Strong Privacy for RFID Systems from Plaintext-Aware ... strong privacy CANS 2012 1 / 32 Our Problem...

Strong Privacy for RFID Systems fromPlaintext-Aware Encryption

Khaled Ouafi and Serge Vaudenay

ÉCOLE POLYTECHNIQUEFÉDÉRALE DE LAUSANNE

http://lasec.epfl.ch/

supported by the ECRYPT project

SV strong privacy CANS 2012 1 / 32

http://lasec.epfl.ch/

Our Problem

Tag Systemwho’s there?�

-ZUKTHPFBVI

that’s tag ID=38925629

one system (may include several readers), many tags

tags: passive (no battery), limited capabilities, not tamper-proof

primary concern (industry driven): securityif System identifies tag ID, it must be tag ID

secondary concern (user driven): privacytags could only be identified/traced/linked by System

problem: formal model


A Typical Protocol

Tag Systemkey: S {. . . ,(ID,K ), . . .}

c=challenge←−−−−−−−−−−−−− pick ρ, c = Gen(ρ)r = Alg(S,c;coins)

r=response−−−−−−−−−−−−−→ find (ID,K ) s.t. Ver(K ,ρ, r)output: ID

stateless

2-round


1 Towards a Formal Model

2 Definitions and Results

3 Strong Privacy is Possible


ISO/IEC 9798-2 2-Pass Unilateral Authentication

Tag Systemstate: K {. . . ,(ID,K ), . . .}

a←−−−−−−−−−−−−− pick a

c = EncK (a)c−−−−−−−−−−−−−→ find (ID,K ) s.t. c = EncK (a)

output: ID

pro stateless, symmetric crypto

con replay attack −→ tag traceability


Variant


pick ba←−−−−−−−−−−−−− pick a

c = EncK (a,b)b,c−−−−−−−−−−−−−→ find (ID,K ) s.t. c = EncK (a,b)

output: ID

pro stateless, symmetric crypto, secure, weak privacy

con tag corruption −→ tag traceability


Evolution of Privacy Protocols

early: did not address corruption or result channel

OSK03: corruption at the end only (forward privacy)

ADO06: early corruption considered

JW06: result channel considered

Vau07: 2×4 matrix (result channel × corruption model)


RFID SchemeComponents:

System = (stateless) Reader securely connected� - (stateful) DatabaseSetupReader→ (KS,KP):generate keys (KS,KP), store in Reader, and empty databaseSetupTagKP

(ID)→ (K ,S):S is an initial state for tag ID(ID,data) is to be inserted in databaseProtocols:

Tag Reader Database(S) KS db

←−−− −−−→−−−→ output ←−−−

output: tag ID (if valid) or ⊥ (if not)

Functionality:correctness: identification under normal execution


Adversarial Model

Adversary

6ID1, ID2, ID3

CreateTag

� distr -

vtag1vtag2

vtag3

free tagsID1 ID2 ID3

+

3

vtag1 (ID2)

?

6

vtag2 (ID1)

s

k

vtag3 (ID3)

-� reader


Oracle Accesses

Adversary

+

vtag

Free

� -vtag,mes

mes′SendTag

k

s

distrvtag,bit

...(vtag, ID)

...DrawTag

?

6vtag state

Corrupt

6ID bit

CreateTag

s

k

bitπ

Result

-�π,mes

mes′SendReader

3

+

π

Launch


Security

Wining condition: one reader-protocol instance π identified ID but thistag did not have any matching conversation(i.e. same transcript and well interleaved messages).

DefinitionAn RFID scheme is secure if for any polynomially bounded adversarythe probability of success is negligible.


Privacy Adversary

A

-�

-�

-�

CrTag, Free, Corrupt

Launch, Send, Result

DrawTag

?

?true/false

table�

Wining condition: the adversary outputs true

Problem: there are trivial wining adversaries(e.g. an adversary who always answers true)


Blinders

A

-�

-�

-�

B

-�

-�



DrawTag

?

?true/false

table�

DefinitionA blinder is an interface between the adversary and the oracles that

passively looks at communications to CreateTag, DrawTag, Free,and Corrupt queries

simulates the oracles Launch, SendReader, SendTag, and Result


Privacy

A

-�

-�

-�



DrawTag

?

?true/false

table�

AB

-�

-�

-�

-�

-�

?

?true/false

-

Definition

An RFID scheme protects privacy if for any polynomially bounded Athere exists a polynomially bounded blinder B such thatPr[A wins]−Pr[AB wins] is negligible.


Privacy Models

no readeroutput

(narrow)

readeroutput

corrupt(strong)

destructivecorrupt

(destructive)

finalcorrupt

(forward)

nocorrupt(weak)

strong destructive forward weak

narrowstrong

narrowdestructive

narrowforward

narrowweak

⇒ ⇒ ⇒

⇒ ⇒ ⇒

⇓ ⇓ ⇓ ⇓


Challenge-Response RFID Scheme


pick ba←−−−−−−−−−−−−− pick a

c = FK (a,b)b,c−−−−−−−−−−−−−→ find (ID,K ) s.t. c = FK (a,b)

output: ID

TheoremAssuming that F is a pseudorandom function, this RFID scheme is

correct

secure

weak private⇓

⇒

no forward privacy: trace tag by corrupting it in the future


Narrow-Weak Privacy Implies One-Way Function

TheoremAn RFID scheme that is

correct

narrow-weak private⇓

⇒

can be transformed into a one-way function.

no privacy without any crypto!

Proof idea:1 the function mapping the initial states and random coins to the

protocol transcript must be one-way (otherwise compute newstates and identify in future sessions)


Modified OSK

Tag Systemstate: S {. . . ,(ID,K ), . . .}

a←−−−−−−−−−−−−− pick a

c = F(S,a)c−−−−−−−−−−−−−→ find (ID,K ) s.t.

replace S by G(S) c = F(Gi(K ),a) and i < treplace K by Gi(K )

output: ID

TheoremAssuming that F and G are random oracles, this RFID scheme is

correct

secure

narrow-destructive private⇓

⇒

no privacy with a side channel: DoS [JW 2006]


Public-Key-Based RFID Scheme

Tag Systemstate: KP , ID,K secret key: KS

{. . . ,(ID,K ), . . .}a←−−−−−−−−−−−−− pick a

c = EncKP (ID‖K‖a)c−−−−−−−−−−−−−→ DecKS(c) = ID‖K‖a

check a, (ID,K )output: ID

TheoremAssuming that Enc/Dec is an IND-CCA public-key cryptosystem, thisRFID scheme is

correct

secure

narrow-strong and forward private⇓

⇒


Narrow-Strong Privacy Implies Public-Key Cryptography

TheoremAn RFID scheme that is

correct

narrow-strong private⇓

⇒

can be transformed into a secure key agreement protocol.

no narrow-strong privacy without public-key crypto!

Proof idea:1 Alice creates two legitimate tags 0 and 1, sends their states to

Bob, and simulate the system for Bob2 Bob flips a bit b and simulate tag b to Alice3 Alice identifies b which is an agreed key bit


Caveat: Not Destructive Private

1: CreateTag(0)2: vtag0← DrawTag(0)3: S0← Corrupt(vtag0)4: (·,S1)← SetupTagKP

(1)5: flip a coin b ∈ {0,1}6: π← Launch7: simulate a tag of state Sb with

reader instance π8: x ← Result(π)9: if T (x) = b then

10: output true11: else12: output false13: end if

We have Pr[A wins]≈ 1.

A blinder who computes x translatesinto an IND-CPA adversary againstthe public-key cryptosystem, thusPr[AB wins]≈ 1

2 for any B.

Hence, A is a significant destructiveadversary.


Strong Privacy is Infeasible

TheoremAn RFID scheme cannot be

correct

narrow-strong and destructive private⇓

⇒

at the same time.

no strong privacy!


Results about Privacy Models (2007 Version)

no readeroutput

readeroutput

corruptdestructive

corruptfinal

corruptno

corrupt

impossible ??

equiv toPK-crypto

doable withPK-crypto

doablein ROM

doable withPRF

equiv toPRF

⇒ ⇒

⇒ ⇒ ⇒

⇓ ⇓ ⇓

possible: (PRF) (ROM) (PKC)

impossible: (w/o KA)


Impossibility Proof

take the following adver-sary (for destructive pri-vacy)

1: (·,S0)← SetupTagKP(0)

2: CreateTag(1)3: vtag← DrawTag(1)4: S1← Corrupt(vtag) (destroy it)5: flip a coin b ∈ {0,1}6: π← Launch7: simulate tag of state Sb with π8: x ← Result(π)9: output 1x=b

a blinder B for this advesary getsS1, simulate reader interacting withb = 0 or 1 and can guess b

B defines an adversary(for narrow-strong pri-vacy)

1: create tag 0 and tag 12: draw both tags3: corrupt both tags and get their

states S0 and S1

4: free both tags5: draw a random tag: vtag ←

DrawTag(0 or 1)6: simulate B with input KP , S1,

and interacting with vtag and getbit x

7: output 1T (vtag)=x


Ng-Susilo-Mu-Safavi-Naini 2008

not strong private because the adversary asks questions forwhich he knows the answer but the blinder cannot guess it

notion of “wise” adversary (cannot ask question for which heknows the answer)

we take a different approach:

we let the blinder be able to read the adversary’s thoughts


New Blinders

A

-�

-�

-�

B

-�

-�



DrawTag

?

?true/false

table�

DefinitionA blinder is an interface between the adversary and the oracles that

passively looks at communications to CreateTag, DrawTag, Free,and Corrupt queries

simulates the oracles Launch, SendReader, SendTag, and Result

see the adverary’s random coins


Public-Key-Based RFID Scheme

Tag Systemstate: KP , ID,K secret key: KS

{. . . ,(ID,K ), . . .}a←−−−−−−−−−−−−− pick a

c = EncKP (ID‖K‖a)c−−−−−−−−−−−−−→ DecKS(c) = ID‖K‖a

check a, (ID,K )output: ID

TheoremAssuming that Enc/Dec is a PA2+IND-CPA public-key cryptosystem,this RFID scheme is

correct

secure

strong private⇓

⇒


PA2 Trick

PA2 means for all valid ciphertexts form the adversary, either it isreused or the adversary must know the plaintext(Bellare-Palacio 2004)

know the plaintext =⇒ blinder can get it be reading his thoughts

PA2 needed because the blinder must simulate Result bydecrypting ciphertexts forged by the adversary (they could bebased on corrupted states)


Conclusion

no readeroutput

readeroutput

corruptfinal

corruptno

corrupt

doable withPA-crypto

equiv toPK-crypto

doable withPK-crypto

doablein ROM

doable withPRF

equiv toPRF

⇒ ⇒

⇒ ⇒

⇓ ⇓ ⇓

we have a good framework to study privacystrong privacy is possible, but only with PK-cryptosome open problems

forward privacy based on PRF (or ROM)?narrow-forward privacy based on PRF (no ROM)?separation with a concurrent model based on indistinguishability


Strong Privacy for RFID Systems from Plaintext-Aware ... strong privacy CANS 2012 1 / 32 Our Problem...

Documents

Transcript of Strong Privacy for RFID Systems from Plaintext-Aware ... strong privacy CANS 2012 1 / 32 Our Problem...