Security and Privacy for RFID Systems

1
Security and Privacy for RFID Systems

• Burt Kaliski, RSA Security
• RSA Conference Japan 2004

2
Objectives

• Describe security and privacy attributes for RFID
  systems
• Extensions of standard network security and
  privacy attributes, but more challenging and
  complex
• Motivate research and development into safe
  RFID deployments, where security and privacy are
  built in
• Part of the benefit, also part of the cost
• Variety of RFID systems are contemplated
• Low-cost EPC tags
• Proximity cards
• Payment cards
• Attributes apply to differing extent to each type
  of system

3
General Model

• Readers interact with tags
• Readers report tag events to applications
• Applications record tag events in tag databases
• Users, applications implement business processes
  using tag databases

4
General Model
application server
reader
tag
database
5
Security and Privacy Attributes

• Tag privacy
• Tag authenticity
• Reader security
• Tag database security
• Attributes are ideals, not necessarily
  requirements
• Applications need to make a cost/benefit tradeoff

6
1 Tag Privacy

• IdealOnly authorized applications should be
  able to identify tags
• Identify associate with other information
• e.g., determine actual identity link to previous
  tag events
• Readers may be able to scan tags, but results
  should not be meaningful to application unless
  authorized
• Authorized having permission according to some
  privacy policy
• Store X can identify its own unpurchased tags,
  but not purchased ones
• Company Y can identify tags only for products it
  has ordered
• Extension Tag Access Management Applications
  should not be able to access tag data or control
  tags without authorization
• e.g., kill command

7
Tag Privacy Threats and Challenges

• Threats
• Rogue scanning
• e.g., by stores, competitors, thieves
• Passive eavesdropping on reader-to-tag
  transmissions
• Eavesdropping on tag possible at a short
  distance, but some tag singulation protocols
  are vulnerable to long-distance eavesdropping on
  the reader
• Challenges
• Tag cost, power may limit crypto capabilities
• Readers may be offline, so may need to be
  provisioned with authentication data for many tags

8
Eavesdropping at a Distance

• In the main EPC protocol for scanning RFID tags,
  the reader considers the tags as belonging to a
  binary tree
• The reader addresses or singulates individual
  tags by a tree-walking protocol using depth-first
  search
• Each subtree T corresponds to an identifier
  prefix
• Reader searches T by sending prefix, asking tags
  for their next bit
• If all 0, searches Left(T)
• If all 1, searches Right(T)
• If both 0 and 1, searches Left(T) and
  Right(T)
• Prefixes send by reader reveal tag identifiers
  and can be heard at a long distance

9
Tag Privacy Approaches (1)

• Deactivation
• Tag killed at point of sale
• Protects against rogue scanning, but doesnt
  defend against passive eavesdropping on
  authorized scanners
• And tags are too useful to kill universally, and
  not easy to reactivate securely
• Public-key protocol
• Tag interacts with reader by public-key protocol
  that authenticates reader, then encrypts tag
  identifier with readers public key
• Protects against both threats
• But too heavyweight for todays low-end tags

10
The Reactivation Dilemma

• San Francisco Public Library announced in October
  2003 a plan to identify library books with RFID
  tags
• Tag deactivation proposed to address privacy
  concerns
• If you deactivate the tag when a book is checked
  out, how do you reactivate it when checked in?
• Reactivation command must be authenticated
• Public-key methods too heavyweight
• So command needs a shared secret
• The dilemma Which secret?
• If a tag-specific secret, how does reader know
  which one?
• And if not tag-specific, then its not a secret

11
Tag Privacy Approaches (2)

• User intervention
• User presses button on tag to authorize scanning
• Protects against rogue scanning if user can
  identify unauthorized readers, but not passive
  eavesdropping
• Not suitable within supply chain
• Blocker tags (Juels, Rivest, Szydlo)
• User carries special blocker tag that interferes
  with singulation protocol within private subtrees
• Always answers 0 and 1 within subtree
• Protects against both threats for private tags
  when applied
• Again not suitable within supply chain

12
Tag Privacy Approaches (3)

• Silent tree-walking (Weis et al.)
• Singulation protocol modified so that search
  process doesnt reveal actual identifier
• e.g., tag singulates with a random identifier,
  then quietly sends actual identifier
• Protects against passive eavesdropping from a
  distance, but not rogue scanning
• One-time identifiers (aka pseudonym tag)
  (Juels)
• Tag steps through multiple identifiers, linkable
  to tags actual identity only by authorized
  applications
• Protects against both threats if enough
  identifiers
• Or if scanning rate somehow limited by tag
• But how to manage a large supply of identifiers?

13
2 Tag Authenticity

• IdealOnly authorized applications should be
  able to produce valid tags
• Valid having an identity recognized by
  authorized application
• Authorized e.g.
• Only manufacturer Z can produce tags
  recognizable as being from Z

14
Tag Authenticity Threats, Challenges

• Threats
• Cloning copying existing tags
• Forgery making new tags with a valid identity
• Relabeling (transferring a tag from one physical
  item to another) requires physical
  countermeasures, not addressed here
• Grandmaster attack (spoofing tag and reader
  simultaneously by relaying messages between them)
  also requires physical countermeasures
• Challenges
• Tag cost, power may limit crypto capabilities
• Cost and form factor likewise may limit
  tamper-resistance

15
Tag Authenticity Approaches (1)

• Track and trace
• Application anticipates tag movements, detects
  and reports fraud
• anomalies and duplicates
• No secrets on tag
• Protects against both threats but only after
  the fact
• Challenge-response
• Tag interacts with reader by challenge-response
  protocol based on tag-specific secret key
• Protects against both threats
• But a little (or a lot) heavyweight
• Feasible for payment cards

16
Tag Authenticity Approaches (2)

• Static authentication (e.g., as in EMV spec.)
• Tag identifier includes a digital signature or
  MAC, or is itself an application secret
• No crypto needed on tag
• Protects against forgery, but not cloning
• Static authentication with public-key protocol
  (e.g., SAML)
• Tag authenticates reader by public-key protocol,
  then encrypts static authenticator above with
  readers public key
• Only public-key operations needed on tag no tag
  secret key
• Protects against both threats, assuming readers
  trustworthy
• Still too heavyweight for low-end tags
• Again feasible for payment cards

17
Tag Authenticity Approaches (3)

• Pseudonym tag with mutual authentication (Juels)
• Three-part protocol
• Tag presents one-time identifier
• Reader sends corresponding one-time PIN
• Tag returns its own one-time PIN for authenticity
• Protects against both threats if enough
  identifiers
• But again, how to manage a large supply of
  identifiers?

18
3 Reader Security

• Ideala) Only authorized applications should be
  able to interact with readers (e.g., to obtain
  information about tag events)
• b) Only authorized readers should be able to
  provide information about tag events to an
  application
• Authorized having permission under some policy
• Company A can obtain information from its own
  readers, but not Company Bs readers
• Store Cs readers can provide tag events to
  Store C, but not Store Ds readers

19
Reader Security Threats, Challenges

• Threats
• Eavesdropping on reader-to-application
  transmissions
• Insertion, deletion, modification of tag events
• e.g., bogus readers
• Reader compromise (e.g., by intrusion) requires
  IT security countermeasures, not addressed here
• Challenges
• Readers need to be swapped in and out in the
  field, which complicates key management
• Reader cost, power may limit crypto capabilities
• though not nearly to the extent that tags are
  limited

20
Reader Security Approaches

• Basically, standard security protocols
• Application, reader authenticate each other,
  establish a session key
• Public-key or symmetric-key based protocol
• But how to determine which keys (i.e., readers
  and applications) are authorized?
• Tag event data encrypted and integrity-protected
  with session key
• Examples IPsec TLS WiFi
• Though some computational cost, crypto
  capabilities will continue to improve, following
  general trend in wireless and wired security
• Further research may yield more interesting
  approaches

21
4 Tag Database Security

• IdealOnly authorized applications and users
  should be able to access online tag information
  databases
• Authorized having permission according to some
  policy among parties
• Administrator E can read tag information from
  Company Fs database
• Applications at Supplier G can query only about
  Supplier Gs tags from Retailer Hs database

22
Tag Database Security Threats and Challenges

• Threats
• Disclosure of information about tags
• Modification
• Traffic analysis, etc.
• Challenges
• Tag databases potentially need to be available to
  many parties
• Suppliers, retailers, consumers, auditors,
• Information about a given tag may be managed in
  many places, and/or may change hands over time
• Even referrals on lookups can reveal competitive
  information!

23
Tag Database Security Approaches

• Basically, good distributed database / Web
  services security
• Application, users authenticate, obtain
  authorization
• Database / Web service decides whether to accept
  request based on authorization
• But questions remain
• Which database(s) to query about a given tag? Is
  the application or user authorized to find out
  even this much?
• How to manage authorizations across supply chain?
• More for another presentation

24
Conclusions

• Security and privacy challenges are significant
  in the emerging RFID infrastructure, yet
  approaches are available or being developed to
  address them
• Solutions can combine approaches to achieve
  security and privacy attributes at various levels
  (and costs) according to policy, business
  requirements
• The reward from an RFID deployment tomorrow
  depends on the investment in security and privacy
  in the design today

25
For More Information

• S. Sarma et al., Radio-Frequency Identification
  Security Risks and Challenges, CryptoBytes 6(1),
  Spring 2003, http//www.rsasecurity.com/rsalabs/cr
  yptobytes/
• S. Weis home page, http//theory.lcs.mit.edu/swei
  s/
• RFID privacy and security page, RSA Laboratories,
  http//www.rsasecurity.com/rsalabs/rfid/

26
Contact Information

• Burt KaliskiChief Scientist, RSA
  SecurityDirector, RSA Laboratoriesbkaliski_at_rsase
  curity.comhttp//www.rsasecurity.com/rsalabs/