Introduction to RFID Security and Privacy

Ari Juels Chief Scientist RSA, The Security Division of EMC

RFIDSec 2011 Tutorial
slides 2011, RSA L !or tories

Par t IV: The Outer Limits of RFID Security

All slides 2006 RSA Laboratories

Rec ll these R"#D $$lic tions

Not Really Mad

Livestoc%

&ouse$ets
50 million+

The cat came back, the very next day

&u' n loc tion tr c%in(

Schools A'use'ent $ r%s &os$it ls

A riddle)
! "

&u' n*i'$l nt !le R"#D

"
#eri$%i&T'

+++.ra&turec%rist.co(0666.%t(

+E, Su!der' l -iochi$ #'$l nt for C shless Tr ns ctions * is it the M r%.

The (ar) is 'icrochi$ sse'!ly /hich /ill !e i'$l nted under the s%in of the ri(ht h nd0 Later on* t%e (ar) +ill be i(&lanted under t%e ,ore%ead* so &eo&le +%o %ave no ri-%t %and could also %ave t%e (ar). The 'icrochi$ sse'!ly, c lled r dio fre1uency identific tion 2R"#D3 is lre dy used in ni' ls0 #n do(s, the R"#D is $l ced !et/een the shoulder !l des, nd in !irds it is i'$l nted under the /in(0 +o/ there is one for hu' ns c lled #eri$%i&/0

&u' n*i'$l nt !le R"#D

E4cellent test !ed for $riv cy nd security conce$ts5
6ro$osed for 'edic l*$ tient identific tion Also $ro$osed nd used s n uthentic tor for $hysic l ccess control, 7$rosthetic !io'etric8
E0(0, Me4ic n ttorney (ener l $ur$ortedly used for ccess to secure f cility

"

,h t %ind of cry$to(r $hy does it h ve.

+one9 #t c n !e e sily cloned :& l '% et l0 ;0<=
#eri$%i&T'

So shouldn>t /e dd ch llen(e*res$onse $rotocol. Clonin( ' y ctu lly !e good thin(

&u' n*i'$l nt !le R"#D

6hysic l coercion nd tt c%
#n 200?, ' n in M l ysi h d his fin(erti$ cut off !y thieves ste lin( his !io'etric* en !led Mercedes ,h t /ould h $$en if the @eriChi$ /ere used to ccess ATM ' chines nd secure f cilities.

6erh $s !etter if t (s c n !e cloned5 T (s should not !e used for uthentic tion Aonly for identific tion

Clone !ility B $riv cy

6riv cy 'e ns no lin% !ility or infor' tion !out identities #f t ( c n !e cloned, does th t 'e n it c n>t $rovide $riv cy.
Sur$risin(ly, no5

A very si'$le sche'e llo/s for simultaneous clone !ility nd $riv cy

Clone !ility B $riv cy

&o'o'or$hic $u!lic*%ey cry$tosyste' 2e0(0, El C ' l3
6riv te D $u!lic %ey $ ir 2SK, PK3 R ndo'iEed sche'e9 C F EPK,r :m= Se(antic security1 Advers ry c nnot distin(uish C F EPK,r :7Alice= fro' CGF EPK,s :7Bob= Re2encry&tion &ro&erty1 Civen C only, c n $roduce r ndo'iEed CG F EPK,s :m=, /ithout %no/in( m

Clone !ility B $riv cy

T%e sc%e(e1 ,hen re d, t ( chooses fresh r nd out$uts C F EPK,r :7n 'e8= Then9 Re der /ith SK c n decry$t n 'e Se(antic Security1 Advers ry c nnot distin(uish 'on( t (s, i0e0, infrin(e $riv cy Re2encry&tion &ro&erty1 Advers ry c n clone t (9 records C nd out$uts r ndo'iEed C*

The covert*ch nnel $ro!le'

Su$$ose there is n identific tion D uthentic tion syste')

os h W

? e r the

Its Alice!

E[Alice]

Authorized Employees Only

The covert*ch nnel $ro!le'

Su$$ose there is n identific tion D uthentic tion syste')
Alice low blood Alice has recently indicates that pressure passed a and casinos Alice napped on high RFID blood-alcohol reader.

Mercury switch job

os h W

? e r the

E[Alice + ?]

Authorized Employees Only

&o/ c n /e ssure Alice of no covert ch nnels.

Hut$uts 'ust !e deter'inistic
R ndo'ness l/ ys le ves roo' for covert e'issions

Could (ive Alice secret %ey to chec% th t out$uts re for' tted correctly
E0(0, $seudor ndo'*(ener tor seed for device

-ut /e don>t / nt Alice 2or third $ rty3 to h ve to ' n (e sensitive %eyin( ' teri l0 A( in, key management is the problem5 C n /e en !le Alice 2or nyone else3 to verify covert*freeness publicly, i0e0, /ithout e4$osin( secret %eys. Si'ult neous $u!licly verifi !le covert*freeness nd $riv cy re i'$ossi!le5

&ere>s /hy)
Su$$ose there /ere $u!lic CC detector)

A1

X18 Ultra CC-DetectorTM

$ $ o 3
4es* $ $5

A2

&ere>s

covert ch nnel5

10 Cre te identity for user 7-o!8

-o! could !e fictitious Just need out$ut se1uence B1, B2, ) #f no n $, out$ut A1, A2, A3, etc. /ith Alice>s identity #f Alice h s t %en n $, then fli$ to -o!>s identity, i0e0, out$ut A1, A2 B1, B2

20 Alice>s chi$ does follo/in(9

Su$$ose /e detect this covert ch nnel

A1

X18 Ultra CC-DetectorTM

A B2 1

4es* 3o $$ $$

+o/ if there re lly is user -o!, /e h ve $ro!le'000

A1
A2

X18 Ultra CC-DetectorTM

3o $$

Alice follo/ed !y -o! yields 7Ies8

A1
61

X18 Ultra CC-DetectorTM

4es* $$

6riv cy is !ro%en9 ,e c n distin(uish !et/een identities5

X18 Ultra CC-DetectorTM

3o

Alice

Alice
X18 Ultra CC-DetectorTM

4es
Alice Bob

So $u!lic CC*verifi !ility B $riv cy is i'$ossi!le

-ut /e c n chieve it ny/ y) #de 9 ch n(e the definition of $riv cy
,e %en locali!ed $riv cy, e0(0, eli'in te $riv cy cross $ ir/ise v lues Allo/ loc liEed CC*chec%in(, e0(0, $ ir/ise Loc liEed $riv cy is le st i'$ort nt ty$e of $riv cy

+o/ /e c n do s$ot CC*chec%in()

yes D no
X18 Ultra CC-DetectorTM

A1 A2 AJ AK A? A< AL AM AN

So $u!lic CC*verifi !ility B $riv cy is i'$ossi!le

+o/ let>s sho/ ho/ to chieve it ny/ y) #de 9 ch n(e the definition of $riv cy
,e %en locali!ed $riv cy, e0(0, eli'in te $riv cy cross $ ir/ise v lues Allo/ loc liEed CC*chec%in(, e0(0, $ ir/ise Loc liEed $riv cy is le st i'$ort nt ty$e of $riv cy

+o/ /e c n do s$ot CC*chec%in()

yes D no
X18 Ultra CC-DetectorTM

A1 A2 AJ AK A? A< AL B1 B2

So $u!lic CC*verifi !ility B $riv cy is i'$ossi!le

+o/ let>s sho/ ho/ to chieve it ny/ y) #de 9
,e %en $riv cy definition to e4clude locali!ed $riv cy, e0(0, $riv cy cross $ ir/ise v lues Allo/ loc liEed CC*chec%in(, e0(0, $ ir/ise Loc liEed $riv cy is le st i'$ort nt ty$e of $riv cy

+o/ /e c n do s$ot CC*chec%in()

A1 A2 AJ AK A? A< AL AM AN

...

Still

difficult $ro!le'

Constructin( dete"ministic se1uence /hose v lues re9

6u!licly, $ ir/ise verifi !le Hther/ise unlin% !le

A( in, use !iline r ' $s 2/ith non* st nd rd h rdness ssu'$tion)3 ,e h ve only solved the $ro!le' of covert ch nnels in e4$licit lo(ic l*l yer $ro!le'
Ti'in( or $o/er side*ch nnel.

,r $$in( u$

Oey #de 1 Tr c%in( $riv cy is futile

2Pnless you>re loo%in( to $u!lish $ $ers3

Content $riv cy is still i'$ort nt

Oey #de 2 E6C t (s c n>t do cry$to So'e t (s c n do cry$to, !ut %ey ' n (e'ent re' ins h rd
Cry$to is not cure* ll5

Oey #de J
R"#D is n 'or$hous l !el Also e4citin( rese rch to !e done on9
CR"#D +"C #'$l nt !le 'edic l devices Etc0, etc0

So'e note/orthy results

E4tr ction of %ill 6#+s fro' first*(ener tion E6C t (s vi re'ote $o/er n lysis
Hren Q Sh 'ir >0L

-re %s of 6hili$s Mif re 2of /hich !illions of chi$s h ve !een sold3

C rci et l0 >0M Courtois et l0 >0M

#'$le'ented rel y tt c%s

Ofir Q ,ool >0?

Hn*t ( cry$to i'$le'ent tion

Ch e et l0 ;0L

See 7ildas Avoine8s e9cellent RFID Security : Privacy biblio-ra&%y at %tt&100+++.avoine.net0r,id0

List of referenced $ $ers

O0 Ooscher, A0 Juels, @0 -r R%ovic, nd T0 Oohno9 E6C R"#D T ( Security ,e %nesses nd Defenses9 6 ss$ort C rds, Enh nced Drivers Lice 0 ACM CCS S0N0 A0 Juels, -0 6 rno, nd R0 6 $$u0 Pnidirection l Oey Distri!ution Across Ti'e nd S$ ce /ith A$$lic tions to R"#D Security 0 PSE+#T Security0 200M0 D0 - iley, D0 -oneh, E0*J0 Coh, nd A0 Juels0 Covert Ch nnels in 6riv cy*6reservin( #dentific tion Syste's0 ACM CCS >0L0 A0 Juels, 60 Syverson, nd D0 - iley0 &i(h*6o/er 6ro4ies for Enh ncin( R"#D 6riv cy nd Ptility0 6ET >0?0 S0 -ono et l0 Security An lysis of Cry$to(r $hic lly*En !led R"#D Device0 PSE+#T Security >0?0 A0 Juels nd J0 -r in rd0 Soft -loc%in(9 "le4i!le -loc%er T (s on the Che $0 ,6ES >0K0 A0 Juels, R0 L0 Rivest, nd M0 SEydlo0 The -loc%er T (9 Selective -loc%in( of R"#D T (s for Consu'er 6riv cy0 ACM CCS S0J0