
Enabling Secure Secret Updating for Unidirectional Key Distribution in RFID-Enabled Supply Chains

ICICS 2009, Beijing, China. Enabling Secure Secret Updating for Unidirectional Key Distribution in RFID-Enabled Supply Chains. Shaoying Cai¹, Tieyan Li², Changshe Ma¹, Yingjiu Li¹, Robert H. Deng¹. ¹Singapore Management University (SMU), ²Institute for Infocomm Research (I2R)


Presentation Transcript


  1. ICICS 2009, Beijing, China. Enabling Secure Secret Updating for Unidirectional Key Distribution in RFID-Enabled Supply Chains. Shaoying Cai¹, Tieyan Li², Changshe Ma¹, Yingjiu Li¹, Robert H. Deng¹. ¹Singapore Management University (SMU), ²Institute for Infocomm Research (I2R). 15 Dec. 2009

  2. Outline
     • Introduction
       • The problem
       • Security requirements in RFID-enabled supply chains
       • Secret sharing approach and JPP mechanism
       • Our observations
     • The protocol
       • Secure secret updating protocol
       • Security properties
       • Comparisons
       • Implementation considerations
       • Security proof
     • Conclusions

  3. Introduction
     • RFID systems
       • Tags (transponders): attached to objects, “call out” identifying data on a special radio frequency
       • Reader (transceiver): reads data off the tags without direct contact
       • Radio signal (contactless): range from 3-5 inches to 100 yards
       • Database: matches tag IDs to physical objects
       • Perfect working conditions for attackers!
     • RFID technology has greatly facilitated supply chains.
     • All evidence (standardizations; big promoters, adopters, …) shows a new age is coming.
     • Security, visibility and efficiency are three equally important requirements.

  4. RFID-Enabled Supply Chain (Source: Lyngsoe)
     • Improve efficiency
     • Increase visibility
     • Lower uncertainty
     • Reduce counterfeiting
     • Prevent loss

  5. The problem
     • Usually, EPC tags are used in supply chains.
       • They are extremely cheap, so no true cryptographic functionality can be implemented on them.
       • Maintaining a synchronized and ubiquitous database is truly hard.
       • Thus, almost all privacy-enhanced authentication protocols (more than hundreds) fail on practicality.
     • The only explicit EPC privacy feature: Kill
       • On receiving the tag-specific Kill PIN, the tag self-destructs.
       • Who will own these Kill PINs? Who will kill the tags: the end of the supply chain, or the end users?
     • But supply chain partners:
       • Don’t want to manage Kill PINs, and how?
       • Have no channel to communicate secret keys downstream in the supply chain.
     • Key distribution is an essential problem!

  6. Supply chain characteristics
     • An RFID-enabled supply chain typically features:
       • No pre-existing trust relationship: a case might come from or go to any non-trusted party.
       • Unidirectional downsizing: de-packing and re-packing into smaller-sized aggregates at downstream parties.
       • Compulsory processing order: only dispersion, no combination.

  7. Secret sharing approach
     • Idea: apply secret sharing to spread a secret key across multiple tags, e.g., (s1, s2, s3, …)
     • Collecting enough shares can recover the key
     • Individual shares / small sets reveal no information

  8. JPP mechanism (Juels et al. Usenix Sec. 08)
     • Encrypt tag data under a secret key
     • Apply secret sharing to spread the key across the tags in a case, e.g., (s1, s2, s3, …)
     • [Figure: tags carrying E(m1), s1; E(m2), s2; E(m3), s3. Example tag data: “Supersteroids 500mg; 100 count; Serial #87263YHG; Mfg: ABC Inc.; Exp: 6 Mar 2010”]

  9. 1 2 3 4 5 6 s1 s2 s3 s4 s5 s6 Given  2 out of 4 si, get corresponding i Given  2 out of 4 si,get corresponding i Given  2 out of 4 si, get corresponding i JPP mechanism (Juels et al. Usenix Sec. 08) SWISS (Sliding Window Information Secret-Sharing)

  10. Our observations
     • The JPP mechanism is vulnerable to tracking: a tag Ti always sends the same reply (Si, Mi) to any reader that queries it. Although an adversary may not get enough shares to decrypt the content of the tag, the never-changing reply can be used by the adversary to track the tag.
     • The JPP mechanism is vulnerable to counterfeiting: as the publicly accessible message (Si, Mi) is what a reader uses to identify the tag Ti, an adversary can easily fabricate a tag that also sends (Si, Mi), and replace the tagged item with the fabricated tag.
     • The JPP mechanism features a monopolistic key assignment model: a monopoly (typically the manufacturer of the goods) pre-assigns all the keys (shares) to the tags according to a fixed secret sharing scheme with conjectured parameters. Such one-size-fits-all solutions restrict the realistic deployment of the JPP mechanism.

  11. Secret updating protocol
     • JPP mechanism
       • A tag Ti stores (Si, Mi) only,
       • where Si is the share of Ti and Mi is the (encrypted) information carried on the tag.
     • Our protocol
       • A tag Ti stores (Si, Mi, ci),
       • where ci is the individual secret key of Ti, derived from the common secret k, for the purpose of authenticating the reader.
     • During updating
       • The old secret key k is replaced with a new secret key k′;
       • The old (t, n) threshold scheme is replaced with a new (t′, n′) scheme, according to new requirements;
       • The old share Si is replaced with a new share S′i;
       • The old values (Si, Mi, ci) of a tag Ti are updated with new values (S′i, M′i, c′i).

  12. Secret updating protocol

  13. Security properties
     • Authoritative access to RFID tags: the security of the secret update protocol relies on the confidentiality of the shared secret ci. Given an update message (A, B, C), only one who knows the value of ci can obtain the new values (S′i, M′i, c′i).
     • Authenticity of tags: a tag Ti is authenticated with any privacy-enhanced authentication scheme (e.g., a challenge-response authentication protocol).
     • Forward secrecy: a tag Ti is updated with new values (S′i, M′i, c′i), which are totally independent of its previous values (Si, Mi, ci).
     • Untraceability: the protocol messages are updated in different sessions. However, an active adversary may still be able to correlate identifiers (Si or S′i).

  14. Comparison
     • [4] A. Juels, R. Pappu, and B. Parno. Unidirectional key distribution across time and space with applications to RFID security. USENIX Security ’08.
     • [10] Y. Li and X. Ding. Protecting RFID Communications in Supply Chains. ASIACCS ’07.
     • [11] David Molnar and David Wagner. Privacy and Security in Library RFID: Issues, Practices, and Architectures. ACM CCS 2004.
     • [12] Miyako Ohkubo, Koutarou Suzuki, and Shingo Kinoshita. Efficient Hash-Chain Based RFID Privacy Protection Scheme. Ubicomp 2004.

  15. Implementation considerations
     • The JPP mechanism implemented a (15, 20) threshold secret sharing scheme: for 20 available tags, a reader needs to collect at least 15 tags’ shares to successfully recover the secret key and decrypt the encrypted information.
     • It employs an “Alien Squiggle” Gen2 tag, of which 16 bits are used for storing a single share and 80 bits are used for storing the encrypted identity. WORM (write-once, read-many times) memory is required.
     • In our protocol, (Si, Mi) is replaced with (S′i, M′i, c′i), which requires additional memory space for storing c′i.
       • It is equivalent to 160 bits and can be put into the “User” memory bank.
       • Rewritable memory is needed, perhaps with an “access password” to access the memory. The access password can be derived from the decrypted key k.
     • How to determine the threshold in real applications?
       • Less than a certain upper bound, to maximally tolerate reading or erasure errors
       • Greater than a certain lower bound, to guarantee robustness in recovering the key

  16. Security proof (sketch)
     • The privacy game:
       • Setup phase: the game initializes the RFID system.
       • Learning phase: the adversary A performs a series of queries to enlarge its knowledge base about the RFID system.
       • Challenge phase: the adversary A chooses two tags. Then one of the two tags is chosen at random and updated. The updated tag is given to the adversary as the challenge tag, and the adversary must determine which of the original two tags it is.
     • We conclude that an RFID system is private if there exists no probabilistic polynomial-time adversary A whose advantage in winning the privacy game is non-negligible.
     • We then prove that the secret sharing scheme is private.
     • Theorem: the proposed RFID protocol is private if the underlying secret sharing scheme is private.

  17. Conclusions
     • We tackle the key distribution problem in RFID-enabled supply chains.
     • We investigate the secret sharing approaches and particularly the JPP mechanism.
     • We propose a secure and flexible secret updating protocol to improve the original JPP mechanism.
     • Our protocol provides sound security properties, desirable flexibility and proved privacy.
     • However, our protocol requires more powerful tags to pay for the additional security and functionality.
     • Future points: e.g., Verifiable Secret Sharing; Confidentiality + Access Control; real experiments/deployments; etc.

  18. Q & A ? Contact: litieyan@i2r.a-star.edu.sg (for Post-doc position) Web: http://icsd.i2r.a-star.edu.sg/staff/tieyan/SecureRFID Call for participants: RFIDsec’10 Asia, 22-23 Feb. 2009, Singapore Thank you!
