Security & Privacy on EPC Networks
2nd Canada-France Workshop on Foundations & Practice of Security
FPS2009.JoaquinGarciaAlfaro
Joaquin Garcia-Alfaro Carleton University
Joint work with Michel Barbeau and Evangelos Kranakis
EPCGlobal Network
• Distributed infrastructure that enables physical objects to be connected to the Internet by using RFID technologies
• EPC: Electronic Product Code - Family of coding schemes to uniquely identify physical objects
• ONS: Object Name Service - Directory service that maps EPCs to Internet services
Electronic Product Code
• Successor of optical barcodes
• Sample representation of the EPC GID-96:
  - Header: identifies the EPC version number, e.g., GID-96
  - Manager number: manufacturer of the product, e.g., KELLOGG’s®
  - Object class: exact type of the product, e.g., Rice Krispies®
  - Serial number: unique reference to the item
Electronic Product Code
• The EPC number is stored in an electronic label
• Using Radio Frequency technology, it “communicates” the code
  Header · Manager number · Object class · Serial number
  35 · 006A13A · 012B5F · 000034DA0
• Low-cost RFID labels
  - EPC Class 1 Generation 2 (Gen2)
  - ISO/IEC 18000
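Added example, not part of the original slides: a decoder and encoder for the GID-96 sample value shown above, making explicit how much product information the bare identifier carries. The field widths (8, 28, 24 and 36 bits) are the GID-96 layout, consistent with the hex digit counts on the slide; the function and class names are assumptions of this example.

```python
from typing import NamedTuple

GID96_HEADER = 0x35          # header value shown on the slide for GID-96
# Field widths in bits: header, manager number, object class, serial number.
WIDTHS = (8, 28, 24, 36)     # 96 bits in total

class Gid96(NamedTuple):
    header: int
    manager: int
    object_class: int
    serial: int

def decode_gid96(hex_epc: str) -> Gid96:
    """Split a 96-bit EPC (24 hex digits, separators allowed) into its fields."""
    digits = "".join(c for c in hex_epc if c not in " ·.-")
    if len(digits) != 24:
        raise ValueError("GID-96 needs exactly 96 bits (24 hex digits)")
    value = int(digits, 16)              # raises ValueError on non-hex input
    fields, shift = [], 96
    for width in WIDTHS:
        shift -= width
        fields.append((value >> shift) & ((1 << width) - 1))
    epc = Gid96(*fields)
    if epc.header != GID96_HEADER:
        raise ValueError(f"not a GID-96 header: {epc.header:#04x}")
    return epc

def encode_gid96(manager: int, object_class: int, serial: int) -> str:
    """Inverse of decode_gid96; rejects values that overflow their field."""
    value = 0
    for field, width in zip((GID96_HEADER, manager, object_class, serial), WIDTHS):
        if not 0 <= field < (1 << width):
            raise ValueError(f"{field:#x} does not fit in {width} bits")
        value = (value << width) | field
    return f"{value:024X}"

if __name__ == "__main__":
    tag = decode_gid96("35 · 006A13A · 012B5F · 000034DA0")  # value from the slide
    print(tag)
    print(encode_gid96(tag.manager, tag.object_class, tag.serial))
```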
EPC Gen2 tags
Memory Circuitry
- Very limited (less than 1000 bits)
- One part stores the EPC number; the rest is available to the user
- Read only write-once or Read/write
EPC Gen2 tags
Logic Circuitry
- Execution of queries
- Anti-collision procedures
- Control for specific commands
EPC Gen2 tags
RF Circuitry
- Antenna pads
- Demodulation/Modulation circuits
- Capacitor/rectifier for storing energy and powering the circuits
Tags & readers
Sample EPC network
[Figure: Sample EPC network. Labels: Readers, Request, Response, Middleware, Repository, EPC Information Service (EPC-IS)]
Electronic Product Code
• The EPC number is stored in an electronic label
• Using Radio Frequency technology, it “communicates” the code
• Low-cost RFID labels
  - Very limited storage & computational power
  - EPC is only the key to request further data
Interoperability between EPC Networks
Threats to EPC networks
• Can target the different components of the infrastructure
• We focus on threats targeting the wireless channel between readers and tags & the ID resolution on the Internet
[Garcia-Alfaro, Barbeau, Kranakis, 2008] Analysis of Threats to the Security of EPC Networks, CNSR, Halifax, 2008.
Threats to EPC networks
Leakage of sensitive information
[Figure: EPC network A (Tags (TA), Readers (RA), Middleware, Database, EPC-IS, Local ONS), EPC network B (Tags (TB), Readers (RB), Middleware, Database, EPC-IS, Local ONS), and the ONS]
Threats targeting the wireless channel
• Security features on EPC are minimalist
  − Kill & Access command
• Communication over insecure channel
  - Lack of authentication & confidentiality
• Read-range distances sufficient to allow eavesdropping …
  - … if we consider a dishonest third party using highly sensitive receivers, special antenna, etc.
Eavesdropping reader channel
[Figure: Tag and Reader; operating range (~ 10 m.); (reader-to-tag channel); eavesdropping of reader-to-tag communications (~ 1000 m.)]
Rogue scanning
[Figure: Tag and Reader; operating range (~ 10 m.); rogue scanning range; eavesdropping of reader-to-tag communications (~ 1000 m.)]
Disclosure of information
• Can lead to clandestine inventory, tracking, profiling, …
  – For retailers, impact might be rated as medium
  – For holders of objects on health care or military scenarios, impact can be rated as high
• Which information can be disclosed? The EPC number associated to a tagged object
  Header · Manufacturer · Object class · Serial number
How to deal with these threats?
• Shielding, jamming, blockers, guardians, …
  – It may work on some RFID applications
  – Requires the management of new components
• Use of low-overhead and lightweight authentication
  – Pseudo-randomness and XOR masking
Lock-based Access Control
– Readers and tags share a common secret (s)
– When tag receives a proof of this secret, it locks itself
  → when interrogated, it only responds with a pseudonym
– Tag unlocks itself when it receives again a proof of secret

Reader                    Tag IDx [IDx, s, pseudoID]
1. pseudoID ← s
2. proof(s)
3. pseudoID
Lock-based Access Control
– It may handle eavesdropping and rogue scanning, but still allows location & tracking
Adversaries should not be able to get useful information about the item for tracking or discovering tag identity!
Randomized Lock-based Access Control

Reader [S1…Sx…]           Tag [Sx]
1. Query
2. Select random R
3. R, proof(Sx, R)
4. Searches proof(Sx, R)

[Garcia-Alfaro, Barbeau, Kranakis, 2009] A Proactive Threshold Secret Sharing Scheme Handling Gen2 Privacy Threats, March 2009.
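Added example, not code from the slides or from the authors: a small simulation of the lock-based and randomized lock-based exchanges above, showing why a fixed pseudonym can still be tracked while the randomized reply cannot, and what step 4 costs the reader. The slides do not define proof() or how pseudoID is derived from s; HMAC-SHA256 is used here as a stand-in, and all class names, function names and secrets are constructed for this example.

```python
from __future__ import annotations
import hashlib, hmac, secrets

def proof(secret: bytes, nonce: bytes = b"") -> bytes:
    """Stand-in for the slides' proof(): HMAC-SHA256 (assumption of this example)."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()

class LockedTag:
    """Lock-based scheme: a locked tag answers every query with one pseudonym."""
    def __init__(self, tag_id: bytes, secret: bytes):
        self.tag_id, self.secret, self.locked = tag_id, secret, False
        self.pseudo_id = proof(secret, b"pseudoID")[:8]   # 1. derivation is assumed
    def receive_proof(self, p: bytes) -> None:
        if hmac.compare_digest(p, proof(self.secret)):    # 2. proof(s) toggles the lock
            self.locked = not self.locked
    def respond(self) -> bytes:
        return self.pseudo_id if self.locked else self.tag_id   # 3. pseudoID

class RandomizedTag:
    """Randomized scheme: a fresh R per query, reply is (R, proof(Sx, R))."""
    def __init__(self, secret: bytes):
        self.secret = secret
    def respond(self) -> tuple[bytes, bytes]:
        r = secrets.token_bytes(16)                       # 2. select random R
        return r, proof(self.secret, r)                   # 3. R, proof(Sx, R)

def reader_search(known: dict[str, bytes], r: bytes, p: bytes) -> str | None:
    """4. Reader tries each known secret; cost is linear in the number of tags."""
    for name, s in known.items():
        if hmac.compare_digest(proof(s, r), p):
            return name
    return None

def linkable(replies: list) -> bool:
    """Passive observer's test: does any reply repeat across interrogations?"""
    return len(set(replies)) < len(replies)

if __name__ == "__main__":
    # Constructed sample secrets, for illustration only.
    known = {"tag-A": b"constructed-secret-A", "tag-B": b"constructed-secret-B"}
    locked = LockedTag(b"constructed-EPC", known["tag-A"])
    locked.receive_proof(proof(known["tag-A"]))
    print("lock-based linkable:", linkable([locked.respond() for _ in range(3)]))
    rnd = RandomizedTag(known["tag-B"])
    replies = [rnd.respond() for _ in range(3)]
    print("randomized linkable:", linkable(replies))
    print("reader resolves:", reader_search(known, *replies[0]))
```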
Proof-of-concept
Contributions of our Proposal
• Compact: shares fit into the memory of EPC tags (90 to 270 bits)
• Proactive: tags can renew their shares without changing the initial secret
• Robust: our scheme guarantees strong security
• Anonymous: process does not require tag identities
[Garcia-Alfaro, Barbeau, Kranakis, 2009] A Proactive Threshold Secret Sharing Scheme Handling Gen2 Privacy Threats, March 2009.
Conclusions
• Evolution of optical barcodes
• May lead to privacy violations
• Threats to wireless channel between readers and tags
• Countermeasures to increase technical difficulties