8/12/2019 RFID Tutorial 2011 Part IV (Outer Limits)

1/31

Introduction to RFIDSecurity and

Privacy

Ari JuelsChief Scientist

RSA, The Security Divisionof EMC

RFIDSec 2011 Tutorial

slides 2011, RSA L !or tories

8/12/2019 RFID Tutorial 2011 Part IV (Outer Limits)

2/31

P a r t I V :T h e O u t e r L i m i t s o f

R F I D S e c u r i t y

All slides 2006 RSA Laboratories

8/12/2019 RFID Tutorial 2011 Part IV (Outer Limits)

3/31

Rec ll these R"#D $$lic tionsNot Really Mad

Livestoc%

&ouse$ets

The cat came back,

the very next day

50 million+

8/12/2019 RFID Tutorial 2011 Part IV (Outer Limits)

4/31

&u' n loc tion tr c%in(

Schools A'use'ent $ r%s &os$it ls

8/12/2019 RFID Tutorial 2011 Part IV (Outer Limits)

5/31

A riddle)

! "

8/12/2019 RFID Tutorial 2011 Part IV (Outer Limits)

6/31

&u' n*i'$l nt !leR"#D

! " #eri$%i&T'

8/12/2019 RFID Tutorial 2011 Part IV (Outer Limits)

7/31

+E Su!der' l -iochi$ #'$l nt for C shless Tr ns ctions * is it the M r%.

The (ar) is 'icrochi$ sse'!ly /hich /ill !e

i'$l nted under the s%in of the ri(ht h nd Later on*t%e (ar) +ill be i(&lanted under t%e ,ore%ead* so&eo&le +%o %ave no ri-%t %and could also %avet%e (ar). The 'icrochi$ sse'!ly, c lled r diofre uency identific tion R"#D3 is lre dy used in

ni' ls #n do(s, the R"#D is $l ced !et/een theshoulder !l des, nd in !irds it is i'$l nted under the/in( +o/ there is one for hu' ns c lled#eri$%i&/

+++.ra&turec%rist.co( 666.%t(

8/12/2019 RFID Tutorial 2011 Part IV (Outer Limits)

8/31

&u' n*i'$l nt !leR"#D

! " #eri$%i&T'

E4cellent test !ed for $riv cy nd securityconce$ts5

6ro$osed for 'edic l*$ tient identific tion Also $ro$osed nd used s n uthentic tor for $hysic l

ccess control, 7$rosthetic !io'etric8 E ( , Me4ic n ttorney (ener l $ur$ortedly used for ccess to

secure f cility

h t %ind of cry$to(r $hy does it h ve. +one9 #t c n !e e sily cloned :& l '% et l ;0t /e dd ch llen(e*res$onse $rotocol. Clonin( ' y ctu lly !e good thin(

8/12/2019 RFID Tutorial 2011 Part IV (Outer Limits)

9/31

&u' n*i'$l nt !le R"#D 6hysic l coercion nd tt c%

#n 200?, ' n in M l ysi h d his fin(erti$cut off !y thieves ste lin( his !io'etric*

en !led Mercedes h t /ould h $$en if the @eriChi$ /ere usedto ccess ATM ' chines nd securef cilities.

6erh $s !etter if t (s c n !e cloned5 T (s should not !e used for uthentic tion

only for identific tion

8/12/2019 RFID Tutorial 2011 Part IV (Outer Limits)

10/31

Clone !ility B $riv cy 6riv cy 'e ns no lin% !ility or infor' tion !out identities #f t ( c n !e cloned, does th t 'e n it c n>t $rovide

$riv cy. Sur$risin(ly, no5

A very si'$le sche'e llo/s for simultaneous clone !ilitynd $riv cy

8/12/2019 RFID Tutorial 2011 Part IV (Outer Limits)

11/31

Clone !ility B $riv cy

&o'o'or$hic $u!lic*%ey cry$tosyste'e ( , El ' l3

6riv te $u!lic %ey $ ir SK , PK 3 R ndo'i ed sche'e9 C F E PK ,r :m= Se(antic security

Advers ry c nnot distin(uishC F E PK ,r :7 Alice = fro' C GF E PK ,s :7Bob =

Re encry&tion &ro&erty iven C only, c n $roduce r ndo'i ed

C G F E PK ,s :m=, /ithout %no/in( m

8/12/2019 RFID Tutorial 2011 Part IV (Outer Limits)

12/31

Clone !ility B $riv cy

T%e sc%e(e hen re d, t ( choosesfresh r nd out$uts C F E PK ,r :7n 'e8=Then9 Re der /ith SK c n decry$t n 'e Se(antic Security Advers ry c nnot

distin(uish 'on( t (s, i e , infrin(e

$riv cy Re encry&tion &ro&erty Advers ryc n clone t (9 records C nd out$utsr ndo'i ed C*

8/12/2019 RFID Tutorial 2011 Part IV (Outer Limits)

13/31

The covert*ch nnel $ro!le'Su$$ose there is n identific tion uthentic tion syste')

Authorized

Employees

Only

W h o s t h e

r e ?

E [ A l i c e ]

Its Alice!

8/12/2019 RFID Tutorial 2011 Part IV (Outer Limits)

14/31

The covert*ch nnel $ro!le'Su$$ose there is n identific tion uthentic tion syste')

Authorized

Employees

Only

W h o s t h e

r e ?

E [ A l i c e + ? ]

Alice has low blood pressure and

high blood-alcohol

Alice recently passed a casinos

RFID reader.

Mercury switchindicates that

Alice napped onjob

8/12/2019 RFID Tutorial 2011 Part IV (Outer Limits)

15/31

&o/ c n /e ssure Alice of nocovert ch nnels.

Hut$uts 'ust !e deter'inistic R ndo'ness l/ ys le ves roo' for covert e'issions

Could (ive Alice secret %ey to chec% th t out$uts refor' tted correctly

E ( , $seudor ndo'*(ener tor seed for device -ut /e don>t / nt Alice or third $ rty3 to h ve to ' n (e

sensitive %eyin( ' teri l A( in, key management is the problem 5

C n /e en !le Alice or nyone else3 to verify covert*freeness publicly , i e , /ithout e4$osin( secret %eys.

Si'ult neous $u!licly verifi !le covert*freeness nd $riv cyre i'$ossi!le5

8/12/2019 RFID Tutorial 2011 Part IV (Outer Limits)

16/31

&ere>s /hy)

Su$$ose there /ere $u!lic CC detector)

X18 Ultra CC-DetectorTM

A 1

A2

3 o $ $

4 e s * $ $ 5

8/12/2019 RFID Tutorial 2011 Part IV (Outer Limits)

17/31

&ere>s covert ch nnel5

1 Cre te identity for user 7-o!8 -o! could !e fictitious Just need out$ut se uence B1 , B2 , )

2 Alice>s chi$ does follo/in(9 #f no n $, out$ut A1, A2, A3, etc. /ith

Alice>s identity #f Alice h s t %en n $, then fli$ to -o!>s

identity, i e , out$ut A1, A2 B1, B2

8/12/2019 RFID Tutorial 2011 Part IV (Outer Limits)

18/31

Su$$ose /e detect this covertch nnel

X18 Ultra CC-DetectorTM

A 1

A2 3o $$

B 1 4es* $$

8/12/2019 RFID Tutorial 2011 Part IV (Outer Limits)

19/31

+o/ if there re lly is user -o!,/e h ve $ro!le'

X18 Ultra CC-DetectorTM

A 1

A 2

3o $$

8/12/2019 RFID Tutorial 2011 Part IV (Outer Limits)

20/31

Alice follo/ed !y -o! yields7Ies8

X18 Ultra CC-DetectorTM

A 1

6 1

4es* $$

8/12/2019 RFID Tutorial 2011 Part IV (Outer Limits)

21/31

BobAlice

Alice Alice

6riv cy is !ro%en9 e c ndistin(uish !et/een identities5

X18 Ultra CC-DetectorTM

4esX18 Ultra CC-DetectorTM

3o

8/12/2019 RFID Tutorial 2011 Part IV (Outer Limits)

22/31

So $u!lic CC*verifi !ility B $riv cyis i'$ossi!le

-ut /e c n chieve it ny/ y) #de 9 ch n(e the definition of $riv cy

e %en locali!ed $riv cy, e ( , eli'in te $riv cy cross $ ir/isev lues

Allo/ loc li ed CC*chec%in(, e ( , $ ir/ise Loc li ed $riv cy is le st i'$ort nt ty$e of $riv cy

+o/ /e c n do s$ot CC*chec%in()

A1 A2 A AK A? A< A A AN

X18 Ultra CC-DetectorTM

yes no

8/12/2019 RFID Tutorial 2011 Part IV (Outer Limits)

23/31

So $u!lic CC*verifi !ility B $riv cyis i'$ossi!le

+o/ let>s sho/ ho/ to chieve it ny/ y) #de 9 ch n(e the definition of $riv cy

e %en locali!ed $riv cy, e ( , eli'in te $riv cy cross $ ir/isev lues

Allo/ loc li ed CC*chec%in(, e ( , $ ir/ise Loc li ed $riv cy is le st i'$ort nt ty$e of $riv cy

+o/ /e c n do s$ot CC*chec%in()

A1 A2 A AK A? A< A B1 B2

X18 Ultra CC-DetectorTM

yes no

8/12/2019 RFID Tutorial 2011 Part IV (Outer Limits)

24/31

So $u!lic CC*verifi !ility B $riv cyis i'$ossi!le

+o/ let>s sho/ ho/ to chieve it ny/ y) #de 9

e %en $riv cy definition to e4clude locali!ed $riv cy, e ( ,$riv cy cross $ ir/ise v lues

Allo/ loc li ed CC*chec%in(, e ( , $ ir/ise Loc li ed $riv cy is le st i'$ort nt ty$e of $riv cy

+o/ /e c n do s$ot CC*chec%in()

A1 A2 A AK A? A< A A AN . . .

8/12/2019 RFID Tutorial 2011 Part IV (Outer Limits)

25/31

Still difficult $ro!le' Constructin( dete"ministic se uence

/hose v lues re9 6u!licly, $ ir/ise verifi !le

Hther/ise unlin% !le A( in, use !iline r ' $s /ith non*

st nd rd h rdness ssu'$tion)3

e h ve only solved the $ro!le' of covertch nnels in e4$licit lo(ic l*l yer $ro!le' Ti'in( or $o/er side*ch nnel.

8/12/2019 RFID Tutorial 2011 Part IV (Outer Limits)

26/31

r $$in( u$

8/12/2019 RFID Tutorial 2011 Part IV (Outer Limits)

27/31

Oey #de 1

Tr c%in( $riv cy is futile Pnless you>re loo%in( to $u!lish

$ $ers3 Content $riv cy is still i'$ort nt

8/12/2019 RFID Tutorial 2011 Part IV (Outer Limits)

28/31

Oey #de 2

E6C t (s c n>t do cry$to So'e t (s c n do cry$to, !ut

%ey ' n (e'ent re' ins h rd Cry$to is not cure* ll5

8/12/2019 RFID Tutorial 2011 Part IV (Outer Limits)

29/31

Oey #de

R"#D is n 'or$hous l !el Also e4citin( rese rch to !e done

on9 CR"#D +"C #'$l nt !le 'edic l devices Etc , etc

8/12/2019 RFID Tutorial 2011 Part IV (Outer Limits)

30/31

So'e note/orthy results E4tr ction of %ill 6#+s fro' first*(ener tion E6C t (s vi re'ote

$o/er n lysis Hren Q Sh 'ir >0

-re %s of 6hili$s Mif re of /hich !illions of chi$s h ve !een sold3 rci et l >0 Courtois et l >0

#'$le'ented rel y tt c%s Ofir Q ool >0?

Hn*t ( cry$to i'$le'ent tion

Ch e et l ;0

See 7ildas Avoine8s e9cellent RFID Security : Privacybiblio-ra&%y at %tt& +++.avoine.net r,id

8/12/2019 RFID Tutorial 2011 Part IV (Outer Limits)

31/31

List of referenced $ $ers O Ooscher, A Juels, @ -r %ovic, nd T Oohno9

E6C R"#D T ( Security e %nesses nd Defenses9 6 ss$ort C rds, Enh nced Drivers Lice ACM CCS 0N

A Juels, - 6 rno, nd R 6 $$uPnidirection l Oey Distri!ution Across Ti'e nd S$ ce /ith A$$lic tions to R"#D Security

PSE+# Security 200 D - iley, D -oneh, E *J oh, nd A Juels

Covert Ch nnels in 6riv cy*6reservin( #dentific tion Syste's ACM CCS >0 A Juels, 6 Syverson, nd D - iley

&i(h*6o/er 6ro4ies for Enh ncin( R"#D 6riv cy nd Ptility 6ET >0? S -ono et l Security An lysis of Cry$to(r $hic lly*En !led R"#D Device PSE+#

Security >0? A Juels nd J -r in rd Soft -loc%in(9 "le4i!le -loc%er T (s on the Che $ 6ES >0K A Juels, R L Rivest, nd M S ydlo

The -loc%er T (9 Selective -loc%in( of R"#D T (s for Consu'er 6riv cy ACM CCS 0

http://www.rsa.com/rsalabs/node.asp?id=3897http://www.rsa.com/rsalabs/node.asp?id=3497http://www.rsa.com/rsalabs/node.asp?id=3358http://www.rsa.com/rsalabs/node.asp?id=2948http://www.rsa.com/rsalabs/node.asp?id=2948http://www.rsa.com/rsalabs/node.asp?id=2838http://www.rsa.com/rsalabs/node.asp?id=2838http://www.rsa.com/rsalabs/node.asp?id=2032http://www.rsa.com/rsalabs/node.asp?id=2032http://www.rsa.com/rsalabs/node.asp?id=2060http://www.rsa.com/rsalabs/node.asp?id=2060http://www.rsa.com/rsalabs/node.asp?id=2060http://www.rsa.com/rsalabs/node.asp?id=2032http://www.rsa.com/rsalabs/node.asp?id=2838http://www.rsa.com/rsalabs/node.asp?id=2948http://www.rsa.com/rsalabs/node.asp?id=3358http://www.rsa.com/rsalabs/node.asp?id=3497http://www.rsa.com/rsalabs/node.asp?id=3897