Introduction to RFID Security and Privacy

Ari Juels, Chief Scientist, RSA, The Security Division of EMC

RFIDSec 2011 Tutorial

All slides © 2011, RSA Laboratories

Part II: RFID Privacy

There are two types of RFID privacy

1. Tracking privacy: Protection against physical tracking via unique identifiers

2. Content privacy: Protection against unauthorized scanning of data stored on tag

Why physical considerations say we should forget about tracking privacy…

Ms. Smith and her privacy-preserving RFID tag

“87D6CAA7F” = “Ms. Smith”

Ms. Smith and her privacy-preserving RFID tag

What about PET (Privacy Enhancing Technologies) for pets?

Ms. Smith and her privacy-preserving RFID tag

What about Ms. Smith’s face?

Ms. Smith and her privacy-preserving RFID tag

What about Ms. Smith’s mobile phone?

Ms. Smith and her privacy-preserving RFID tag

Are we still worried about this circle???

Well, suppose we are still worried…

We can change identifiers, right?

“87D6CAA7F”

“5ED6CF4C8”

“9816F271BB”

“D7612A873C”

Changing identifiers won’t work

• Physical-Layer Identification of RFID Devices
  – Danev, Heydt-Benjamin, and Capkun
  – USENIX Security ’09
• Extract hardware “fingerprint” based on power modulation
• Show that it is possible to identify RFID tags over the air with > 2% at ERR
  – This will improve, of course

[Figure: Logical Layer (data, crypto protocols) and Physical Layer (power modulation); messages shown: r and s, f_x(r, s)]

Changing identifiers won’t work

• What does this mean for the dozens of papers on anti-tracking privacy?
• I’d argue that we should give up on anonymity
  – Not just in RFID
• Emphasis on content privacy makes more sense

[Figure: Logical Layer (data, crypto protocols) and Physical Layer (power modulation); messages shown: r and s, f_x(r, s); tag contents shown: Serial #878SBE871, “Oxycontin, 160 mg”]

Content Privacy via “Blocker” Tags

The “Blocker” Tag

“Blocker” Tag

Blocker simulates all (billions of) possible tag serial numbers!!

1, 2, 3, …, 2023 pairs of sneakers and… 1800 books and a washing machine and… (reading fails)…

“Tree-walking” anti-collision protocol for RFID tags

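[Figure: binary tree over 3-bit serial numbers, with levels 0, 1; 00, 01, 10, 11; and leaves 000, 001, 010, 011, 100, 101, 110, 111; marked with “?”]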

In a nutshell

• “Tree-walking” protocol for identifying tags recursively asks question:
  – “What is your next bit?”
• Blocker tag always says both ‘0’ and ‘1’!
  – Makes it seem like all possible tags are present
  – Reader cannot figure out which tags are actually present
  – Number of possible tags is huge (at least a billion billion), so reader stalls

Two bottles of Merlot #458790

Blocker tag system should protect privacy but still avoid blocking unpurchased items

Consumer privacy + commercial security

• Blocker tag can be selective:
  – Privacy zones: Only block certain ranges of RFID-tag serial numbers
  – Zone mobility: Allow shops to move items into privacy zone upon purchase
• Example:
  – Blocker blocks all identifiers with leading ‘1’ bit
  – Items in supermarket carry leading ‘0’ bit
  – On checkout, leading bit is flipped from ‘0’ to ‘1’
    • PIN required, as for “kill” operation

Blocking with privacy zones

[Figure: binary tree over 3-bit serial numbers (levels 0, 1; 00, 01, 10, 11; leaves 000 to 111) with a region labelled “Privacy zone” and the caption “Transfer to privacy zone on purchase of item”]

Polite blocking

• We want reader to scan privacy zone when blocker is not present
  – Aim of blocker is to keep functionality active – when desired by owner
• But if reader attempts to scan when blocker is present, it will stall!
• Polite blocking: Blocker informs reader of its presence

“Your humble servant requests that you not scan the privacy zone”
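
The tree-walking reader, the selective blocker with a privacy zone, and polite blocking from the preceding slides, as an added simulation (not code from the tutorial). The 8-bit serials, the zone prefix ‘1’ and all function names are assumptions made for this example.

```python
def blocker_reply(prefix, zone):
    """Bits a selective blocker broadcasts when asked 'next bit after prefix?'."""
    if zone is None:
        return set()
    if prefix.startswith(zone):          # query lies inside the privacy zone
        return {"0", "1"}                # say both: every serial looks present
    if zone.startswith(prefix):          # query is on the path leading to the zone
        return {zone[len(prefix)]}
    return set()

def tree_walk(tags, nbits, zone=None, polite=False):
    """Reader-side singulation. Returns (serials_reported, queries_sent).

    tags   -- serials (bit strings of length nbits) physically present
    zone   -- prefix guarded by a blocker tag, or None if no blocker is present
    polite -- blocker announces itself and the reader skips the zone
    """
    reported, queries, stack = [], 0, [""]
    while stack:
        prefix = stack.pop()
        if polite and zone is not None and prefix.startswith(zone):
            continue                     # reader honours the blocker's request
        if len(prefix) == nbits:
            reported.append(prefix)      # leaf reached: reader believes tag exists
            continue
        queries += 1                     # "What is your next bit?"
        heard = {t[len(prefix)] for t in tags if t.startswith(prefix)}
        heard |= blocker_reply(prefix, zone)
        stack.extend(prefix + b for b in sorted(heard, reverse=True))
    return sorted(reported), queries

def checkout(serial):
    """Zone mobility: flip the leading bit '0' -> '1' (PIN-gated on a real tag)."""
    assert serial[0] == "0"
    return "1" + serial[1:]

# Constructed 8-bit serials: two items still on the shelf, one just purchased.
SHELF = ["00010110", "01100001"]
BOUGHT = checkout("00110010")
PRESENT = SHELF + [BOUGHT]

def demo():
    return {
        "no_blocker": tree_walk(PRESENT, 8),
        "blocker": tree_walk(PRESENT, 8, zone="1"),
        "polite": tree_walk(PRESENT, 8, zone="1", polite=True),
    }
```

With n-bit serials the blocked subtree has 2^(n-1) leaves, so the query count that is 141 here grows past any practical read time at real serial lengths, while the unblocked ‘0’ zone costs the same as before.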

More about blocker tags

• Blocker tag can be cheap
  – Essentially just a “yes” tag and “no” tag with a little extra logic
  – Can be embedded in shopping bags, etc.
• With multiple privacy zones, sophisticated, e.g., graduated policies are possible

An Example: The RXA Pharmacy

RFID-tagged bottle + “Blocker” bag

“Soft” Blocking

• Idea: Implement polite blocking only – no hardware blocking
  – A little like P3P…
• External audit possible: Can detect if readers scanning privacy zone
• Advantages:
  – “Soft blocker” tag is an ordinary RFID tag
  – Flexible policy:
    • “Opt-in” now possible
    • e.g., “Medical deblocker” now possible
• Weaker privacy, but can combine with “hard” blocker

Smart blocking approach: Personal Simulator or Proxy for RFID

• Those phones with NFC could someday get more general-purpose radios…
• We might imagine a simulation lifecycle:
  – Mobile phone “acquires” tag when in proximity
  – Mobile phone simulates tags to readers, enforcing user privacy policy
  – Mobile phone “releases” tags when tags about to exit range

Content Privacy via Dispersion

Keeping the customer satisfied…

• “I want a rock-solid encryption algorithm… with 20-bit keys.”

• “I want my retail stores to be able to read RFID-tagged items… but I want tags to be unreadable after sale… and I don’t want to have to kill or rewrite or block them…”

EPC tags and privacy

• Recall that EPC tags have no true cryptographic functionality
• One true, explicit EPC privacy feature: Kill
  – On receiving tag-specific PIN, tag self-destructs
  – Tag is “dead in the Biblical sense” (S. Sarma)
• But commercial RFID users say:
  – They do not want to manage kill PINs
  – They have no channel to communicate secret keys downstream in supply chain
  – Key transport is a big problem!!!

Our approach: Put the secret keys on the tags

• Encrypt tag data under secret key
• Apply secret sharing to spread key across tags in crate
  – E.g., (s1, s2, s3)

[Figure: three tags carrying E(m1), s1; E(m2), s2; E(m3), s3]

Our approach: Put the secret keys on the tags

[Figure: tag record shown in the clear]
Supersteroids 500mg; 100 count
Serial #87263YHG
Mfg: ABC Inc.
Exp: 6 Mar 2010

Privacy through dispersion

Privacy through dispersion

[Figure: three dispersed tags, each labelled (Super-Steroids), carrying E(m1), s1; E(m2), s2; E(m3), s3]

Individual shares / small sets reveal no information about medication!

Use case: Privacy protection on medications

Step 1: Receive crate at pharmacy

Step 2: Pharmacy reads tags, gets keys, decrypts data

Step 3: Tags and data are dispersed

[Figure label: “Data”]
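
A minimal sketch of the dispersion idea in the three steps above, added here and not taken from the tutorial: the crate key is split with plain Shamir (k, n) sharing and each tag stores its ciphertext plus one share. The 127-bit prime field, the hash-based stand-in for E, the function names and the records are all assumptions, and ordinary Shamir shares are far larger than the "tiny" shares the tutorial asks for.

```python
import hashlib
import secrets

P = 2**127 - 1   # prime modulus for share arithmetic (assumption of this sketch)

def split(key, k, n):
    """Shamir (k, n): n points on a random degree-(k-1) polynomial with f(0) = key."""
    coeffs = [key] + [secrets.randbelow(P) for _ in range(k - 1)]
    def f(x):
        y = 0
        for c in reversed(coeffs):       # Horner evaluation mod P
            y = (y * x + c) % P
        return y
    return [(x, f(x)) for x in range(1, n + 1)]

def combine(shares):
    """Lagrange interpolation at x = 0 over the shares supplied."""
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * -xj % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret

def stream_xor(key, tag_no, data):
    """Stand-in for E(m): XOR with a SHA-256 keystream bound to key and tag number."""
    seed = key.to_bytes(16, "big") + tag_no.to_bytes(4, "big")
    pad = b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                   for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, pad))

def pack_crate(records, k):
    """Manufacturer side: one fresh key per crate, one share per tag."""
    key = secrets.randbelow(P)
    shares = split(key, k, len(records))
    return [(stream_xor(key, x, m), (x, y)) for m, (x, y) in zip(records, shares)]

def read_tags(tags, k):
    """Reader side: k tags in range rebuild the key; fewer shares determine nothing."""
    if len(tags) < k:
        return None
    key = combine([share for _, share in tags[:k]])
    return [stream_xor(key, share[0], ct) for ct, share in tags]

# Constructed records for a three-bottle crate.
RECORDS = [b"Drug A 500mg #0001", b"Drug A 500mg #0002", b"Drug A 500mg #0003"]
```

Reading the whole crate at the pharmacy recovers every record, while a single bottle scanned after dispersal yields only a ciphertext and one share.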

Some challenges

1. Storage is at a premium in EPC, but no secret-sharing literature on “tiny” shares
  • “Short” shares are 128 bits, but we may want 16 bits or less!
2. Scanning errors
  • We need robustness in our secret-sharing scheme

Some challenges

3. In-store key harvesting
  • Preventive idea: Add “chaff,” i.e., bogus or “noise” shares
  • If secret-sharing scheme for crate can tolerate d errors, then add 2d/3 bogus shares per crate
  • Can recover from d/3 errors in single crate
  • Hard to reconstruct secrets for two crates mixed together, as we have 4d/3 > d errors
  • “Overinformed” adversary