– ”pay as you go”;– flexible pricing schemes;– increased usability.
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 84
Generic Countermeasures
Threats Countermeasures
1. Unintended customer identification:
a) Exposure of the customer ID:
i. Personal ID exposure (direct) Privacy-respecting authentication; ID encryp-tion/randomization; access-control functions [10]
ii. Indirect identification ID encryption
b) Unencrypted ID during anti-collision Randomized bit encoding [11]; bit collision mask-ing [12, 13] (protocol dependent)
c) PHY-layer identification Shielding; switchable antennas [14]
2. Information linkage Anonymization (in front-end and back-end): threat 1countermeasures; privacy-respecting data processing
3. Illegal customer profiling Privacy-respecting data storage (back-end); the sameas in threat 1
• Difficult to apply in a joint fashion.
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 85
Revised Song & Mitchel’s Protocol (RSM) [7]
S T[T : s, t, s, t] [t]Generate r1
r1−−− →Generate r2M1 = t⊕ r2M2 = ft(r1‖r2)
r1,M1,M2← −−−Find t in the DBs.t. M2 = ft(r1‖(M1 ⊕ t))
r2 = M1 ⊕ tM3 = s⊕ ft(r2‖r1)
r1,M3−−− →s← s s = M3 ⊕ ft(r2‖r1)t← t If h(s) = t,s← (s� l/4)⊕ (t� l/4)⊕ r1 ⊕ r2 t← h((s� l/4)⊕ (t� l/4)⊕ r1 ⊕ r2)t← h(s)
Figure 1: The revised SM protocol
• The look-up table contains a number of entries for each tag, one for eachelement of a tag-specific hash-chain. Elements from this hash-chain areused as tag identifiers (and as database keys to identify tags). A keyedhash function is used to generate each hash-chain, using a secret key sharedby the tag and server. The hash-chain length, m, determines the numberof tag identifiers that can be produced using any one key.
• The operation of the protocol (described in detail in section 5.3) can bedivided into three cases, as follows (see also Table 1):
1. Case 1: for each of the first m− 1 queries of a tag, the protocol pro-cess only involves tag authentication and requires just two messages.To authenticate a tag, the server searches a look-up table, takingconstant time.
2. Case 2: on the mth query of a tag, the protocol updates the secretsshared by the server and tag, as well as providing tag authentication.This process requires an additional message. The server takes O(1)work to authenticate a tag, as in case 1.
3. Case 3: if a tag is queried more than m times, which should not nor-mally happen, then a revised version of the SM protocol is performed;this requires the server to perform a linear search with complexityO(n).
• For server authentication (in cases 2 and 3), for each tag the server holdsa secret s that only it knows, as in the schemes presented in [12, 8].
11
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 86
HCDF: Session Description
Authorized Reader (F ) Ticket (TX)
t //
r ∈R {0, 1}lnS ← t||r
C ← EK+
TA(S)
Coo
C′ ← RE(C)S ← D
K−F(C′)
oo ES(transaction) //
Fig. 2. Authentication of reader to ticket using re-encryption (RE) allows F to trans-late ciphertext encrypted with K+
TA to ciphertext which can be decrypted with K−F .
Thus the private key of TA remains offline. This re-encryption can only happen if Fpossesses an appropriate non-expired delegation key. Proof of possession of this delega-tion key is the mechanism by which F demonstrates that it is authorized. This protocolprovides a secure channel while matching the resource constraints of the different de-vices.
demonstrates that it is authorized by using its delegation key to transform Cinto a form which it can then decrypt with its own private key. The fact that F isthen able to reply to TX with a well-formed message encrypted with session-keyS demonstrates that F is authorized (possesses a non-expired delegation key).
Once TX is satisfied that it is talking to an authorized reader it updates itslogical clock to value t. If it ever receives a communication with a timestamp lessthan t, the communication will be assumed to be adversarial, and the protocolwill be aborted. TX also uses t to refuse to divulge any information about cookiesit holds which have expired.
Since t increases monotonically (which can be monitored by HPDs, and dis-crepancies will also be eventually caught by passive transponders) and r is chosenby TX, neither F nor TX can cheat at this protocol in such a way as to make are-play attack possible. S can only be decrypted by a reader with an unexpireddelegation key (up to the strength of the underlying public-key and re-signaturecryptosystems). This suffices for the security (up to underlying primitives) ofthe challenge-response.
6.2 createT icket(TV, TX,U) → TX
Once the session key S is negotiated as discussed above, a stored-value ticket canbe created by calling CreateTokens(TV, TX, ν) resulting in a new wallet whichis then stored on TX. The protocol for creation of a temporally bounded ticketis similar, except that in place of CreateTokens, FormNym and GrantCredmust be executed with respect to some time interval λ which the user has chosen
• Session key generation: S ← t||r ;
• Exchange S using non-expired delegation key(re-encryption);
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 87
Avoine et al. (ALM)
Reader R Tag TIdR, cR IdT ,KT , cT
IdT , kTR = EKT (IdR, cR)
(1) IdR, cR, nR−−−−−−−−−−−−→EkTR
(nR,nT )←−−−−−−−−−−−− (2)
(3) nT−−−−−−−−−−−−→ (4)
Fig. 6. Authentication protocol.
Back-End B Reader RIdR, IdT ,KT , cB IdR, cR
IdT , kTR = EKT (IdR, cR)
(1)IdT , cup, kTRup−−−−−−−−−−−→ (2)
Fig. 7. Key update protocol.
Initialization. When the system is set up, each tag T is assigned with the followingvalues:
– a unique identifier IdT ,
– a long-term key KT ,
– three counters cB , cR and cT , initially synchronized and all equal to zero.
And during this set up, each reader R is assigned with the following values:
– a unique identifier IdR,
– for every tag T , its identifier and an encryption of its secret: IdT , kTR = EKT(IdR, cR).
B stores IdR, IdT , KT and cB .
R stores IdR, cR, IdT and kTR = EKT(IdR, cR).
T stores IdT , KT , cT .
Authentication. The authentication protocol consists of four steps (see Fig. 6):
(1) The reader sends to the tag its identifier IdR, the counter cR and a nonce nR.
(2) The tag checks the value cR it receives:
– If cR ≥ cT , it computes the key kTR = EKT(IdR, cR). Then, it picks a nonce
nT and answers the encryption EkTR(nR, nT ) to the reader.
– If cR < cT , the protocol aborts.
(3) The reader decrypts the received message with the symmetric key kTR, andverifies the value nR. Then, it sends to the tag the recovered value nT .
(4) T checks the validity of nT : if so and cR > cT , it updates cT to the value cR(cT ← cR).
• TS ← {(IDT , kTR)} ∀T
• kTR ← EKT(IDR , cR)
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 88
Tan et al. (TanSL)
(5) For every entry T in L, the reader computes H ′ = h(h(IdR||tT )||nR||nT ) withH ′ = Hb′||He′, and checks if Hb matches with Hb′:– If so and k ≤ �−b
2 , it sends to T the answer ansR to the question quesR.Thus, ansR represents the actual bits in positions ques1R, ques
2R, . . . , ques
kR
of He′.– Else it sends ansR = rand where rand is a random bit string of length k.
In turn, it sends a question quesT = (ques1T , ques2T , . . . , ques
kT ), built like quesR.
(6) The tag T checks if ansR is correct:– If so and {∀x, y, quesxR �= quesyT }, it sends to R the answer ansT to the
question quesT .– Else it sends ansT = rand.
(7) The reader R verifies the answer ansT .
Reader R Tag TIdR, L = [IdT : h(IdR||tT )] IdT , tT
(1) request−−−−−−−−−−−→nT←−−−−−−−−−− (2)
(3) IdR, nR−−−−−−−−−−→Hb, quesR←−−−−−−−−−− (4)
(5) ansR, quesT−−−−−−−−−−−→(7)
ansT←−−−−−−−−−−− (6)
Fig. 5. TanSL protocol.
4 Security Analysis
We now study the security of all the previous protocols in the different scenariosdefined in Section 2.
4.1 Tag Impersonation
As authentication protocols are designed by nature to be secure in the context ofScenario 1, we only focus in Section 4.1 on Scenario 2.
Scenario 2. For SK-based challenge/response protocols, once the adversary com-promised a reader, she knows all the secrets stored by the reader. She is so able toimpersonate any tag.
For signature schemes and zero-knowledge protocols (including GPS), the privatekey used to answer to the challenges is only known by the tag. Thus even if theadversary compromises a reader, she does not know the tags’ private keys. Shecannot impersonate them.
Regarding WIPR, an adversary who compromised a reader R knows its publicand private keys (n and (p, q)) and the tags’ identifiers. The result is that she willbe able to impersonate any tag to every reader.
For the TanSL protocol, an adversary can obtain from a compromised reader Rits identifier IdR and the list L containing all (IdT : h(IdR||tT )), for every tag T .The adversary will not be able to impersonate a tag T in front of any other non-compromised reader R′. Indeed, she does not know the tag’s secret tT , thus she isnot able to compute the symmetric key h(IdR′ ||tT ) shared between R′ and T .
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 89
Client-Side Fare Calculation: Toll Pricing
• Decentralized approach to fare calculation;
• Privacy preservation by client-side fare calculation;
• Enforcement through spot checks, ZKP of the validityof the committed values, etc.;
• The price calculation flow may be fairly complex(involves several noncolluding parties);
• Substantial computational and operational overhead forusers;
→ Does not suit well for a target e-ticketing system.
TU Dresden, 12 June 2013 Privacy Protection in E-ticketing slide 90