Tracker: Security and Privacy for

guineanscarletΗλεκτρονική - Συσκευές

27 Νοε 2013 (πριν από 3 χρόνια και 9 μήνες)

58 εμφανίσεις

Tracker: Security and Privacy for
RFID
-
based Supply Chains


Erik
-
Oliver Blass, Kaoutar Elkhiyaoui, Refik Molva




Motivation


Supply chain management


Product

tracking


Counterfeit

detection


Flow

control


Problems in supply chain:


Injecting
fake

products


Very problematic:
pharmaceutics


WHO
: 10 %
of U.S.
pharmaceutics are fake





a

c

e

f

b

d

g

h

2

Approach


Genuineness:
Path
Validity
in supply chain


Basic idea


Products equipped
with
storage
-
only

RFID
tags


Path trace stored in tag


Check points:
Path
validity


Valid path: genuine
product






a

c

e

f

b

d

g

h

Quality
control

Issuer

3

Challenges

RFID tags


Wireless
communication


Anyone
can

read
and

write


New

privacy threats


Scarce

resources:
gate count matters


No classical
cryptography



Challenge:
How to implement product genuineness
verification using RFID tags while ensuring privacy
and security?


4

General setup

R
i

v
i

R
i+1
v
i+1

T

s
i
-
1

)
(
1


i
v
i
s
f
s
i
s
i

T

)
(
1
1
i
v
i
s
f
s
i



s
i

s
i+1

I

M

T

s
0

T

s
l

l
v
v
v
,...,
,
1
0
5


Path encoding



Compact encoding


Non
-
commutative


Technique for
run
time fault detection
(Noubir et al. ‘97)


Step v
i

associated
with
secret v
i

in F
q
,
|q| = 160


T

v
i

s
i
-
1

i
i
i
i
v
i
v
x
s
s
)
s
(
f
s
i





0
1
1
s
i

v
i+1

T

1
0
2
0
1
1
0
1
1
1












i
i
i
i
i
i
i
i
v
i
v
x
v
x
s
s
v
x
s
s
)
s
(
f
s
i
s
i

s
i+1

i
l
i
l
l
x
v
x
s
s




0
0
0
6

Protocol

Overview


EC Elgamal encryption:
(
sk
,
pk
) = (x, (G, Y))

1)
Probabilistic

2)
Additively
homomorphic


Tag state



:
identity of tag



: identity of issuer



:
path signature


link tag’s identity to the path it takes.



Readers re
-
encrypt and update tag state


Manager decrypts tag state


Manager has a set of valid polynomials

)
(
)
(
0
x
Q
P
valid
P
valid


ID
)
ID
(
HMAC
k
)
P
(
)
ID
(
HMAC
k

7

Protocol

State update

Input:



Update path encoding







Re
-
encrypt
ciphertexts

Output:


1
0
0
1
1
i
i i
v i
C'
i k
k
k
i i
x v E( HMAC ( ID).G)
E( H
( x
MAC ( ID).G)
E( HMAC ( I
( P ) v )
f ( ( P )
( P v )
D
)
.G
B
) )
C






 



1
1
1
i
i
k i k
s
s ( E( ID),E( HMAC ( ID).G),E( ( P )HM
( A,B,C
AC ( ID).G))
)






1
i i
i
i
k i k
P v
s
s ( E( ID),E( HMAC ( ID
( A',B',C')
).G),E( ( P )HMAC ( ID).G))




8

Protocol

Path verification by manager

On
input

of tag T with
s = (A, B, C)
,

manager


1)
checks for
clones
:


2)
authenticates issuer:


3)
checks

validity of path:





ID
)
A
(
D

G
).
ID
(
HMAC
)
B
(
D
k

G
).
P
(
)
ID
(
HMAC
)
C
(
D
valid
k


9

Tracker’s Security


Tracker is secure under the
security of HMAC
and
CDH assumption
.


Reductionist

proofs

1)
Creating a new tag with a valid state


Breaks the

security of

HMAC

2)
Writing a valid state in a legitimate tag


Breaks
CDH



10

Tracker’s Privacy


Assumption:
adversary does not have full
control over the network.


New

privacy definitions

for supply chain

1)
Tag unlinkability

2)
Step unlinkability


Reductionist
proofs


Tracker’s privacy ensured under the
semantic
security of Elgamal

11

Conclusion



Solution for
secure
and
privacy
-
preserving
supply chain
management



Encode
paths

in supply chain as
polynomials



Tracker is
lightweight


Tags are
storage only
(80 bytes), unlike Li and Ding ’07,
Ouafi and Vaudenay ’09


Readers:
O(1)

computational,
O(n+
γ
)

storage complexity


Currently, implementing Tracker on
EPC1 GEN2
tags



Provable security and privacy:


New privacy models



Formal proofs

12




Questions

13