privacy protection

Security and Cooperation in Wireless NetworksSecurity and Cooperation in Wireless Networks Georg-August University Göttingen

Privacy ProtectionPrivacy Protection

privacy notions and privacy notions and metrics;metrics;privacy in RFID privacy in RFID systems;systems;location privacy in location privacy in vehicular networks;vehicular networks;

Georg-August University GöttingenPrivacy ProtectionPrivacy Protection

Chapter outline

1 Important privacy related notions and metrics2 Privacy in RFID systems3 Location privacy in vehicular networks

2


Privacy related notions Anonymity: hiding the identity of the entity who performs a

given action

Untraceability: making it difficult for an adversary to identify that a given set of actions were performed by the same subject

Unlinkability: hiding information about the relationships between any items (e.g. subjects, messages, actions, etc.):– E.g. is a determined set of message senders and message receivers, the

adversary may be still unable to relate senders to receivers

Unobservability: hiding the items themselves (e.g., hide the fact that a message was sent at all)

Pseudonymity: making use of a pseudonym instead of the real identity

3


Privacy metrics (1/2) Anonymity set: a set of subjects that might have performed the

observed action– Is a good measure only if all the members of the set are equally

likely to have performed the observed action Entropy-based measure of anonymity:

.log

where is the anonymity set is the probability (for the adversary)

that the observed action has been performed by subject

x xx A

x

p p

Ap

x A

4


Privacy metrics (2/2) Entropy-based measure for unlinkability:

1 2

1 2

R

1 2

.log

where and are the sets of items that the adversary wants to relate is the probability (for the adversary) that the real relationship

between the elements in and in is ca

R RR I I

p p

I Ip

I I

1 2ptured by relation R I I

5


Outline


6


What is RFID? RFID = Radio-Frequency Identification RFID system elements

– RFID tag + RFID reader + back-end database RFID tag = microchip + RF antenna

– microchip stores data (few hundred bits)– tags can be active

• have their own battery expensive– or passive

• powered up by the reader’s signal• reflect the RF signal of the reader modulated with stored data

7

RFID tagRFID reader

back-enddatabase

tagged object

readingsignal

IDID

detailedobject

information


RFID privacy problems RFID tags respond to reader’s query automatically, without

authenticating the reader clandestine scanning of tags is a plausible threat two particular problems:

1. inventorying: a reader can silently determine what objects a person is carrying• books• medicaments • banknotes• underwear• …

2. tracking: set of readers can determine where a given person is located• tags emit fixed unique identifiers• even if tags do not emit unique identifiers,

it is possible to track a person by tracking a constellation of a set of particular tags: in a given period of time, there may be a single person in a city wearing a

specific type of shoes and wrist watch and carrying a specific book in a specific suitcase

8

watch: Casio

book: Applied

Cryptography

shoes: Nike

suitcase: Samsonit

e

jeans: Lee

Cooper


RFID read ranges nominal read range

– max distance at which a normally operating reader can reliably scan tags

– e.g., ISO 14443 specifies 10 cm for contactless smart cards rogue scanning range

– rogue reader can emit stronger signal and read tags from a larger distance than the nominal range

– e.g., ISO 14443 cards can possibly be read from 50-100 cm tag-to-reader eavesdropping range

– read-range limitations result from the requirement that the reader powers the tag

– however, one reader can power the tag, while another one can monitor its emission (eavesdrop)

– e.g., RFID enabled passports can be eavesdropped from a few meters reader-to-tag eavesdropping range

– readers transmit at much higher power than tags– readers can be eavesdropped form much further (kilometers?)– readers may reveal tag specific information

9


Classification of privacy protection approaches

standard tags– “kill” command– “sleep” command– renaming– blocking– legislation

crypto enabled tags– synchronization approach– hash chain based approach– tree-approach

10


Dead tags tell no tales idea: permanently disable tags with a special “kill” command advantages:

– simple– effective

disadvantages:– eliminates all post-purchase benefits of RFID for the consumer and

for society• no return of items without receipt• no smart house-hold appliances• …

– cannot be applied in some applications• library• e-passports• banknotes• ...

similar approaches:– put RFID tags into price tags or packaging which are removed and

discarded

11


“Sleep” command idea:

– instead of killing the tag put it in sleep mode– tag can be re-activated if needed

advantages:– simple– effective

disadvantages:– difficult to manage in practice

• tag re-activation must be password protected• how the consumers will manage hundreds of passwords for their

tags?• passwords can be printed on tags, but then they need to be

scanned optically or typed in by the consumer

12


Renaming idea:

– get rid of fixed names (identifiers)– use random pseudonyms and change them frequently

requirements:– only authorized readers should be able to determine the real

identifier behind a pseudonym – authorized readers would be able to refresh the list of pseudonyms

in a tag– The tag rotates the pseudonym list and uses a new tag each time

being read

a possible implementation– pseudonym = {R|ID}K

• R is a random number• K is a key shared by all authorized readers

– authorized readers can decrypt pseudonyms and determine real ID– for unauthorized readers, pseudonyms look like random bit strings

13


Renaming

potential problems– if someone can eavesdrop during the renaming operation, then she

may be able to link the new pseudonym to the old one– An adversary can rapidly query the tag several times until all

pseudonyms are emitted --> tag tracked until the next refresh operation

• Solution: limited bandwidth at the tags (by hardware means)

– no reader authentication rogue reader can overwrite pseudonyms in tags (tags will be erroneously identified by authorized readers)

14


Blocking Uses a mechanism which is designed for determining present tags: binary tree walking

– a mechanism to determine which tags are present (singulation procedure)– IDs are leaves of a binary tree– reader performs a depth first search in the tree as follows

• reader asks for the next bit of the ID starting with a given prefix• if every tag’s ID starts with that prefix, then no collision will occur, and the reader can

extend the prefix with the response• if there’s a collision, then the reader recurses on both possible extensions of the prefix • Example: 3 tags are present with IDs 001, 100 and 101

reader: prefix “-” ?tags: collisionreader: prefix “0” ?tags: 0reader: prefix “00” ?tags: 1reader: prefix “1” ?tags: 0reader: prefix “10” ?tags: collision

15

-

0 1

00 01 10 11

000 010 100 110001 011 101 111100101

001

Note: real tag sizes are much larger (e.g., 96 bits for EPC)


blocker tag: simulates a collision upon each request of the reader to force it to go through the whole tree and to stall as the tree is usually very big

Privacy protection solution using binary tree walking mechanism:– The user can carry the blocker with her to prevent scanning and

tracking of her tags and can deactivate the blocker when its tags need to be read, e.g. returning an item to a shop

Problem: blocks reading all tags nearby even by legitimate readers

16

Blocking


Blocking Solution:

• tree is divided into two zones– privacy zone: all IDs starting with 1

• Tags can be sent between two zones by appropriately setting the leading bit of their IDs• upon purchase of a product, its tag is transferred into the privacy zone by setting the

leading bit

the blocker tag simulates a collision when the prefix in the reader’s query starts with 1

when the blocker tag is present, all IDs in the privacy zone will appear to be present for the reader

when the blocker tag is not present, everything works normally Clearly, a reader that transfers tags from one zone to another must be authenticated

17

-

0 1

00 01 10 11

000 010 100 110001 011 101 111

privacy zone

transfer to the privacy zoneupon purchase


Crypto enabled tags assume that tags can perform some crypto

operations tags can compute their own pseudonyms !

a solution that doesn’t scale:– next pseudonym = {ID,R}K

• R is a random number generated by the tag (ensures that pseudonyms look random and they are different)

• ID is the real identifier• K is a key shared by the tag to the readers

– the reader tries all possible keys until it finds the right one (Some redundancy in the encrypted message is required to let the reader realize it used the right key)

– if there are many tags, then the verification may be too slow

18


Synchronization approach

c is a counter, K is a key shared by the tag and the reader operation of tag:

– when queried by the reader, the tag responds with its current pseudonym p = EK(c) and then increments the counter

operation of the reader:– reader must know approximate current counter value– for each tag, it maintains a table with the most likely current

counters and corresponding pseudonyms (c+1, p1)…(c+d, pd)– when a tag responds with a pseudonym p, it looks up p in any of its

tables, identifies the tag, and updates the table corresponding to the tag

19

c c+1 c+2 c+3 …

p0 p1 p2 p3

EK EK EK EK


Hash-chain based approach

H and G are one-way functions (e.g., hash functions) operation of the tag:

– current state is si

– when queried the tag responds with the current pseudonym pi = G(si) and computes its new state si+1 = H(si)

operation of the reader is similar to the previous approach one-wayness of H ensures forward secrecy :

– even if a disposed tag is broken and its current state is determined, previous states (and pseudonyms) cannot be computed

20

s1 s2 s3 s4 …

p1 p2 p3 p4

H H H H

G G G G


The tree-based approach

Each leave represents a tag and a key is assigned to each edge A tag sends all of its keys from highest to lowest level in the tree For each level the reader searches through keys only in that level

below the already identified key previous-level key After identifying all the keys the tag can be identified by the reader

21

reader

k 1

k 11

k 111

k1, k11, k111R

E(k1, R’ | R), E(k11, R’ | R), E(k111, R’ | R)

try all these keys until one of them works

k1, k11, k111 tag ID

tag


Optimal key-trees

if tags get compromised, then the level of privacy provided to other tags decreases:– E.g. if the leftmost leave of the tree is compromised: k1, k11, k111

are revealed to the adversary – Later on, by observing the transactions of any non-compromised tag,

the adversary can recognize the use of some compromised keys – P0: contains the compromised tag; P1: contains tags whose parent is

the same as the compromised tag and not in P0; P2: contains tags whose grandparent is the same as the compromised tag and not in P0 or P1; etc.

• tags in different partitions can be distinguished• tags in a given partition (Pi) are indistinguishable

22

k 1

k 11

k 111

P 0 P 1 P 2 P 3


– Consider a l level tree with b branches at each level– To measure privacy, one can calculate the expected anonymity set

size of a randomly selected tag (or the average size of the anonymity set of non-compromised tags)

– where N is the total number of tags, Pi is partition i– this can be normalized to N to obtain a metric value between 0 and

1:

23

k 1

k 11

k 111

P 0 P 1 P 2 P 3


Normalized Average Anonymity Set Size (NAASS) (3/3) computing NAASS for regular trees (same branching factor at

each level) when a single tag is compromised:

24


Outline


25


The location privacy problem and a solution vehicles continuously broadcast heart beat

messages, containing their ID, position, speed, etc.

tracking the physical location of vehicles is easy just by eavesdropping on the wireless channel

one possible solution is to change the vehicle identifier, or in other words, to use pseudonyms

26


Adversary model changing pseudonyms is ineffective against a global

eavesdropper

hence, the adversary is assumed to be able to monitor the communications only at a limited number of places and in a limited range

27

A, GPS position, speed, direction

predicted positionat the time of thenext heart beat

B, GPS position, speed, direction


The mix zone concept

A mix network is a store-and-forward networks containing mix nodes

A mix node collects n messages and forwards them all at the same time, and then does the same to the next n messages so on.

So an observer can not easily determine which outgoing message belongs to which incoming message.

In our case, the adversary can not easily say which vehicle in the unmonitored area belongs to which one entering it – unmonitored area functions as a mix zone

we assume that the vehicles change pseudonyms frequently so that each vehicle changes pseudonym while in the mix zone

note that the vehicles do not know where the mix zone is

28


Example of mix zone

29

Example: the mix zone has 3 gates; gate 2 is far away from gates 1 and 3

the adversary observes vehicles 1 and 2 entered gates 1 and 2 and after a short time a vehicle exited the mix zone at gate 3

If the distance between gates 2 and 3 is so large that it is impossible to go from 2 to 3 in such a short time, then the adversary can link the vehicle entered at gate 1 to the one exited at gate 3 (no privacy is provided by the mix zone in this case)


Model of the mix zone time is divided into discrete steps pij = Pr{ exiting at j | entering at i } Dij is a random variable (delay) that represents the

time that elapses between entering at i and exiting at j

dij(t) = Pr{ Dij = t }

Pr{ exiting at j at t | entering at i at } = pij dij(t-)

30

dij(t)

t


Observations the adversary can observe the points (ni, xi) and the times (i, ti) of enter

and exit events (Ni, Xi)

by assumption, the nodes change pseudonyms inside the mix zone there’s no easy way to determine which exit event corresponds to which enter event

each possible mapping between exit and enter events is represented by a permutation of {1, 2, …, k}:

m = (N1 ~ X[1], N2 ~ X[2], …, Nk ~ X[k])where [i] is the i-th element of the permutation

we want to determine Pr{ m | (N, X) }

31

tn1 n2 nk

x1 x2 xk

2 k

t1 tk

N1 N2 Nk

X1 X2 Xk

1 = 0


Computing the level of privacy

32

where mπ is the mapping described by the permutation π

where pij is a cell of the matrix P of size nxn, where n is the number of gates of the mix zoneand dij(t) describes the probability distribution of the delay when crossing the mix zone from gate i to gate j , (i.e. dij(t) is the probability of having delay t for an object who enters at gate iAnd exits from gate j).


Summary Privacy problems and solutions in RFID:

– Privacy problems: clandestine reading and eavesdropping– Low-cost RFID tags:

• resource constrained• any privacy protecting solution must be carefully

designed and optimized

Location privacy in vehicular networks:– Adversary model: monitored zones and unmonitored zones– The level of location privacy can be quantified using an

entropy based metric

33

privacy protection

Documents