ÉCOLE POLYTECHNIQUE
FÉDÉRALE DE LAUSANNE
Gildas Avoine
(Pictures and videos have been removed from this downloadable version)
First Questions
Outline
RFID Systems
[Figure: tags and database]
Current Trend
[Figure: very cheap tags and cheap tags; axes: storage, computation; computation scale: nothing, xor, symmetric, asymmetric]
The boom which RFID technology is enjoying today relies essentially on the willingness to develop small and cheap RFID tags.
General Sketch
System
Tag
request
information to identify the tag
additional message
RFID Characteristics
Frequency
Extremely limited storage and computation capabilities
No battery
Not tamper-resistant
Low cost
Existing Tags
Applications
Authentication vs identification
Communication Model
OSI: application, presentation, session, transport, network, data link, physical
RFID: application, communication, physical
RFID Security Issues
[Figure: tags with identifiers 1001, 1101, 0111]
The computational power of the tags is very limited and they are
unable to communicate with each other:
the reader must deal with the collision avoidance itself.
[Figure: tree with branches labelled 0 and 1]
An attacker can simulate the whole tree. Blocker tags [JRS03] use
this technique to enforce privacy.
Impersonation of tags:
System
Tag
request
information to identify the tag
additional message
Key (RFID)
r
E_k(r)
The cipher (not public) uses 40-bit keys: an active attack takes less than 1 minute (time-memory trade-offs).
Cheap RFID tags (which are not tamper-resistant) are not suited to authentication! Strong security has a cost!
Marketing pressure implies a trade-off between security and cost.
Cost/benefit ratio: e.g., we cannot use the same key in all the tags, because the cost is negligible compared with the benefit.
Privacy
Information
leakage
Traceability
Privacy
Solutions
Protocols Sketches
System
Tag
request
information to identify the tag
information to refresh the identifier
Protocol
System
Tag
request
[(0 , 0 ); (1 , 1 )]
[(0 1r0 , 0 1r0 ); (1r1 , 1r1 )]
Cheap Tags
System
Tag
request
E_k(r), r
The key k is the identifier of the tag. The second message must be indistinguishable (by an attacker) from a random value. Thus the protocol can be proven to be secure.
The main difference from well-known authentication protocols is that the system does not know which party it is speaking with and therefore does not know which key k it should use.
The system carries out an exhaustive search over all the symmetric keys it stores.
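The exhaustive key search described above, as an added example that is not part of the original slides. Assumptions: HMAC-SHA256 stands in for E_k, the tag draws r itself, and the names Tag, System, enroll and identify are hypothetical.

```python
import hashlib
import hmac
import secrets


def E(k, r):
    """Stand-in for E_k(r): HMAC-SHA256 under key k (assumption, not the slides' cipher)."""
    return hmac.new(k, r, hashlib.sha256).digest()


class Tag:
    def __init__(self, key):
        self._k = key  # the key k is the identifier of the tag

    def respond(self):
        # Assumption: the tag draws r itself, since the sketch shows it sending "E_k(r), r".
        r = secrets.token_bytes(16)
        return E(self._k, r), r


class System:
    def __init__(self):
        self._keys = {}  # key -> tag name, in enrolment order

    def enroll(self, name):
        k = secrets.token_bytes(16)
        self._keys[k] = name
        return Tag(k)

    def identify(self, c, r):
        """Try every stored key on (c, r); return (name or None, keys tried)."""
        tried = 0
        for k, name in self._keys.items():
            tried += 1
            if hmac.compare_digest(E(k, r), c):
                return name, tried
        return None, tried  # unknown tag: the whole key table was scanned


if __name__ == "__main__":
    system = System()
    tags = [system.enroll(f"tag-{i}") for i in range(1000)]  # constructed population
    c1, r1 = tags[-1].respond()
    c2, r2 = tags[-1].respond()
    print("same tag, two replies differ:", (c1, r1) != (c2, r2))
    print("identified:", system.identify(c1, r1))
    print("unknown tag:", system.identify(*Tag(b"\x00" * 16).respond()))
```

The count returned by identify shows the cost of this design: the work per identification grows linearly with the number of stored keys, and an unknown tag always costs a full scan.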
System
Tag
request
E_k(r), r
Complexity Improvements
[Figure: identifiers ID1, ID2, ID3, ID4, ID5, ID6, ID7]
Exercise:
1
[Figure: tags, reader and database]
The sources of information which can benefit an adversary are limited to the channels between the reader and the tag, i.e., the forward channel and the backward channel, as well as the contents of the memory of the tag.
Reader
Information Channels
Adversary
Tag
Forward Channel
Backward Channel
Memory Channel
Tag
request
information
data to refresh the information
After having interacted with a target tag T and possibly some readers and thus obtaining an interaction I(T), an adversary A needs to find his target among two tags T1 and T2 which are presented to him. In order to do this, he can query both T1 and T2, thus obtaining two interactions I1(T1) and I2(T2).
[Figure: the adversary holds the interaction I(T), obtains I1(T1) and I2(T2) from T1 and T2, and outputs a tag among {T1, T2}; remaining labels: {Q, E, R}, {S}, R]
Advantage
Relations
UNT-E
UNT-Q
Results
Protocol              is                     is not
Golle et al.          Existential-UNT-Q      Existential-UNT-E
Saito et al.          Existential-UNT-Q      Universal-UNT-QS
Henrici and Müller    Existential-UNT-Q      Universal-UNT-QE
Weis et al.           Existential-UNT-QSE    Forward-UNT-QSER
Ohkubo et al.         Existential-UNT-QSE    Forward-UNT-QSER
Conclusion
Current Works
Further Readings
RFID