
50 Ways to Break RFID Privacy.pdf


zhaokuiman 2011-12-16


50 Ways to Break RFID Privacy

Ton van Deursen
University of Luxembourg
ton.vandeursen@uni.lu

Abstract. We present a taxonomy of attacks on user untraceability in RFID systems. In particular, we consider RFID systems in terms of a layered model comprising a physical layer, a communication layer, and an application layer. We classify the attacks on untraceability according to their layer and discuss their applicability. Our classification includes two new attacks. We first present an attack on the RFID protocol by Kim et al. targeting the communication layer. We then show how an attacker could perform an application-layer attack on the public transportation system in Luxembourg. Finally, we show that even if all of his tags are untraceable a person may not be untraceable. We do this by exhibiting a realistic scenario in which the attacker uses the RFID profile of a person to trace him.

Keywords: RFID, privacy, untraceability, attacks, taxonomy

Introduction

Radio frequency identification (RFID) systems consist of tags, readers, and a backend. RFID tags are small, inexpensive devices that communicate wirelessly with RFID readers. Most RFID tags currently in use are passively powered and respond to queries from legitimate, but also rogue RFID readers. They allow to uniquely identify everyday items such as passports, electronic transportation tickets, and clothes. A key property of RFID systems is that tags can be scanned without the owner's consent and without the owner even noticing it. Therefore, one must ensure that RFID tags embedded in items carried by a person do not reveal any privacy-sensitive information about that person.

A major privacy threat in current RFID systems is that the RFID system maintainer can monitor and profile the behavior of its users. Consider an RFID system used for public transportation e-ticketing such as the Oyster card or the OV-chipkaart. Every time a person uses public transportation a transaction is registered. By collecting this information over a long period of time, the public transportation companies build large databases of privacy-sensitive information.

Footnotes: Ton van Deursen was supported by a grant from the Fonds National de la Recherche (Luxembourg). http://www.tfl.gov.uk/oyster http://www.ov-chipkaart.nl

S. Fischer-Hübner et al. (Eds.): Privacy and Identity, IFIP AICT, © IFIP International Federation for Information Processing

In some cases, outsiders to the RFID system may also be interested in monitoring and profiling the users of the RFID system. If a person does not want others to know what items he carries, then the RFID tags attached to these items must not reveal this information to unauthorized RFID readers. For instance, some people may not want to reveal the kind of underwear they are wearing, the amount of money in their wallet, their nationality, or the brand of their watch. Therefore, RFID systems must enforce anonymity: the property that items and users cannot be identified.

An RFID system that satisfies anonymity does not necessarily prevent an attacker from linking two different actions to the same RFID tag. In this work, we study the privacy notion called untraceability. To break anonymity, the attacker's goal is to identify the tag and its user. By contrast, to attack untraceability the attacker's objective is to find out that two (or more) seemingly unrelated interactions were with the same tag. We define untraceability as follows:

Definition (Untraceability). An RFID system satisfies untraceability if an attacker cannot distinguish, based on protocol messages, whether two actions were performed by the same tag or by two different tags.

If untraceability is not satisfied, an attacker can attribute different actions to one (possibly unknown) tag. By linking one of these actions to the person that carries the tag the attacker effectively traces that person.

Untraceability of RFID tags is hard to achieve for a number of reasons. Due to their small size and the absence of an active power source, RFID tags are severely restricted in the types of computation they can perform. Also, no physical connection is needed for RFID communication, easing deployment of rogue devices by the adversary. Finally, theoretical results by Damgård and Pedersen show that it is impossible to design an RFID system that satisfies efficiency, security, and untraceability simultaneously.

The goal of this paper is to study untraceability of RFID systems from the attacker's perspective. Due to the vast number of different RFID systems, no silver-bullet solution to RFID privacy exists yet. It is, therefore, essential to understand how an attacker can break untraceability before deciding what defenses to deploy. We refer to Juels and Langheinrich for a survey of possible defensive techniques to RFID privacy.

Contributions. Our first contribution is a classification of attacks on the untraceability of RFID systems. We describe a layered communication model for RFID communication (Section ) consisting of a physical, a communication, and an application layer. We classify existing untraceability attacks according to the corresponding layer they attack. Section describes physical-layer attacks, Section describes communication-layer attacks, and Section describes application-layer attacks.

As a second contribution, we describe new attacks on the communication layer and the application layer. Section presents a communication-layer attack on the RFID protocol by Kim et al. and Section describes how an attacker can recover the date and time of the last travels of a person from his public transportation card.

As a last contribution we show in Section that even if all provide untraceability and an individual tag cannot be traced, a person's RFID profile may still allow an attacker to trace him. Such attacks consider only the particular set of tags carried by a person in order to trace him.

RFID Communication Model

The communication flow in an RFID system is commonly described by a set of protocols. These protocols form a layered structure reminiscent of the OSI reference model for computer networks. To classify attacks on untraceability, we separate the following three layers (see Figure ):

– The physical layer is the lowest layer in the model and provides a link between an RFID reader and a tag. Protocols for modulation, data encoding, and anti-collision are implemented in this layer. The physical layer provides the basic interface for transmission of messages between a reader and a tag.
– The communication layer implements various types of protocols to transfer information. Protocols implemented in this layer facilitate tasks such as identification or authentication of a device and updates of cryptographic key material stored on a device.
– The application layer implements the actual RFID applications used by the user of the system. Application-layer protocols facilitate fetching and interpretation of data, as well as updating the data on a tag. Examples of such data are account and balance information on a public transportation card and the photo on the tag in an e-passport.

[Figure: RFID system layers (Application, Communication, Physical) between Tag and Reader]

As shown in Sections through , each of the layers can leak information that can be used to trace a tag. It is, therefore, important to protect untraceability at every layer of the communication model.

Our model differs slightly from the layered communication model by Avoine and Oechslin since they separate the physical layer into two layers. We additionally introduce an application layer which allows us to reason about high-level attacks.

Attacker Model

One of the difficulties in designing privacy-preserving RFID systems is that they face powerful attackers. Moreover, the cost of an attack and the knowledge required to perform it are limited. Most equipment necessary to attack RFID systems can be bought for less than $ and software libraries for most hardware devices are available online. When analyzing RFID systems we assume the attacker has the following capabilities:

– Impersonating readers: A rogue reader can be used for communication with a genuine tag. It implements the same protocol and sends the messages the tag expects to receive.
– Impersonating tags: Similar to impersonating a reader, a rogue tag can be constructed to communicate with a genuine reader.
– Eavesdropping: The attacker captures the transmitted signals using suitable radio-frequency equipment. He recovers the transmitted data and listens in on the communication between the reader and the tag. Since the eavesdropping device does not have to power the RFID tag itself, eavesdropping is possible from a larger distance than impersonating a reader.
– Modifying/blocking messages: Although it is hard to carry out in practice, it is possible to relay messages from a legitimate tag to a legitimate reader using a man-in-the-middle device. The man-in-the-middle device can selectively modify transmitted messages, or even block them.

The main difficulty in carrying out attacks is to install the equipment close enough to the legitimate RFID readers and tags. In case of privacy attacks the attacker must carefully install his rogue equipment in a point of interest. Such locations can be entrances to a building, checkout counters of a store, or crowded places. For a discussion on communication distances and eavesdropping distances we refer to Hancke.

Physical Layer Attacks

Physical-layer attacks exploit vulnerabilities that are introduced in the manufacturing process of the RFID tags, the transmission protocols, or the implementation of higher-level protocols. We will first explore a weakness related to the anti-collision identifiers specified by the ISO standard. We subsequently describe a traceability attack by Danev et al. that abuses the variations in the manufacturing process of RFID tags.

Static Anti-collision Identifiers

The greater part of RFID tags currently available implement the physical layer defined by the ISO A standard. Examples of such tags are e-passports, MIFARE tags, and near field communication (NFC) chips. ISO part describes physical-layer protocols for communication with a tag. One of these physical-layer protocols is the anti-collision protocol. The protocol allows the reader to select a particular tag with which it wants to communicate. It prevents communication collisions by ensuring that tags do not respond to the reader simultaneously. It is initiated by the reader after which the tag broadcasts its bit unique identification number (UID).

The anti-collision protocol is not cryptographically protected. Therefore, anybody with an ISO A compliant RFID reader can query a tag for its UID. Almost all currently available ISO A compliant tags have static UIDs. The UIDs cannot be rewritten and never change. Therefore, an attacker can trace a tag (and thus its owner) by repeatedly querying for UIDs. Since static UIDs provide a unique mapping between tags and people, the attacker knows that if the same UID reappears then the same person must be present.

This UID-based traceability attack is very effective in terms of success rate and investment needed. One exception on which the attack outlined above does not work is the e-passport. The e-passport implements randomized UIDs: it is designed to respond with a fresh randomly chosen UID during anti-collision.

In terms of implementation costs the attacker needs hardware and software. The hardware needed consists of a computer and an ISO A compliant RFID reader. The latter can be a low-cost off-the-shelf RFID reader currently available for approximately euro. Alternatively, an attacker can use an NFC-enabled phone to carry out the attack. Software to perform the communication between reader and tag can be found online in the form of free software libraries.

Footnotes: http://www.touchatag.com http://www.libnfc.org

Physical Fingerprinting

The manufacturing process of RFID tags introduces very small variations in the circuitry of an RFID tag. These variations can be used by an attacker to trace tags. Danev et al. have recently shown that if the radio frequency of the communication is varied, tags of the same brand and type behave differently. Since these differences are stable, an attacker can use them to fingerprint tags and consequently trace tags.

Under laboratory conditions and with a small set of tags, the attacks are quite effective. In a set of identical JCOP tags a tag could be correctly recognized in of the cases. The equipment needed by the attacker is relatively expensive and it is hard to perform the attack without being noticed. Therefore, the applicability of the attack is at present quite low.

Communication Layer Attacks

Communication-layer attacks target the protocols that are used for, among others, identification, authentication, and cryptographic key updates. These protocols are often cryptographic protocols designed to securely authenticate a tag while keeping it untraceable.

Unique Attributes

In an effort to keep RFID tags cheap, RFID protocols must be computationally as lightweight as possible. Due to the implied absence of strong cryptographic primitives, RFID protocols frequently suffer from algebraic flaws that allow an attacker to perform an attribute acquisition attack. In such an attack, the attacker abuses the algebraic properties of the messages exchanged in the protocol to perform a computation that results in a fixed value that is particular to a tag. By repeating this computation at a later stage on different messages and obtaining the same fixed value, the attacker can trace that tag.

We will now restrict ourselves to a subclass of attribute acquisition attacks in which the attack strategy is as follows. Let $f(a, T, i)$ denote the response sent by the tag $T$ upon receipt of its $i$th query, where the query equals $a$. The attacker queries two tags $T_1$ and $T_2$ with queries $a$ and $a'$ of his choice and records the responses $r$ and $r'$, where $r = f(a, T_1, i)$ and $r' = f'(a', T_2, j)$. He then performs a computation $g$ that takes the challenge and response as input and satisfies the following conditions:

(a) If $T_1$ and $T_2$ are the same tag, then $g(a, r) = g(a', r')$. The attribute $g(a, r)$ is a unique attribute.
(b) If $T_1$ and $T_2$ are different tags, then $g(a, r) \neq g(a', r')$.

We capture the above intuition in the following definition.

Definition (attribute acquisition attack, adapted from ). Let Term be the set of all possible messages of a protocol, let Tag be the set of tags in an RFID system, and let $f(a, T, i)$ be the response of tag $T$ in session $i$ upon receipt of query $a$. We define presence of a unique attribute as follows.

T = T′ Tag a, a′ Term i = j N g : Term Tag Term g(a, f(a, T, i)) = g(a′, f(a′, T, j)) g(a, f(a, T, i)) = g(a′, f(a′, T′, j))

We call $g(a, f(a, T, i))$ a unique attribute.

The presence of a unique attribute gives the attacker an efficient way of tracing tags. The attacker merely has to query tags, perform the computation $g$, and compare the attributes. For a protocol to be untraceable, a necessary condition is that no unique attributes exist. The absence of unique attributes, however, does not guarantee untraceability.

An example of an RFID protocol that is vulnerable to an attribute acquisition attack is the protocol proposed by Kim et al. depicted in Figure . The protocol is designed to authenticate a tag $T$ to a reader $R$. Each tag has an identifier $ID_T$ and a key $k_T$, both known to the reader. The reader initiates the protocol by generating a fresh random value (called a nonce) $n$. Upon receipt of the query $n$, the tag generates a nonce $s$. It then computes the bitwise exclusive or ($\oplus$) of its identifier $ID_T$ and $s$ as well as the exclusive or of $s$ and the cryptographic hash of $n$ and $k_T$. The response is then sent to the reader and verified.

[Figure: Privacy protection protocol. Reader R and tag T both hold $k_T$, $ID_T$. R generates nonce $n$ and sends $n$ to T. T generates nonce $s$ and replies with $ID_T \oplus s,\ h(n, k_T) \oplus s$.]

The exclusive or function has the following algebraic properties. For any terms $a$, $b$, and $c$ and a constant term $0$:

$$a \oplus a = 0 \qquad a \oplus b = b \oplus a \qquad a \oplus 0 = a \qquad (a \oplus b) \oplus c = a \oplus (b \oplus c) \qquad (1)$$

An attribute acquisition attack can be carried out by an attacker that repeatedly queries tags with the same query $a$. If we let $s_{T,i}$ denote the nonce generated by tag $T$ after the $i$th query, then the tag's response to query $a$ is defined by

$$f(a, T, i) = ID_T \oplus s_{T,i},\ h(a, k_T) \oplus s_{T,i}$$

A unique attribute can be computed by defining $g(w, (y, z)) = y \oplus z$. To show that $g(a, f(a, T, i))$ is indeed a unique attribute following Definition requires that (a) for two sessions of the same tag, $g$ is the same, and (b) for two sessions of different tags, $g$ is different. By repetitive application of Equations (1) we obtain:

$$g(a, f(a, T, i)) = ID_T \oplus s_{T,i} \oplus h(a, k_T) \oplus s_{T,i} = ID_T \oplus h(a, k_T) \qquad (2)$$
$$g(a, f(a, T, j)) = ID_T \oplus s_{T,j} \oplus h(a, k_T) \oplus s_{T,j} = ID_T \oplus h(a, k_T) \qquad (3)$$
$$g(a, f(a, T', j)) = ID_{T'} \oplus s_{T',j} \oplus h(a, k_{T'}) \oplus s_{T',j} = ID_{T'} \oplus h(a, k_{T'}) \qquad (4)$$

The term $ID_T \oplus h(a, k_T)$ is a unique attribute for tag $T$.

Desynchronization and Passport Tracing

The following two examples illustrate non-algebraic communication-layer attacks reported in literature.

– One of the first RFID protocols with an untraceability claim was proposed by Henrici and Müller. The protocol relies on a symmetric key that is updated at the end of a successful protocol execution. Avoine showed that the protocol suffered from a number of weaknesses. A particularly interesting attack allowed the attacker to force the reader and tag to perform different key updates, effectively desynchronizing the reader and the tag. As soon as that happens, a genuine reader will no longer be able to successfully complete the protocol and will thus always reject the tag. Assuming that no other tags are desynchronized, carrying out a desynchronization attack on one tag allows the attacker to recognize, and thus trace that tag.
– In some RFID systems, an attacker can trace tags by exploiting flaws in the communication layer and physical layer simultaneously. Chothia and Smirnov demonstrated that e-passports can be traced by sending a previously observed message to it. It turns out that the e-passport from which the message originated takes significantly longer to respond than a different e-passport would. Therefore, an attacker can trace tags by sending such messages and carefully measuring the time it takes for an e-passport to respond.

Application Layer Attacks

Application-layer attacks target the application implemented by the RFID system. Therefore, if the RFID system is solely used for identification of items, the application layer does not implement any protocols. However, RFID tags are becoming more powerful and in some cases the contact interface of a smart card is replaced by a contactless interface using RFID technology. In such cases, the card becomes an RFID tag and care must be taken that the application-layer protocols do not leak any privacy-sensitive information.

E-go Transaction Data

The e-go system. In , an electronic fare collection system, called e-go, was introduced for public transportation in Luxembourg. E-go is an RFID-based system in which users hold RFID tags and swipe them across RFID readers in buses and on stations. Users can purchase a book of virtual tickets which is loaded on the tag. Upon entering a bus a user swipes his e-go tag and a ticket is removed from it. Since most RFID readers of the e-go system are deployed in b
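
The unique-attribute condition from the Communication Layer Attacks section can be checked mechanically when reviewing a protocol design. The following is an added example, not code from the paper: it models the tag side of the protocol by Kim et al. as described above and tests whether g(w, (y, z)) = y XOR z stays constant per tag. SHA-256 as the hash h, the 16-byte field length, and the names `Tag`, `distinct_attributes` and `audit` are assumptions made for illustration.

```python
import hashlib
import secrets

L = 16  # constructed parameter: byte length of ID_T, k_T, nonces and hash output

def xor(x: bytes, y: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(x, y))

def h(n: bytes, k: bytes) -> bytes:
    # Stand-in for the protocol's hash h(n, k_T); SHA-256 is an assumption.
    return hashlib.sha256(n + k).digest()[:L]

class Tag:
    """Tag T holding identifier ID_T and key k_T (random constructed values)."""
    def __init__(self) -> None:
        self.id_t = secrets.token_bytes(L)
        self.k_t = secrets.token_bytes(L)

    def respond(self, n: bytes) -> tuple[bytes, bytes]:
        s = secrets.token_bytes(L)  # fresh tag nonce s for every session
        return xor(self.id_t, s), xor(h(n, self.k_t), s)

def g(query: bytes, response: tuple[bytes, bytes]) -> bytes:
    # g(w, (y, z)) = y XOR z: the nonce s cancels, leaving ID_T XOR h(w, k_T).
    y, z = response
    return xor(y, z)

def distinct_attributes(tag: Tag, queries: list[bytes]) -> int:
    """Number of different values of g observed over one session per query."""
    return len({g(q, tag.respond(q)) for q in queries})

def audit(sessions: int = 20) -> dict[str, bool]:
    t1, t2 = Tag(), Tag()
    a = secrets.token_bytes(L)  # one query value reused in every session
    fresh = [secrets.token_bytes(L) for _ in range(sessions)]
    return {
        # raw responses look unrelated from session to session
        "responses_vary": len({t1.respond(a) for _ in range(sessions)}) == sessions,
        # condition (a): same tag, same query, g collapses to a single value
        "same_tag_links": distinct_attributes(t1, [a] * sessions) == 1,
        # condition (b): different tags, same query, g differs
        "other_tag_differs": g(a, t1.respond(a)) != g(a, t2.respond(a)),
        # with a fresh reader nonce n in each run, g no longer repeats
        "fresh_queries_unlinked": distinct_attributes(t1, fresh) == sessions,
    }

if __name__ == "__main__":
    print(audit())
```

The last check shows that the attribute only repeats when the same query value is reused, which is why randomising the tag nonce alone does not make the protocol untraceable against a reader that chooses its own queries.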
