Beruflich Dokumente
Kultur Dokumente
Five-Cent Computers
5¢
Ari Juels
Principal Research Scientist
RSA Laboratories
USENIX Security 2004
LABORATORIES
What is a Radio-Frequency
Identification (RFID) tag?
• In terms of appearance…
Chip (IC)
Antenna
What is an RFID tag?
• You may own a few RFID tags…
– Proximity cards (contactless physical-access cards)
– ExxonMobil Speedpass
– EZ Pass
• RFID in fact denotes a spectrum of devices:
What is an RFID tag?
• You may own a few RFID tags…
– Proximity cards (contactless physical-access cards)
– ExxonMobil Speedpass
– EZ Pass
• RFID in fact denotes a spectrum of devices:
Basic
RFID EZ Pass
SpeedPass
Tag Mobile phone
What is a basic RFID tag?
• Characteristics:
– Passive device – receives power from reader
– Range of up to several meters
– In effect a “smart label”: simply calls out its (unique)
name and/or static data
“74AB8”
“Plastic #3”
“5F8KJ3”
The capabilities of a basic
RFID tag
• Little memory
– Static 64-to-128-bit identifier in current ultra-cheap
generation (five cents / unit)
– Hundreds of bits soon
– Maybe writeable under good conditions
• Little computational power
– A few thousand gates
– Static keys for read/write permission
– No real cryptographic functions available
The grand vision:
RFID as next-generation barcode
Fast, automated
scanning
Line-of-sight Radio contact
• Parenting logistics
– Water-park with tracking bracelet
• RFID in Euro banknotes (?)
There is an impending explosion
in RFID-tag use
• EPCglobal
– Joint venture of UCC and EAN
– Wal-Mart, Gillette, Procter & Gamble, etc.
– Spearheading EPC (electronic product code) data standard for tags
– Putting finishing touches on basic-tag standard (Class 1 Gen 2) this week
• Wal-Mart requiring top 100 suppliers to start deploying RFID in 2005
• Other retailers and DoD following Wal-Mart lead
• Pallet and case tagging first -- item-level retail tagging seems years away
• Estimated costs
• 2005: $0.05 per tag; hundreds of dollars per reader
• 2008: $0.01 per tag; several dollars per reader (?)
• A broader vision: “Extended Internet”
The Problems of Privacy and
Security
RFID means a world with billions of
ant-sized, five-cent computers
• Highly mobile
• Contain personal information
• Subject to surreptitious scanning
• Again, no cryptography…
• Access control difficult to achieve
• Data privacy difficult to achieve
The consumer privacy problem
Here’s Wig
Replacement hip model #4456
Mr. Jones medical part #459382 (cheap
polyester)
in 2020…
1500 Euros
in wallet
Serial numbers:
30 items 597387,389473
of lingerie …
…and the tracking problem
Wig
serial #A817TS8
• Mr. Jones pays with a credit card; his RFID tags now linked to his
identity; determines level of customer service
– Think of car dealerships using drivers’ licenses to run credit checks…
• Mr. Jones attends a political rally; law enforcement scans his RFID
tags
• Mr. Jones wins Turing Award; physically tracked by paparazzi via
RFID
Early examples of consumer
backlash
• 42% of Google results on “RFID” include word
“privacy”
• CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering)
– Diatribes on RFID at:
• Spychips.com
• BoycottGillette.com
• BoycottBenetton.com
– National news coverage: NY Times, Time, etc.
• Wal-Mart “smart-shelf project” cancelled
• Benetton RFID plans (purportedly) withdrawn
Some problems you don’t hear about
• Corporate espionage: Privacy is not just a consumer issue
– Eavesdropping on warehouse transmissions
– Scanning of shelves for turnover rates
• Tag counterfeiting
– Automation means dependence!
– Think about RFID-enabled medicine cabinets…
• Special demands of U.S. Department of Defense
– “DoD would be like Wal-Mart… if Christmas were a random event
every five years, and a stockout meant that everyone in the store
could die…” -Nicholas Tsougas, DoD
Some proposed solutions
to the privacy problem
Approach 1: Cover RFID tags with
protective mesh or foil
Problems:
(1) Makes locomotion
difficult
(2) Shops don’t like
distributing tools for
theft
Approach 2: “Kill” RFID tags
Problem:
RFID tags are
much too useful
in “live” state…
We already
have SpeedPass,
etc., and then…
Tomorrow’s consumer applications
• Prada, Soho NYC
– Personalization / accessorization
• Tagged products
– Clothing, appliances, CDs, etc. tagged for store returns and locatable in house
• “Smart” appliances
– Refrigerators that automatically create shopping lists and when milk expires
– Closets that tell you what clothes you have available, and search the Web for advice
on current styles, etc.
– Washing machines that detect improper wash cycle
• “Smart” print
– Airline tickets that indicate your location in the airport
– Business cards
• Aids for cognitively impaired, e.g., “smart” medicine cabinets
– Project at Intel
• Recovery of stolen goods (?)
• Recycling
– Plastics that sort themselves
Consumers will not want their tags “killed,” but should still have a
right to privacy!
Approach 3: Policy and legislation
• Undoutedly helpful if thought through well, but…
Welcome to Hell
IT Department
011001010010
A basic RFID tag cannot survive…
Welcome to Hell
IT Department
011001010010
For RFID, we can consider different
and weakened adversarial assumptions
• Adversary is not present 24 hours a day
– Adversary must be physically close to tag to scan it
• We can deploy security protocols on physical
channels – not just logical ones
• External, higher-capability devices can help
protect tags
First approach [Juels, SCN ’04]:
Minimalist cryptography
Key observation: Adversary must have physical proximity to
tag to interact with it
Key assumption: Adversary can query tag only limited
number of times in given attack session
“74AB8” “MMW91”
?
=
Strengthening the approach
• Strengthen restriction on adversarial queries using “throttling”
– Tag enforces pattern of query delays via, e.g., capacitor-discharge
timing
• Pseudonym refresh
– Trusted reader provides new pseudonyms
– Pseudonyms must be protected against eavesdropping and tampering
using encryption, but tags cannot do standard cryptography!
– Can load up tag with one-time pads – assuming adversary is not
always present, some pads will be secret!
• Not for retail items, which must include basic item
information. Perhaps for prox. cards, tickets, etc.?
Second Approach [Juels, Rivest, & Szydlo CCS ‘03]:
The “Blocker” Tag
“Blocker” Tag
Blocker simulates
all (billions of)
possible tag serial
numbers!!
?
00 01 10 11
VeriChip™
“Unlike a bar code, [an RFID tag] can be read from a distance, right through your
clothes, wallet, backpack or purse -- without your knowledge or consent -- by
anybody with the right reader device. In a way, it gives strangers x-ray vision powers
to spy on you, to identify both you and the things you're wearing and carrying.”
RFID realities
• Deployers can scarcely get RFID working at all!
• UHF tags hard to read near liquids, like water
– You are salt water so…
– If you’re worried about your sweater being scanned, wear it!
• And even when range is good…
– In NCR automated point-of-sale trials, participants paid for
groceries of people behind them…
• Consumer goods manufacturers and retailers don’t want to
drive customers away
• Corporations and governments don’t make very effective
use of data anyway
“Given the potentially huge benefits to consumers from wide-scale
deployment of RFID, including higher productivity and lower prices,
the privacy community knows that the only way they can stop RFID
at the consumer level is to make all sorts of outlandish claims
about the Orwellian uses of RFID, which either can’t happen or are
so unlikely as to be a non-issue.”
Robert Atkinson,
Progressive Policy Institute
Admonitions to privacy naysayers
• The technology will improve in
ways we may not expect
– Industry has an incentive to
overcome obstacles
– Tag power, reader sensitivity,
antenna
• Standards and legacy systems stick
around for years – we should try to
build flexibility and safeguards in
early
• An RFID tag is not like a cookie –
psychologically more potent
– If people think there’s a privacy
problem, then there’s a problem
• Security and privacy are enabling
(unofficial URL)